Recently a new vulnerability hole was discovered and it was named Heartbleed, and now we are facing a new exploit.
DROWN, new vulnerability in the OpenSSL, affects servers that use SSLv2. This vulnerability was discovered quite recently. Attackers are able to decipher your HTTPS-connection, where transmitted passwords or credit card numbers. More than 33 percent of all servers proved vulnerable to new threats. Much less than in the case with the Heartbleed detection, but it is still a fairly large number.
Among the sites that were vulnerable appeared Yahoo, Alibaba, Weibo, BuzzFeed, Weather.com, Flickr and Samsung. Vulnerability has been identified in the process of updating OpenSSL. The patch is ready, however, exploit attack is very simple.
DROWN allows attackers to decrypt HTTPS by sending specially crafted packets to the server. This attack is also possible in the case where certificate is shared on multiple servers, that allows you to effectively start the attack Man-in-the-Middle.
SSLv2 has its roots as far back as the 1990s. He often turns on automatically when you configure a new server. For this reason DROWN still carries a risk. According to the DROWN site, an attack may last less than a minute and can be actively used at the moment when it was disclosed. All the fault lies with the US government, which used weak cryptography in the 1990s.
To defend against an attack, you need to make sure that you have disabled SSLv2. You should also make sure that the private key does not share between other servers. For vulnerable servers you do not need to re-issue certificates, but you need to perform all the necessary steps to prevent possible attack exploitation.