New HTTPS vulnerability: DROWN

by admin on

Another known attack on old SSLv2 … Welcome, if I can say so, to Decrypting RSA with Obsolete and Weakened eNcryption, a.k.a. DROWN.

To Windows Server (2008 and up) users: if you didn’t mess around too much with registry keys, SSLv2 should already be disabled.

To Linux/Unix users: you should disable SSLv2 and, if you didn’t already, update OpenSSL to one of the most recent versions. It seems that only versions older than March 2015 are vulnerable.

I wouldn’t ignore this vulnerability, for, as I understood, it exposes your private key for HTTPS encryption in a very limited amount of time – 8 to 16 hours or even less.

So please disable SSLv2 and check that TLS is not using it for legacy support.
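One way to run that check against a server you administer, as an added example that is not from the original post: it sends a bare SSLv2 CLIENT-HELLO and reports whether the server answers with an SSLv2 SERVER-HELLO. The function names are this example's own, and the message layout is taken from the SSLv2 specification.

```python
import os
import socket
import struct
import sys

# The seven SSLv2 cipher kinds (3 bytes each) defined by the SSLv2 specification.
SSLV2_CIPHERS = bytes.fromhex("010080 020080 030080 040080 050080 060040 0700c0")
MSG_CLIENT_HELLO, MSG_SERVER_HELLO, SSLV2_VERSION = 1, 4, 0x0002


def build_client_hello(challenge=None):
    """Return a complete SSLv2 CLIENT-HELLO record (2-byte header + body)."""
    challenge = os.urandom(16) if challenge is None else challenge
    # msg type, version, cipher-spec length, session-id length, challenge length
    body = struct.pack(">BHHHH", MSG_CLIENT_HELLO, SSLV2_VERSION,
                       len(SSLV2_CIPHERS), 0, len(challenge))
    body += SSLV2_CIPHERS + challenge
    # High bit set in the first byte marks a 2-byte record header.
    return struct.pack(">H", 0x8000 | len(body)) + body


def is_sslv2_server_hello(data):
    """True if data starts with an SSLv2 SERVER-HELLO, False for anything else
    (a TLS alert, a TLS ServerHello, an empty read)."""
    if not data:
        return False
    header_len = 2 if data[0] & 0x80 else 3
    if len(data) < header_len + 5:
        return False
    # Body: msg type, session-id-hit, certificate type, version (2 bytes), ...
    msg_type, _hit, _cert_type, version = struct.unpack_from(">BBBH", data, header_len)
    return msg_type == MSG_SERVER_HELLO and version == SSLV2_VERSION


def server_accepts_sslv2(host, port=443, timeout=5.0):
    """Connect to a server you administer and report whether it speaks SSLv2."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        try:
            sock.sendall(build_client_hello())
            return is_sslv2_server_hello(sock.recv(64))
        except OSError:  # reset or timeout: no SSLv2 answer from the server
            return False


if __name__ == "__main__":
    host, port = sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443
    verdict = "ACCEPTS SSLv2 - disable it" if server_accepts_sslv2(host, port) else "no SSLv2 answer"
    print(f"{host}:{port}: {verdict}")
```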

For more information regarding the DROWN vulnerability, read this excellent (even if a little technical) article from ArsTechnica.com:

More than 11 million HTTPS websites imperiled by new decryption attack
