DROWN Attack (CVE-2016-0800)
What is DROWN Attack (CVE-2016-0800)?
A 2016 cross-protocol attack that uses an SSLv2-enabled server sharing keys with TLS to decrypt modern TLS sessions, undermining the security of HTTPS, SMTPS, and IMAPS.
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption), CVE-2016-0800, was disclosed on 1 March 2016 by Aviram, Schinzel, Somorovsky et al. It is a cross-protocol attack: SSLv2 still negotiates 40-bit export RSA cipher suites, and its handshake leaks whether a ciphertext is correctly PKCS#1 v1.5 padded. That makes an SSLv2 server a Bleichenbacher padding oracle. Crucially, the vulnerable SSLv2 service need not be the target: if any service shares the same RSA private key/certificate (e.g., an old SMTP or IMAP server reusing the web server's key), the attacker can passively record modern TLS handshakes and decrypt the session keys offline.
The general attack needed roughly 1,000 recorded TLS connections and about 2^50 work, feasible for under USD 440 of cloud compute at the time. A far worse "special DROWN" variant exploited an OpenSSL bug (CVE-2016-0703) that let an active attacker decrypt a single TLS session in minutes on a laptop. Researchers estimated about 33% of all HTTPS servers were vulnerable. Mitigations: disable SSLv2 on every service, upgrade OpenSSL to 1.0.2g/1.0.1s, and never reuse a private key or certificate across SSLv2-capable and modern endpoints.
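The first mitigation above is "disable SSLv2 on every service", and the practical way to verify it is to ask each service directly. The following added example (not code from the DROWN paper or from OpenSSL) builds a minimal SSLv2 CLIENT-HELLO, parses the SERVER-HELLO an SSLv2-enabled service returns, and flags any answer, with 40-bit export suites as the worst case; the cipher-kind codes are from the SSL 2.0 draft, and `sample_server_hello()` is a constructed reply so the parser can be exercised offline.

```python
import socket
import struct

# SSLv2 cipher-kind codes (3 bytes each) from the SSL 2.0 draft.
# The *_EXPORT40_* kinds are the 40-bit suites general DROWN depends on.
SSL2_CIPHERS = {
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}

def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """SSLv2 CLIENT-HELLO offering every cipher kind; 2-byte record header, high bit set."""
    specs = b"".join(SSL2_CIPHERS)
    body = (b"\x01\x00\x02"                       # msg type 1, version 0x0002
            + struct.pack(">HHH", len(specs), 0, len(challenge)) + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_server_hello(data: bytes) -> list:
    """Cipher kinds offered by an SSLv2 SERVER-HELLO; ValueError if `data` is not one."""
    if len(data) < 2 or not data[0] & 0x80:   # TLS alerts/records start with 0x15/0x16
        raise ValueError("no 2-byte SSLv2 record header")
    body = data[2:2 + (((data[0] & 0x7f) << 8) | data[1])]
    if len(body) < 11 or body[0] != 4:          # msg type 4 = SERVER-HELLO
        raise ValueError("not an SSLv2 SERVER-HELLO")
    cert_len, spec_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len: 11 + cert_len + spec_len]
    return [SSL2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs) - len(specs) % 3, 3)]

def assess(ciphers: list) -> str:
    """Any SERVER-HELLO means SSLv2 is on; export suites make the general attack cheap."""
    if any("EXPORT40" in c for c in ciphers):
        return "VULNERABLE: SSLv2 with 40-bit export ciphers (general DROWN)"
    return "VULNERABLE: SSLv2 enabled; disable it on this service"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send one CLIENT-HELLO to a service you administer and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            return assess(parse_server_hello(s.recv(4096)))
        except (ValueError, OSError):       # TLS alert, close, or timeout
            return "SSLv2 not offered"

def sample_server_hello() -> bytes:
    """Constructed reply: 4-byte placeholder cert, RC4_128 + RC4 export, 16-byte conn id."""
    body = (b"\x04\x00\x01\x00\x02" + struct.pack(">HHH", 4, 6, 16)
            + b"CERT" + b"\x01\x00\x80\x02\x00\x80" + b"\x00" * 16)
    return struct.pack(">H", 0x8000 | len(body)) + body
```

Run `probe()` against each port that shares the same certificate (HTTPS, SMTPS, IMAPS, legacy gateways), since the key reuse across them is exactly what makes one SSLv2 answer a problem for all of them.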
```mermaid
flowchart TD
    A[Client] -->|Modern TLS handshake| B[Secure TLS server]
    C[Attacker] -->|Passively records<br/>RSA-encrypted handshakes| B
    C -->|Sends crafted ciphertexts| D[SSLv2 server<br/>same RSA key/cert]
    D -->|Padding-oracle responses<br/>export cipher| C
    C --> E[Recover TLS session key<br/>Bleichenbacher / DROWN]
    E --> F[Decrypt captured session<br/>HTTPS / SMTPS / IMAPS]
```
● Examples
- 01: An attacker decrypting a captured HTTPS handshake by using an SSLv2-enabled SMTP server that shares the certificate.
- 02: Operators rapidly disabling SSLv2 on email, FTP and legacy gateways after DROWN was published.
● Frequently asked questions
What is DROWN Attack (CVE-2016-0800)?
A 2016 cross-protocol attack that uses an SSLv2-enabled server sharing keys with TLS to decrypt modern TLS sessions, undermining the security of HTTPS, SMTPS, and IMAPS. It belongs to the Vulnerabilities category of cybersecurity.
What does DROWN Attack (CVE-2016-0800) mean?
A 2016 cross-protocol attack that uses an SSLv2-enabled server sharing keys with TLS to decrypt modern TLS sessions, undermining the security of HTTPS, SMTPS, and IMAPS.
How do you defend against DROWN Attack (CVE-2016-0800)?
Defences for DROWN Attack (CVE-2016-0800) combine technical controls and operational practices: disable SSLv2 on every service (not just the web server), upgrade OpenSSL to 1.0.2g/1.0.1s, and never reuse a private key or certificate across SSLv2-capable and modern endpoints.
What are other names for DROWN Attack (CVE-2016-0800)?
Common alternative names include: CVE-2016-0800, Cross-protocol SSLv2 attack.