Tuesday, March 1, 2016

Vulnerable to DROWN?

I'm told you can protect yourself against DROWN and POODLE by ensuring SSLv2 and v3, respectively, are disabled, but do your own research and do at your own risk.

To check whether you're vulnerable, you could take a look at: https://www.drownattack.com/

But... it might be lying. Kind of.

If you use: https://test.drownattack.com/?site=yourhost.yourdomain to test, it only looks at the cert. SSLv2 and SSLv3 can be disabled at the server level, though.

So, also try: https://foundeo.com/products/iis-weak-ssl-ciphers/test.cfm?test_domain=yourhost.yourdomain which might actually test it.

You could also try testing yourself with nmap, if allowed: https://nmap.org/nsedoc/scripts/sslv2.html

However, it's not as simple as that, so drownattack.com's assessment might be the safest.

I'm told that a server is vulnerable to DROWN if EITHER it allows SSLv2 connections OR its private key is used on any other server that allows SSLv2 connections, even for another protocol. If server A and server B share the same private key, and server A supports SSLv2 and server B does not, then an attacker can take advantage of server A to break TLS connections to server B.

So, to be safe, if drownattack.com says you are vulnerable, assume you might be.

No comments: