Today a new SSL attack named DROWN was released. DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption. You can read all the nasty details here: DROWN Attack (CVE-2016-0800).
To protect against DROWN, sysadmins need to disable the use of the obsolete and insecure SSLv2 protocol on web servers, mail servers and any other software that uses and supports SSL/TLS. Make sure that your SSL certificate private keys are not used for any service where SSLv2 is enabled, as this would enable an attacker to compromise the key.
Deductive Labs takes security seriously: we don’t use SSLv2 on any of our servers and only accept TLS 1.1 and 1.2. We decided to publish our Nginx SSL configurations in our GitHub sslconfig repository so that others can read and use them if needed.
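The key-reuse check described above can be automated for Nginx. The following is an added example, not code from the Deductive Labs sslconfig repository: it scans a constructed sample configuration for `server` blocks that enable SSLv2 and reports every private key those blocks share with other blocks. It assumes `ssl_protocols` and `ssl_certificate_key` are set explicitly inside each `server` block (no inheritance from the `http` level, no braces inside comments or strings).

```python
import re
from collections import defaultdict
# Constructed sample configuration (hypothetical hosts and key paths).
SAMPLE_CONF = """
server {
    server_name www.example.test;
    ssl_certificate_key /etc/ssl/private/shared.key;
    ssl_protocols TLSv1.1 TLSv1.2;
    location / { root /var/www; }
}
server {
    server_name legacy.example.test;
    ssl_certificate_key /etc/ssl/private/shared.key;
    ssl_protocols SSLv2 SSLv3 TLSv1;
}
server {
    server_name api.example.test;
    ssl_certificate_key /etc/ssl/private/api.key;
    ssl_protocols TLSv1.2;
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, matching nested braces."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directive(body, name):
    """Return the arguments of the first `name ...;` directive, or []."""
    m = re.search(r"^\s*" + name + r"\s+([^;]+);", body, re.M)
    return m.group(1).split() if m else []

def audit(conf):
    """Return (blocks enabling SSLv2, {key path: blocks using it} for exposed keys)."""
    users, sslv2 = defaultdict(list), []
    for body in server_blocks(conf):
        name = (directive(body, "server_name") or ["<unnamed>"])[0]
        for key in directive(body, "ssl_certificate_key"):
            users[key].append(name)
        if "SSLv2" in directive(body, "ssl_protocols"):
            sslv2.append(name)
    # A key is exposed if any block using it also enables SSLv2.
    exposed = {k: v for k, v in users.items() if set(v) & set(sslv2)}
    return sslv2, exposed

print(audit(SAMPLE_CONF))
```

The script only sees Nginx configuration; the same key files still need to be checked against mail servers and any other SSL/TLS service on the network.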
The original DROWN research paper can be found here