The DROWN Attack - new vulnerability (https)
DROWN is a serious vulnerability that affects HTTPS and other services that rely on SSL and TLS, some of the essential cryptographic protocols for Internet security. These protocols allow everyone on the Internet to browse the web, use email, shop online, and send instant messages without third parties being able to read the communication.
DROWN allows attackers to break the encryption and read or steal sensitive communications, including passwords, credit card numbers, trade secrets, or financial data. Our measurements indicate 33% of all HTTPS servers are vulnerable to the attack.
Comments
Where is @raymii when you need him?!
@tehdan: As long as you don't allow SSL2 anywhere you should be fine, at least that is what I get from that article. And any sysadmin who still allows SSL2 on their servers should be slapped in the face, imho.
TL;DR OpenSSL 1.0.2 users are strongly advised to upgrade to OpenSSL 1.0.2g and OpenSSL 1.0.1 users are recommended to upgrade to OpenSSL 1.0.1s.
https://www.openssl.org/news/secadv/20160301.txt
http://thehackernews.com/2016/03/drown-attack-openssl-vulnerability.html
another one? WTF
Same as https://www.lowendtalk.com/discussion/77243/the-drown-attack-new-vulnerability-https#latest correct ?
Yeah. Did a quick search but missed that.
Here's a page where you can check.
I don't think that SSLv2 has been enabled on any operating system for a long time though. Debian dropped it as default before wheezy. FreeBSD doesn't have it either. So who does?
Does anybody know of any operating system where SSLv2 is still enabled by default for servers?
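The check page linked above works by sending an SSLv2 ClientHello and seeing whether the server answers with an SSLv2 ServerHello. As an added example (not from this thread or the DROWN authors), the same check can be run against your own servers locally; the cipher spec list and the sample responses are constructed for illustration, and the SSLv2 record/message layouts follow the SSLv2 draft specification:

```python
import socket
import struct

# SSLv2 message types (from the SSLv2 draft specification)
SSL2_MT_CLIENT_HELLO = 0x01
SSL2_MT_SERVER_HELLO = 0x04
# Constructed list of three SSLv2 cipher specs (3 bytes each); any SSLv2 specs work
SSL2_CIPHERS = bytes.fromhex("010080" "030080" "0700c0")

def build_sslv2_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Return an SSLv2 record carrying a ClientHello (version 0x0002)."""
    # msg type, version, cipher-spec length, session-id length, challenge length
    body = struct.pack("!BHHHH", SSL2_MT_CLIENT_HELLO, 0x0002,
                       len(SSL2_CIPHERS), 0, len(challenge))
    body += SSL2_CIPHERS + challenge
    # 2-byte SSLv2 header: high bit set = no padding, low 15 bits = body length
    return struct.pack("!H", 0x8000 | len(body)) + body

def classify_response(data: bytes) -> str:
    """Classify the first bytes a server sent back to the SSLv2 ClientHello."""
    if len(data) < 3:
        return "no-response"
    if data[0] & 0x80:                         # SSLv2 record header
        length = ((data[0] & 0x7F) << 8) | data[1]
        # ServerHello fixed part is 11 bytes: type, hit, cert type, version, 3 lengths
        if data[2] == SSL2_MT_SERVER_HELLO and length >= 11 and len(data) >= 2 + length:
            return "sslv2-offered"              # server still speaks SSLv2: DROWN-exposed
        return "sslv2-other"
    if data[0] == 0x15:                        # TLS alert record: SSLv2 was refused
        return "sslv2-refused"
    return "unknown"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the probe to one of your own servers and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv2_client_hello())
        try:
            return classify_response(s.recv(4096))
        except socket.timeout:
            return "no-response"
```

A result of "sslv2-refused" or "no-response" is what a patched, SSLv2-disabled server gives; note that DROWN also counts a server as exposed if any other host sharing its certificate or RSA key still offers SSLv2, so every host using the key needs checking.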
Put a stop to security issues with SSL. Disable HTTPS and ride port 80 with the pros.
Or just put up .onion sites instead.
I did disable SSL v2 on my webservers and their test was negative.
But no idea about SSH if that is still used.
Meh. If you've kept up your software and packages the last 10 years you're fine. If not, your head's up your ass and it's your own fault.
Dumb question, but would reboot be necessary after installing updates?
No, but it's a lot quicker and safer than making sure you've restarted the right services.