[bdNOG] SSLv2 DROWN Attack

Jahangir Hossain jrjahangir at gmail.com
Wed Mar 2 18:09:10 BDT 2016


*Possible solution:*

*- Disable SSLv2*

Network administrators should disable SSLv2 support. The researchers have
provided more information on how to disable SSLv2 for various server
products.

Network administrators can determine if a server supports SSLv2 with the
following command:

openssl s_client -connect host:443 -ssl2

If certificate information is returned, then SSLv2 is supported.

SSLv2 has been deprecated since 2011.

*- Do not reuse SSL certificates or key material*

This issue can be mitigated on TLS connections by using unique SSL keys and
certificates. If possible, do not reuse key material or certificates
between SSLv2 and TLS support on multiple servers.

*- Monitor network and use firewall rules*

Recommend enabling firewall rules to block SSLv2 traffic. Since the attack
requires approximately 1000 SSL handshakes, network administrators may also
monitor logs to look for repeated connection attempts. However, this data
may also be obtained via man-in-the-middle or other attacks, not solely
from direct connections.



*Stay secure ;\*



On Wed, Mar 2, 2016 at 6:02 PM, Anurag Bhatia <me at anuragbhatia.com> wrote:

> Interesting (and scary!)
>
>
>
> Thanks for sharing Jahangir.
>
> On Thu, Mar 3, 2016 at 12:28 AM, Jahangir Hossain <jrjahangir at gmail.com>
> wrote:
>
>> Dear members,
>>
>> Network traffic encrypted using an RSA-based SSL certificate may be
>> decrypted if enough SSLv2 handshake data can be collected. Exploitation of
>> this vulnerability - referred to as DROWN in public reporting - may allow a
>> remote attacker to obtain the private key of a server supporting SSLv2.
>>
>> For more information please visit,
>>
>>
>> https://www.us-cert.gov/ncas/current-activity/2016/03/01/SSLv2-DROWN-Attack
>>
>>
>> https://www.us-cert.gov/ncas/current-activity/2016/03/01/OpenSSL-Releases-Security-Advisory
>>
>>
>> *Regards / Jahangir*
>> * | Open Comm*
>>
>>
>>
>>
>> _______________________________________________
>> nog mailing list
>> nog at bdnog.org
>> http://mailman.bdnog.org/mailman/listinfo/nog
>>
>>
>
>
> --
>
>
> Anurag Bhatia
> anuragbhatia.com
>



-- 
*Regards / Jahangir*
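An added detection example in Python, not part of the original message or of the linked advisories: it classifies captured client-to-server records as SSLv2 or TLS by their record header and counts SSLv2 CLIENT-HELLOs per source address, so the "repeated connection attempts" the message suggests watching for can be flagged. The byte strings, source addresses and the threshold of 3 are constructed for the sample; the roughly 1000 handshakes quoted above is the realistic threshold.

```python
from collections import Counter

# Constructed sample records (leading bytes of a client-to-server record).
# SSLv2 CLIENT-HELLO: 2-byte header (high bit set, 15-bit length), then
# msg type 0x01, version 0x0002, cipher-spec length, session-id length,
# challenge length, the 3-byte cipher specs and a 16-byte challenge.
SSLV2_HELLO = (
    b"\x80\x22\x01\x00\x02\x00\x09\x00\x00\x00\x10"
    b"\x01\x00\x80\x02\x00\x80\x04\x00\x80" + bytes(16)
)
# TLS record: content type 0x16 (handshake), version 0x0301, length, then
# handshake type 0x01 (ClientHello). Body truncated; only the header matters here.
TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"

def classify_hello(rec: bytes) -> str:
    """Return 'sslv2', 'tls' or 'other' for the leading bytes of a record."""
    if len(rec) >= 3 and rec[0] & 0x80 and rec[2] == 0x01:
        return "sslv2"
    if len(rec) >= 6 and rec[0] == 0x16 and rec[1] == 0x03 and rec[5] == 0x01:
        return "tls"
    return "other"

def parse_sslv2_hello(rec: bytes):
    """Return (version, [cipher_spec_hex, ...]) from an SSLv2 CLIENT-HELLO."""
    length = ((rec[0] & 0x7F) << 8) | rec[1]
    body = rec[2:2 + length]
    if not body or body[0] != 0x01:
        raise ValueError("not an SSLv2 CLIENT-HELLO")
    version = int.from_bytes(body[1:3], "big")
    cs_len = int.from_bytes(body[3:5], "big")
    specs = body[9:9 + cs_len]  # cipher specs follow the three 2-byte length fields
    return version, [specs[i:i + 3].hex() for i in range(0, len(specs), 3)]

def flag_sources(records, threshold):
    """Count SSLv2 hellos per source; return {src: count} for sources at or above threshold."""
    counts = Counter(src for src, rec in records if classify_hello(rec) == "sslv2")
    return {src: n for src, n in counts.items() if n >= threshold}

# Constructed sample: one source hammering SSLv2, one ordinary TLS client.
SAMPLE_RECORDS = (
    [("203.0.113.7", SSLV2_HELLO)] * 4
    + [("198.51.100.2", TLS_HELLO)] * 3
    + [("198.51.100.2", SSLV2_HELLO)]
)

if __name__ == "__main__":
    # A real deployment would use the ~1000-handshake figure; 3 keeps the sample small.
    for src, n in flag_sources(SAMPLE_RECORDS, threshold=3).items():
        print(f"{src}: {n} SSLv2 CLIENT-HELLOs")
    print(parse_sslv2_hello(SSLV2_HELLO))
```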

