[aklug] cached Alaskan Qualys SSL Labs results now updated for DROWN

From: Royce Williams <royce@tycho.org>
Date: Mon Mar 07 2016 - 07:29:41 AKST

Now that SSL Labs has support for checking for DROWN, I've rescanned my
Alaskan TLS list and updated the results here:

http://www.techsolvency.com/tls/

When the researchers said that ~33% of HTTPS servers were affected, they
were not kidding. You are probably sharing more RSA keys across systems
than you realize.

4693: no DROWN
2577: DROWN vuln
1030: DROWN unknown (still checking these, may be vulnerable)

Also remember to not ignore unintentional, expired, or misconfigured
hosts. If you have invalid TLS setups out there, their shared key material
makes other hosts just as vulnerable, so also check the "invalid" list here:

http://www.techsolvency.com/tls/invalid.html

Keep in mind that the test.drownattack.com results tell you what kind of
vulnerable you are. Eavesdropping exposure is the most common issue. If
you have HTTPS set up on purpose, it is probably to avoid that ... so it
probably deserves some attention. :)

I'm still working some bugs out. The "DROWN vuln" links that include an IP
work fine, but some of the ones that try to look up the hostname fail,
because I incorrectly derived what the URL should look like. Workaround is
to follow the small "Qualys" link on the left under your hostname in the
first column, which will show you the current results.

As usual, this is all about Alaskan herd health. Please contact me on list
or directly if you need any advice - 100% pro bono consulting to address
Alaskan exploitable TLS issues - within reason. :)

Royce

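The post's point that shared key material makes an otherwise clean host "just as vulnerable" can be checked mechanically from a scan inventory. The following is an added example, not code from the original post or from the techsolvency.com scanner; it assumes each host record carries an SPKI fingerprint (a hash of the certificate's public key) and whether the host itself offered SSLv2, and the records and fingerprints below are constructed placeholders.

```python
# Added example (not from the original post): propagate DROWN exposure
# across hosts that share RSA key material. A host that does not itself
# offer SSLv2 is still exposed if any host using the same key does.
from collections import defaultdict

# Constructed scan records: (hostname, SPKI fingerprint, SSLv2 offered?)
# None means the scan of that host did not complete ("DROWN unknown").
# The fingerprints are placeholders, not real key hashes.
SAMPLE_SCAN = [
    ("www.example.test", "key-A", False),
    ("old.example.test", "key-A", True),    # expired host, same key as www
    ("mail.example.test", "key-B", False),
    ("shop.example.test", "key-C", True),
    ("api.example.test", "key-D", None),    # scan did not complete
]


def classify(records):
    """Return {host: 'vuln' | 'no DROWN' | 'unknown'}.

    vuln:     the host, or any host sharing its key, offers SSLv2.
    unknown:  the host or a key-sharing host has not been scanned yet,
              and no sharing host is already known to be vulnerable.
    no DROWN: every host using this key was scanned and none offers SSLv2.
    """
    by_key = defaultdict(list)
    for host, spki, sslv2 in records:
        by_key[spki].append((host, sslv2))

    result = {}
    for host, spki, sslv2 in records:
        peers = by_key[spki]  # includes the host itself
        if any(s is True for _, s in peers):
            result[host] = "vuln"
        elif any(s is None for _, s in peers):
            result[host] = "unknown"
        else:
            result[host] = "no DROWN"
    return result


def tally(results):
    """Count hosts per status, in the same three buckets the post reports."""
    counts = {"no DROWN": 0, "vuln": 0, "unknown": 0}
    for status in results.values():
        counts[status] += 1
    return counts
```

Note that `www.example.test` is marked vulnerable even though it never offered SSLv2 itself: the expired `old.example.test` host shares its key, which is exactly the case the "invalid" list is meant to catch.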
Received on Mon Mar 7 05:47:52 2016
