Are you DROWNing?

Posted 01.03.2016 in Security by Kim Halavakoski

 

Today a new SSL attack was released named DROWN Attack. DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption. You can read all the nasty details here DROWN Attack (CVE-2016-0800)

To protect against DROWN, sysadmins need to disable the user of the obsolete and unsecure protocol SSLv2 on web servers, mail servers and any software that uses and supports SSL/TLS. Make sure that your SSL certificate private keys are not used for any service where SSLv2 is enabled as this would enable an attacker to compromise the key.

Deductive Labs takes security seriously and we don’t use SSLv2 on any of our servers and only accept TLS1.1 and 1.2. We decided to publish our Nginx SSL configurations in our GitHub sslconfig repository so that others can read and use it if needed.

The original DROWN research paper can be found here

 

 

 

 

 

Written by Kim Halavakoski

Kim is a hacker-minded, technology-geek that loves challenges. Having worked in the IT-industry for over a decade in ISP and large-scale financial networks configuring firewalls, networks, security technologies, log management/SIEM, automation, assessing risks and writing policies and governance processes.

Related articles

Ready for 2021?

The Maritime business is facing huge challenges with managing Cyber Security in their environments. The maritime regulator, International Maritime Organization IMO, has updated their regulations and guidelines to include cyber…

Congrats Kim!

Yesterday Thursday 7.11 CSO Kim Halvakoski was elected as a new board member of Tietoturva Ry, the official Finnish cybersecurity society. The national organisation maintains around 800 specialists and professionals…

Kritisk sårbarhet i Microsoft Remote Desktop(RDP)

En kritisk sårbarhet har hittats i Microsofts Remote Desktop Services, eller RDP.  Remote Desktop Services(RDP) - tidigare känd som Terminal Services, används för fjärrstyrning av Microsoft Windows operativsystem. Sårbarheten är…