DROWN vulnerability
Dogsbody Technology maintenance customers are already protected against the newly disclosed DROWN attack, but as of the 1st March, 33% of all HTTPS sites are affected by this vulnerability.
The DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) vulnerability affects HTTPS and other services that rely on SSL and TLS, the cryptographic protocols that make security over the Internet possible.
The attack affects all servers that still support SSLv2 and allows attackers to decrypt HTTPS traffic in transit, letting them spy on it. In some cases the encryption can be broken within minutes!
The fix for web servers is to disable SSLv2 support:
- For Apache:
SSLProtocol all -SSLv2 -SSLv3
- For Nginx:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
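To confirm the change took effect, the following Python script (an added example, not part of the original post) sends an SSLv2 CLIENT-HELLO to a server you administer and reports which SSLv2 cipher specs it still offers; an empty list means SSLv2 is off. The function names `build_client_hello`, `parse_server_hello` and `check_host` are chosen here, and the challenge bytes are a fixed constructed value rather than random data.

```python
import socket
import struct

# SSLv2 cipher-spec codes (three bytes each), as defined in the SSL 2.0 specification.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "RC4_128_WITH_MD5",
    b"\x02\x00\x80": "RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "DES_192_EDE3_CBC_WITH_MD5",
}

def build_client_hello() -> bytes:
    """Build an SSLv2 CLIENT-HELLO that offers every SSLv2 cipher spec."""
    ciphers = b"".join(SSLV2_CIPHERS)
    challenge = b"\x00" * 16                        # constructed fixed challenge (not random)
    body = (b"\x01"                                 # MSG-CLIENT-HELLO
            + b"\x00\x02"                           # protocol version 2.0
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)
    # Two-byte SSLv2 record header: high bit set, remaining 15 bits are the length.
    return struct.pack(">H", 0x8000 | len(body)) + body

def parse_server_hello(data: bytes):
    """Return the cipher names an SSLv2 SERVER-HELLO offers, or None if the reply is not SSLv2."""
    if len(data) < 13 or not data[0] & 0x80:
        return None                                 # TLS alert (0x15), EOF or junk: SSLv2 was refused
    length = struct.unpack(">H", data[:2])[0] & 0x7fff
    msg = data[2:2 + length]
    if len(msg) < 11 or msg[0] != 0x04:             # MSG-SERVER-HELLO
        return None
    # Layout: type, session-id-hit, cert-type, version(2), cert-len(2), ciphers-len(2), conn-id-len(2)
    cert_len, ciphers_len, _conn_id_len = struct.unpack(">HHH", msg[5:11])
    spec_bytes = msg[11 + cert_len:11 + cert_len + ciphers_len]
    return [SSLV2_CIPHERS.get(spec_bytes[i:i + 3], spec_bytes[i:i + 3].hex())
            for i in range(0, len(spec_bytes) - len(spec_bytes) % 3, 3)]

def check_host(host: str, port: int = 443, timeout: float = 5.0):
    """Connect to a server you administer and list the SSLv2 ciphers it still offers ([] = none)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""                             # a silent server is not speaking SSLv2
    return parse_server_hello(reply) or []
```

DROWN is a cross-protocol attack, so the same RSA key or certificate served by another host or service that still speaks SSLv2 (a mail server, for example) keeps the HTTPS site exposed; run the check against every endpoint that shares the key, not just port 443.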
For more information on the attack and the research paper, take a look at the official DROWN Attack website.
Dogsbody Technology are Linux SysAdmins, building secure, scalable, reliable servers for the internet. We keep our servers up to date and in doing so have already mitigated this attack.
If you want your site checked or have any questions please contact us.