DROWN is short for Decrypting RSA with Obsolete and Weakened eNcryption, and it depends on a “back door”, “EXPORT_GRADE”, put into US products by law until 2000.
Supposedly, it would keep our regular communications secure from hackers but accessible to folks like the NSA so they could get a leg up on criminals of all sorts.
So, the outcomes of EXPORT_GRADE? It killed sales for US products, since foreign companies could produce full-strength products, and it left us with weak, now very easily crackable products.
So, the law was repealed, but the weak code apparently wasn’t known by everyone, and wasn’t changed to stronger code. So, FREAK and LOGJAM happened – they were “backdoor” attacks in 2015.
The DROWN attack is similar, giving hackers a minuscule but fighting chance of breaking in. It would cost about $440 in cloud computing costs, with the promise of much larger “rewards”. It works against servers which support TLS and SSL2 and EXPORT_GRADE ciphers.
SSL2 has been known for half a decade to be insecure, and shouldn’t exist any more.
So, TLS and SSL2 have the same “backend”, and TLS info can be ‘sniffed’ if SSL2 is there.
“if you run a service consisting of multiple servers configured identically, perhaps even across multiple sites, you could make all of them vulnerable simply by forgetting to turn off SSL 2 on just one of them.” – Sophos
So…allow no software with “EXPORT_GRADE” or SSL2 on your servers…
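An added example (not from the original post or from Sophos): a small audit over a constructed scan inventory that flags SSL2 and EXPORT_GRADE ciphers and, following the Sophos point above, every service that shares an RSA key with an SSL2-enabled one. The host names, key labels and inventory format are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample data: (service, RSA key label, protocols, ciphers).
# A real inventory would come from your own TLS scanner's output.
INVENTORY = [
    ("www1.example.test:443", "KEY-A", {"TLSv1.2"}, {"AES128-SHA"}),
    ("www2.example.test:443", "KEY-A", {"TLSv1.2"}, {"AES128-SHA"}),
    ("mail.example.test:25", "KEY-A", {"SSLv2", "TLSv1.0"},
     {"EXP-RC4-MD5", "AES128-SHA"}),
    ("api.example.test:443", "KEY-B", {"TLSv1.2"},
     {"EXP-DES-CBC-SHA", "AES128-SHA"}),
    ("intranet.example.test:443", "KEY-C", {"TLSv1.2"}, {"AES128-SHA"}),
]


def is_export(cipher):
    # OpenSSL names export-grade suites with an EXP prefix (e.g. EXP-RC4-MD5).
    return cipher.upper().startswith("EXP")


def audit(inventory):
    """Return {service: [findings]} for every service that needs action."""
    by_key = defaultdict(list)
    for record in inventory:
        by_key[record[1]].append(record)

    findings = defaultdict(list)
    for services in by_key.values():
        # Services in this group all present the same RSA key.
        ssl2 = sorted(s[0] for s in services if "SSLv2" in s[2])
        for host, _key, protocols, ciphers in services:
            if "SSLv2" in protocols:
                findings[host].append("SSLv2 enabled")
            weak = sorted(c for c in ciphers if is_export(c))
            if weak:
                findings[host].append("export ciphers: " + ", ".join(weak))
            # A TLS-only service is still exposed if its key is reused
            # by another service that has SSL2 switched on.
            others = [h for h in ssl2 if h != host]
            if others:
                findings[host].append(
                    "key shared with SSLv2 service: " + ", ".join(others))
    return dict(findings)


if __name__ == "__main__":
    for host, issues in sorted(audit(INVENTORY).items()):
        print(host, "->", "; ".join(issues))
```

Here the two web servers speak only TLS 1.2 but are still flagged, because the mail service using the same key has SSL2 enabled.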
This is yet another example of how “back doors” weaken everyone’s security, and why Apple shouldn’t cave.
Source:
https://nakedsecurity.sophos.com/2016/03/02/the-drown-security-hole-what-you-need-to-know/