[aklug] If you are still running SSLv2, you should disable it ASAP

From: Royce Williams <royce@tycho.org>
Date: Tue Mar 01 2016 - 06:05:44 AKST

A new attack makes all servers running SSLv2 vulnerable.

https://drownattack.com/
http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html

Strongly recommend that you move to disable SSLv2 on affected systems.
Disabling SSLv2 is the best and fastest remedy, and likelihood of
impact of doing so is very, very low - all clients in the past decade
support TLS 1.0 as well.

Use this tool to make it easier on IIS:

    https://www.nartac.com/Products/IISCrypto

In Apache, assuming mod_ssl:

    SSLProtocol all -SSLv2 -SSLv3

Search for your affected domains here (working on an updated version ASAP)

    http://www.techsolvency.com/tls/

... and use the search box for classful searches for your IP space,
your domains, or "SSLv2 on"

Note that the attack works even if SSLv2 is "soft disabled" by
disabling all SSLv2 ciphers.

Royce
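A small config audit that evaluates the Apache `SSLProtocol` line the way mod_ssl does (bare keyword replaces the set, `+` adds, `-` removes, `all` expands) and flags the "soft disable" case where only `SSLCipherSuite` excludes SSLv2. This is an added example, not code from the original post; it assumes `all` includes SSLv2 (as in 2016-era builds) and treats the whole file as one scope, ignoring `<VirtualHost>` boundaries.

```python
import re

# mod_ssl protocol keywords are matched case-insensitively; keep canonical spelling.
_PROTOCOLS = {p.lower(): p for p in ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")}


def parse_ssl_protocol(arg):
    """Evaluate an SSLProtocol argument list: a bare keyword replaces the whole
    set, '+' adds, '-' removes, 'all' expands to every protocol (assumption:
    'all' includes SSLv2). Returns the enabled set, or None on an unknown word."""
    enabled = set()
    for word in arg.split():
        action = ""
        if word[:1] in ("+", "-"):
            action, word = word[0], word[1:]
        if word.lower() == "all":
            protos = set(_PROTOCOLS.values())
        elif word.lower() in _PROTOCOLS:
            protos = {_PROTOCOLS[word.lower()]}
        else:
            return None
        if action == "-":
            enabled -= protos
        elif action == "+":
            enabled |= protos
        else:
            enabled = protos  # no prefix: overrides whatever was parsed before it
    return enabled


def audit_sslv2(config_text):
    """Return a list of findings about SSLv2 for the given Apache config text.
    Assumption: with no SSLProtocol directive, the default is treated as 'all'."""
    enabled = set(_PROTOCOLS.values())
    cipher_only = False
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        m = re.match(r"(?i)^SSLProtocol\s+(.+)$", line)
        if m and parse_ssl_protocol(m.group(1)) is not None:
            enabled = parse_ssl_protocol(m.group(1))
        m = re.match(r"(?i)^SSLCipherSuite\s+(.+)$", line)
        if m and "!sslv2" in m.group(1).lower():
            cipher_only = True
    findings = []
    if "SSLv2" in enabled:
        findings.append("SSLv2 enabled by SSLProtocol; use: SSLProtocol all -SSLv2 -SSLv3")
        if cipher_only:
            findings.append("SSLCipherSuite !SSLv2 is only a soft disable; DROWN still applies")
    return findings


if __name__ == "__main__":  # constructed sample: SSLv2 only 'soft disabled' via ciphers
    print(audit_sslv2("SSLProtocol all\nSSLCipherSuite HIGH:!aNULL:!SSLv2\n"))
```

Note that `SSLProtocol -SSLv2 all` is flagged: the bare `all` after the `-SSLv2` resets the set, so order matters.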
Received on Tue Mar 1 04:23:55 2016