Are you DROWNing?

Posted 01.03.2016 in Security by Kim Halavakoski

 

Today a new SSL attack was released named DROWN Attack. DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption. You can read all the nasty details here DROWN Attack (CVE-2016-0800)

To protect against DROWN, sysadmins need to disable the user of the obsolete and unsecure protocol SSLv2 on web servers, mail servers and any software that uses and supports SSL/TLS. Make sure that your SSL certificate private keys are not used for any service where SSLv2 is enabled as this would enable an attacker to compromise the key.

Deductive Labs takes security seriously and we don’t use SSLv2 on any of our servers and only accept TLS1.1 and 1.2. We decided to publish our Nginx SSL configurations in our GitHub sslconfig repository so that others can read and use it if needed.

The original DROWN research paper can be found here

 

 

 

 

 

Written by Kim Halavakoski

Kim is a hacker-minded, technology-geek that loves challenges. Having worked in the IT-industry for over a decade in ISP and large-scale financial networks configuring firewalls, networks, security technologies, log management/SIEM, automation, assessing risks and writing policies and governance processes.

Related articles

Keeping secrets in AWS

The ability to keep secrets is very important on the internet. There is always someone who tries to get access to anything that is available. A common way to keep…

I Encrypt, therefore I Am

In this age of global surveillance and spying, encrypting communications has become the standard. Companies, big and small, are finally taking the necessary steps to encrypt all their traffic traversing…

Auditing Automation

The use of automation has fundamentally changed the IT landscape and made us more efficient in managing our increasingly complex environments. In this post I will explore the benefits and…