March 4, 2016

Posted in:


The Recent Attack Against SSLv2 – What is DROWN?

What is DROWN?

1996 called and it wants the SSLv2 protocol back. But seriously, you may have heard about a recent attack against SSLv2 called DROWN. More information is available here: https://drownattack.com/

So what is DROWN? This attack targets the SSLv2 protocol if it is enabled. Since the protocol was deprecated in 1996 and replaced with more recent protocols, we recommend disabling the protocol. The good news is that if you are a customer of ours and didn’t hear from us about the vulnerability via our ticketing system, your servers are unaffected and safe from this issue. If you were contacted, it’s important to note that this can affect any service using SSLv2, not just web traffic. For example, if you have SSLv2 enabled as part of your mail application, that application is affected and should either be upgraded or the protocol turned off completely, if possible for the version of the application. Related, if that certificate is in use elsewhere even on a server that is not affected by this, you should consider reissuing the SSL with your SSL vendor.

Common Questions about DROWN

How do I know if I am affected?

If a ticket was generated for your server in the Edge Customer Portal, your server is affected. We have no reason to believe that this is being actively exploited in the wild. We still recommend removing the protocol regardless.

Is my browser affected by this?

No, it is not. There’s no need to update your browser due to this vulnerability. However as a general practice, we recommend keeping it up-to-date as other vulnerabilities are mitigated with security updates.

What are the current recommend protocols?

Edge recommends using TLSv1.1 and TLSv1.2 preferably as TLSv1 will be phased out in June 2018 per PCI standards.

Can we filter out SSLv2 traffic entirely?

Edge has already taken the proactive step of disallowing SSLv2 traffic on the network as part of the 5-tier Security employed.

 

If you have any questions about your environment be sure to contact our support team, which is available 24/7/365 and entirely US based, at 866-334-3932. If you are not already securing your infrastructure with Edge Hosting, contact us for a custom complimentary analysis of your current environment.

Go back