Message boards : Projects : DROWN Attack
Message board moderation
Author | Message |
---|---|
Send message Joined: 29 Aug 05 Posts: 15563 |
Something for project administrators who read here to check into, or anyone who runs their own server, really. See if your server is safe from a DROWN attack: https://drownattack.com/# DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third-parties being able to read the communication. They have a checker on the site to see if your domain is vulnerable. David ran it on the Berkeley domain and found that BOINC and Seti@Home are not vulnerable. Phew. |
Send message Joined: 29 Aug 05 Posts: 15563 |
Additionally: https://mta.openssl.org/pipermail/openssl-announce/2016-March/000066.html OpenSSL Security Advisory [1st March 2016] ========================================= NOTE: With this update, OpenSSL is disabling the SSLv2 protocol by default, as well as removing SSLv2 EXPORT ciphers. We strongly advise against the use of SSLv2 due not only to the issues described below, but to the other known deficiencies in the protocol as described at https://tools.ietf.org/html/rfc6176 Cross-protocol attack on TLS using SSLv2 (DROWN) (CVE-2016-0800) ================================================================ Severity: High A cross-protocol attack was discovered that could lead to decryption of TLS sessions by using a server supporting SSLv2 and EXPORT cipher suites as a Bleichenbacher RSA padding oracle. Note that traffic between clients and non-vulnerable servers can be decrypted provided another server supporting SSLv2 and EXPORT ciphers (even with a different protocol such as SMTP, IMAP or POP) shares the RSA keys of the non-vulnerable server. This vulnerability is known as DROWN (CVE-2016-0800). ... |
Copyright © 2024 University of California.
Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License,
Version 1.2 or any later version published by the Free Software Foundation.