SSL Labs – Sunsetting DROWN Test

Ramesh Ramchandran

Six years ago, the DROWN Attack Research team disclosed the DROWN vulnerability (a cross-protocol attack in which an RSA key exposed through an SSLv2 server can be used to decrypt TLS sessions) and its attack variants. In response, Qualys published a blog post explaining the vulnerability and describing what SSL Labs tests for and how, and released an SSL Labs update in response to the discovery.

Why are we discontinuing the DROWN test?

Qualys has been testing for this vulnerability since July 2016, in collaboration with the DROWN Attack Research team. Of the 134,236 sites surveyed in May 2022, only 250 (0.2%) were still vulnerable to DROWN.

We are discontinuing the DROWN test because the DROWN Attack Research team has shut down the APIs on their side that our full test depended on. As a result, the next SSL Labs release will disable the full-fledged DROWN test and remove the DROWN Attack pie chart from the SSL Pulse dashboard.

What to expect in the new release?

After we disable full-fledged DROWN tests, you will notice a slight change in the UI.

Current UI:

Updated UI:

Note: The updated UI will continue to flag any server that still supports SSLv2 as DROWN vulnerable.

Do APIs need to be updated?

  • SSL Labs will simply stop sending the DROWN-specific parameters, so no API changes are needed; clients should treat these fields as optional.
  • Under the EndpointDetails section, drownHosts[], drownErrors[], and drownVulnerable will no longer be included in the response. You can read more about it here: SSL Labs API v4 Documentation v2.x.x.
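For clients that consume the analyze response, the practical consequence of the two points above and of the SSLv2 note earlier is that the DROWN fields become optional and the only DROWN signal left in the response is SSLv2 support on the endpoint itself. The following is an added example (not SSL Labs code) showing one way to handle both response shapes: trust drownVulnerable when an older release still sends it, otherwise fall back to checking EndpointDetails.protocols for SSLv2. The sample responses are constructed here; the SSLv2 protocol id 512 and the protocols[] layout are assumed to follow the published API documentation. Note what the fallback cannot do: it does not detect an RSA key shared with an SSLv2 server on another host or port, which is what the discontinued full test covered.

```python
import json

# SSL Labs protocol id for SSLv2 (0x0200) in EndpointDetails.protocols[].id
# (assumed from the API documentation; id 771 is TLS 1.2).
SSLV2_PROTOCOL_ID = 512


def endpoint_drown_status(details):
    """Return (vulnerable, reason) for one EndpointDetails object.

    Responses from releases before the sunset carry drownVulnerable; if the
    field is present it is authoritative.  Responses after the sunset omit
    drownHosts, drownErrors and drownVulnerable, so the only remaining local
    check is whether this endpoint itself still negotiates SSLv2.
    """
    if "drownVulnerable" in details:
        return bool(details["drownVulnerable"]), "drownVulnerable field"
    for proto in details.get("protocols", []):
        if proto.get("id") == SSLV2_PROTOCOL_ID or (
            proto.get("name") == "SSL" and proto.get("version") == "2.0"
        ):
            return True, "SSLv2 supported"
    # No SSLv2 on this endpoint; key reuse with other hosts is not checked.
    return False, "no SSLv2 on endpoint (cross-host key reuse not checked)"


def drown_report(analyze_response):
    """Map each endpoint's IP address to its DROWN status for one host."""
    report = {}
    for ep in analyze_response.get("endpoints", []):
        details = ep.get("details") or {}
        report[ep.get("ipAddress")] = endpoint_drown_status(details)
    return report


# Constructed sample from a pre-sunset release: DROWN fields present.
SAMPLE_OLD = json.loads('''{
  "host": "example.com",
  "endpoints": [
    {"ipAddress": "192.0.2.10",
     "details": {"protocols": [{"id": 771, "name": "TLS", "version": "1.2"}],
                 "drownHosts": [], "drownErrors": false,
                 "drownVulnerable": true}}
  ]
}''')

# Constructed sample from a post-sunset release: DROWN fields absent,
# one endpoint still offers SSLv2, the other does not.
SAMPLE_NEW = json.loads('''{
  "host": "example.com",
  "endpoints": [
    {"ipAddress": "192.0.2.20",
     "details": {"protocols": [{"id": 512, "name": "SSL", "version": "2.0"},
                               {"id": 771, "name": "TLS", "version": "1.2"}]}},
    {"ipAddress": "192.0.2.21",
     "details": {"protocols": [{"id": 771, "name": "TLS", "version": "1.2"}]}}
  ]
}''')


if __name__ == "__main__":
    for sample in (SAMPLE_OLD, SAMPLE_NEW):
        for ip, (vuln, reason) in drown_report(sample).items():
            print(f"{ip}: {'VULNERABLE' if vuln else 'ok'} ({reason})")
```

The fallback keeps parity with the updated UI, which flags SSLv2 support as DROWN vulnerable, but a clean result from it should not be read as "not vulnerable to DROWN" in the full sense the old drownVulnerable field expressed.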

Thanks to the DROWN attack team

Qualys thanks the DROWN attack team (J. Alex Halderman, David Adrian, and others) for their contributions and support in making DROWN tests available for SSL Labs. We truly appreciate their support.

And that’s all for now! Do contact us if you have any questions.
