DROWN stands for "Decrypting RSA with Obsolete and Weakened eNcryption". The report published at https://drownattack.com/ raises the concern that encrypted communications can be attacked. It affects HTTPS and any other service that still uses SSL version 2.

Some of the essential protocols for Internet security are affected. An attacker could decrypt HTTPS traffic and recover passwords or credit card numbers within minutes.

The researchers behind the report estimate that more than 3.5 million HTTPS servers are in a vulnerable position. Victims could be anyone browsing the web, reading email, shopping online or using instant messaging. An attacker who breaks the encryption can read the communication.

The attack is not trivial and is aimed at high-value targets: it decrypts a TLS ciphertext by using an SSLv2 server as a padding oracle. Roughly one in 1,000 TLS handshakes that use RSA key exchange can be decrypted, and decrypting the handshake compromises the whole TLS session.

About 38% of HTTPS servers, and 22% of those with browser-trusted certificates, are vulnerable to protocol-level attacks. One quarter of the Alexa top million sites can have their TLS connections broken through SSLv2. An attacker then gains access to the communication between users and the server, the researchers state.

That information can include usernames, passwords, credit card numbers and emails. An attacker can also impersonate a website and change the content the user sees.

The attack is severe and its impact on the Internet is widespread. Sensitive data is at risk and the threat should be taken seriously. Companies should test their environments and remediate as quickly as possible.

DROWN is a serious attack, but it can be prevented through the measures recommended to server operators and administrators, said the chief scientist at Dyadic. That means disabling SSLv2, and even SSLv3, in the server configuration. This does not require updating the server software; it can be prevented through configuration alone.

The proper method is to disable SSLv2 everywhere and to ensure that your private keys are not shared with any server that still uses SSLv2.

One important nuance is that if you forget to disable SSLv2 on one server, it can put your up-to-date systems that only speak TLS at risk as well, because they share an RSA key with it.
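The shared-key nuance is the part of DROWN most often missed in practice, so here is a small audit script for it. It is an added example written for this page, not code from the DROWN report or its authors: it fetches the leaf certificate of every TLS service in an inventory, extracts the SubjectPublicKeyInfo with a minimal DER walker (standard library only, no third-party ASN.1 parser), fingerprints the key and reports any key that sits behind more than one service. The host names in the inventory are placeholders you replace with your own endpoints.

```python
"""Find TLS services that share an RSA key (added example; not the DROWN report's code).

DROWN is cross-protocol: a TLS-only service is exposed if any other service, on any
port or host, that still accepts SSLv2 uses the same key pair. Standard library only.
Host names used below are placeholders.
"""
import hashlib
import socket
import ssl
from collections import defaultdict

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # id-rsaEncryption, DER-encoded OID TLV


def _der_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def subject_public_key_info(cert_der):
    """Slice the whole subjectPublicKeyInfo TLV out of a DER X.509 certificate."""
    _, pos, _ = _der_tlv(cert_der, 0)            # Certificate
    _, pos, _ = _der_tlv(cert_der, pos)          # tbsCertificate
    tag, _, end = _der_tlv(cert_der, pos)
    if tag == 0xA0:                              # EXPLICIT [0] version (absent in v1 certs)
        pos = end
    for _ in range(5):                           # serialNumber, signature, issuer, validity, subject
        _, _, pos = _der_tlv(cert_der, pos)
    _, _, end = _der_tlv(cert_der, pos)          # subjectPublicKeyInfo
    return cert_der[pos:end]


def spki_fingerprint(cert_der):
    """SHA-256 of the SPKI: identical for every certificate issued to the same key pair."""
    return hashlib.sha256(subject_public_key_info(cert_der)).hexdigest()


def is_rsa_key(cert_der):
    """SSLv2 only ever used RSA key exchange, so only RSA keys matter for DROWN."""
    return RSA_OID in subject_public_key_info(cert_der)


def fetch_cert_der(host, port, timeout=5.0):
    """Leaf certificate from an implicit-TLS port (443, 465, 993, 995, ...).
    STARTTLS ports (25, 143, 110) need the protocol preamble first; not handled here.
    Verification is off on purpose: we want the key even from badly configured hosts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def shared_keys(fingerprints):
    """fingerprints: {'host:port': fp}. Returns {fp: [services]} for keys used by >1 service."""
    groups = defaultdict(list)
    for service, fp in fingerprints.items():
        groups[fp].append(service)
    return {fp: sorted(svcs) for fp, svcs in groups.items() if len(svcs) > 1}


def audit(services):
    """Fingerprint every reachable RSA endpoint and return the keys shared between them."""
    fps = {}
    for host, port in services:
        try:
            der = fetch_cert_der(host, port)
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}:{port}: skipped ({exc})")
            continue
        if is_rsa_key(der):
            fps[f"{host}:{port}"] = spki_fingerprint(der)
    return shared_keys(fps)


if __name__ == "__main__":
    # Placeholder inventory: list every TLS endpoint you operate, not just the web tier.
    SERVICES = [("www.example.com", 443), ("mail.example.com", 465), ("mail.example.com", 993)]
    for fp, svcs in audit(SERVICES).items():
        print(f"RSA key {fp[:16]}... is shared by {', '.join(svcs)}")
        print("  -> if any one of these still accepts SSLv2, all of them are exposed to DROWN")
```

The fingerprint is taken over the SubjectPublicKeyInfo rather than the certificate, because the same key pair is routinely wrapped in different certificates (one per hostname, renewed at different times); comparing certificate hashes would miss exactly the sharing DROWN exploits. Every group the script prints is a set of services that must all be SSLv2-free, or all have their key replaced.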

The threat undermines the confidentiality of TLS/SSL-encrypted protocols such as HTTPS, which e-commerce sites rely on. Operators can prevent the issue by disabling the SSLv2 protocol on their servers, including web (HTTPS), IMAP, POP and SMTP servers.

Servers that have not disabled the SSLv2 protocol and are not patched for CVE-2015-3197 remain vulnerable to DROWN even if every SSLv2 cipher has been disabled: a malicious client can still force an SSLv2 handshake with EXPORT ciphers. Disabling the SSLv2 cipher suites is therefore not a substitute for disabling the protocol itself.
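Because disabling ciphers is not enough, the check worth running is whether a server still completes an SSLv2 hello at all, and whether it does so when only EXPORT ciphers are on offer. The probe below is an added example for this page, not code from the DROWN report or from OpenSSL; Python's ssl module cannot speak SSLv2, so it assembles the SSLv2 CLIENT-HELLO by hand from the record format and classifies the first record the server sends back. The host names in the main block are placeholders.

```python
"""Probe a server for a live SSLv2 hello, offering only EXPORT cipher specs.

Added example, not code from the DROWN report. Python's ssl module cannot speak SSLv2,
so the CLIENT-HELLO is built by hand and the reply is classified from raw bytes.
Host names used below are placeholders.
"""
import os
import socket
import struct

# SSLv2 cipher-spec codes are 3 bytes each; the two *_EXPORT40_* specs are the 40-bit ones.
EXPORT_SPECS = {
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
}
ALL_SPECS = {
    **EXPORT_SPECS,
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}


def build_client_hello(cipher_specs, challenge=None):
    """SSLv2 CLIENT-HELLO: 2-byte record header (high bit set = no padding byte), then
    MSG-CLIENT-HELLO (1), version 0x0002, three 2-byte lengths (cipher specs, session id,
    challenge), the cipher specs, an empty session id and a 16-byte challenge."""
    challenge = challenge if challenge is not None else os.urandom(16)
    specs = b"".join(cipher_specs)
    body = (b"\x01\x00\x02" + struct.pack("!HHH", len(specs), 0, len(challenge))
            + specs + challenge)
    return struct.pack("!H", 0x8000 | len(body)) + body


def parse_server_reply(data):
    """Classify the server's first record. Returns (kind, detail) where kind is
    'sslv2-server-hello' (detail: cipher spec names the server offers back),
    'sslv2-error' (detail: error code; 1 = NO-CIPHER-ERROR), 'not-sslv2' or 'no-reply'."""
    if len(data) < 3:
        return ("no-reply", None)
    if data[0] == 0x15 and data[1] == 0x03:            # TLS alert record: server only speaks TLS
        return ("not-sslv2", "tls-alert")
    if not data[0] & 0x80:
        return ("not-sslv2", "no-sslv2-record-header")
    body = data[2:2 + (((data[0] & 0x7F) << 8) | data[1])]
    if not body:
        return ("no-reply", None)
    msg_type = body[0]
    if msg_type == 0x00 and len(body) >= 3:             # MSG-ERROR
        return ("sslv2-error", struct.unpack("!H", body[1:3])[0])
    if msg_type == 0x04 and len(body) >= 11:            # MSG-SERVER-HELLO
        # layout: type(1) session-id-hit(1) cert-type(1) version(2) cert-len(2)
        #         cipher-specs-len(2) conn-id-len(2) certificate cipher-specs conn-id
        cert_len, specs_len = struct.unpack("!HH", body[5:9])
        start = 11 + cert_len
        specs = body[start:start + specs_len]
        names = [ALL_SPECS.get(specs[i:i + 3], specs[i:i + 3].hex())
                 for i in range(0, len(specs) - len(specs) % 3, 3)]
        return ("sslv2-server-hello", names)
    return ("not-sslv2", f"unexpected-msg-type-{msg_type}")


def probe(host, port, cipher_specs=tuple(EXPORT_SPECS), timeout=5.0):
    """Send one CLIENT-HELLO and classify whatever comes back (b'' on close or timeout)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(list(cipher_specs)))
        try:
            data = sock.recv(4096)
        except OSError:
            data = b""
    return parse_server_reply(data)


def verdict(kind):
    """Turn the classification into the action the operator has to take."""
    if kind == "sslv2-server-hello":
        return "SSLv2 with EXPORT ciphers still negotiable: disable the protocol"
    if kind == "sslv2-error":
        return "SSLv2 protocol still enabled (no cipher match): disable it anyway"
    return "no SSLv2"


if __name__ == "__main__":
    for host, port in [("www.example.com", 443), ("mail.example.com", 465)]:   # placeholders
        kind, detail = probe(host, port)
        print(f"{host}:{port}: {kind} {detail} -> {verdict(kind)}")
```

An SSLv2 error reply is still a finding: it shows the server parses SSLv2 records and has the protocol switched on, which is exactly the state CVE-2015-3197 turns into a working handshake. If a host answers with either SSLv2 message, turn the protocol off in that service's configuration (for example `SSLProtocol all -SSLv2 -SSLv3` in Apache httpd, `ssl_protocols TLSv1.2 TLSv1.3;` in nginx, `smtpd_tls_protocols = !SSLv2, !SSLv3` in Postfix) and re-run the probe. Servers built against OpenSSL 1.1.0 or later will never answer, since that release removed SSLv2 support entirely.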

SSLv2 dates back to 1995; it had several flaws, which was one reason for the release of SSLv3 in 1996. SSLv2 and SSLv3 were deprecated in 2011 (RFC 6176) and 2015 (RFC 7568) respectively, and should be disabled regardless of the DROWN vulnerability.

The fix is fairly easy: just disable support for SSLv2. The SSLv2 threat is severe because it allows hackers to intrude on secure data. Individual computer users are at the mercy of those who run servers; they can't do anything on their end. Only server operators are able to take action against the attack, according to Aviram, a co-author of the report.