[aklug] Re: cached Alaskan Qualys SSL Labs results now updated for DROWN

From: Royce Williams <royce@tycho.org>
Date: Mon Mar 07 2016 - 07:53:57 AKST

A few caveats:

- This first pass is based on older DNS dumps from October. I'll be
processing newer DNS dumps in the next day or so. So if you have new A
records since October, I haven't scanned them yet.

- My best understanding of remediation is to disable SSLv2 everywhere you
can, and generate new RSA keys for all (even indirectly) affected hosts.

- The Qualys tester only tests 443, so if you have non-443 hosts, you'll
need to check them yourself using one of the other resources here:

http://www.techsolvency.com/story-so-far/cve-2016-0800_sslv2-drown/

- This is a volunteer best effort, and no substitute for you nmapping your
own IP space on all ports for SSL, dumping zones out of your DNS, etc. to
run this stuff to ground.

- Qualys only tests HTTPS, so any other protocols -- SSL VPNs, POP, IMAP,
etc -- will also need to be checked for DROWN.

Royce

On Mon, Mar 7, 2016 at 7:29 AM, Royce Williams <royce@tycho.org> wrote:

> Now that SSL Labs has support for checking for DROWN, I've rescanned my
> Alaskan TLS list and updated the results here:
>
> http://www.techsolvency.com/tls/
>
>

Received on Mon Mar 7 06:12:08 2016
