Security advisories

DROWN Attack & Fastly

March 1, 2016

Summary


Today in conjunction with an OpenSSL Security Advisory several researchers announced a new attack on HTTPS they are calling “Decrypting RSA with Obsolete and Weakened Encryption,” or DROWN. Due to Fastly’s existing TLS configuration, our services, and customers using Fastly as their CDN, are not vulnerable to this attack.




Impact


None. Our existing configuration was not vulnerable to DROWN.




Fix / Workarounds


No customer action is required.




Detail


Exploiting the DROWN vulnerability relies on a private key being used with a server that supports SSLv2 in addition to modern protocol versions. Fastly has disabled SSLv2 and SSLv3 in our edge HTTPS configuration since Oct 2014, supporting only TLS 1.0 and higher. We exclusively deploy the most up-to-date OpenSSL release available. Similarly, we do not support weakened export grade cipher suites. Private keys generated by or entrusted to Fastly for HTTPS are not used for any other encrypted services (SMTP, etc.).



Attacks focused on exploitation of deprecated or weak cryptography deployed for backwards compatibility remains a challenge for the security community. Fastly is committed to striking a balance that removes unsafe technology quickly while working with our customers and their users on migration.




More information


You can learn more on the DROWN Attack homepage, the author’s Q&A, and the technical paper. Today’s OpenSSL Security Advisory contains additional detail specific to OpenSSL.

Subscribe to security advisories.

By creating an account you agree to the Terms of Service and acknowledge our Privacy Policy.

Ready to get started?

Get in touch or create an account.