Editing Transport Layer Security (section)

====Cross-protocol attacks: DROWN====
{{Main|DROWN attack}}
The [[DROWN attack]] is an exploit that attacks servers supporting contemporary SSL/TLS protocol suites by exploiting their support for the obsolete, insecure, SSLv2 protocol to leverage an attack on connections using up-to-date protocols that would otherwise be secure.<ref>{{cite web|url=https://www.theregister.com/2016/03/01/drown_tls_protocol_flaw|title=One-third of all HTTPS websites open to DROWN attack|last=Leyden|first=John|date=1 March 2016|website=The Register|access-date=2016-03-02|url-status=live|archive-url=https://web.archive.org/web/20160301215536/http://www.theregister.co.uk/2016/03/01/drown_tls_protocol_flaw|archive-date=1 March 2016}}</ref><ref name=ars201603>{{cite web|url=https://arstechnica.com/information-technology/2016/03/more-than-13-million-https-websites-imperiled-by-new-decryption-attack|title=More than 11 million HTTPS websites imperiled by new decryption attack|website=Ars Technica|date=March 2016|access-date=2016-03-02|url-status=live|archive-url=https://web.archive.org/web/20160301191108/http://arstechnica.com/security/2016/03/more-than-13-million-https-websites-imperiled-by-new-decryption-attack|archive-date=2016-03-01}}</ref> DROWN exploits a vulnerability in the protocols used and the configuration of the server, rather than any specific implementation error. Full details of DROWN were announced in March 2016, together with a patch for the exploit. At that time, more than 81,000 of the top 1 million most popular websites were among the TLS protected websites that were vulnerable to the DROWN attack.<ref name=ars201603/>