[Cryptography] DROWN attack on SSLv2 enabled servers
Perry E. Metzger
perry at piermont.com
Tue Mar 1 10:07:11 EST 2016
TL;DR: if you have an TLS/SSL enabled service running on your
machines that willingly speaks SSLv2, you need to upgrade your systems
immediately, preferably by updating your SSL implementation but
at the very least permanently turning off SSLv2. This is because
SSLv2 can be used in an oracle attack to decrypt sessions that used
more secure versions of the TLS/SSL protocol.
https://drownattack.com/
Paper is at https://www.drownattack.com/drown-attack-paper.pdf
Perry
--
Perry E. Metzger perry at piermont.com
More information about the cryptography
mailing list