‘Drown’ Vulnerability in SSLv2 and TLS.
This week sees a new vulnerability in SSLv2 and TLS: the ‘Drown’ vulnerability, standing for “Decrypting RSA using Obsolete and Weakened eNcryption”. This already sounds pretty harrowing to anyone in the security field; anything with RSA decryption and weakened encryption you know is not going to be good. Matthew Green does a great job of explaining all about this, so I won’t attempt to regurgitate his excellent explanation, other than to highlight the issue and to say this doesn’t look good at all. I encourage you to read his blog and take note of this vulnerability:
http://blog.cryptographyengineering.com/2016/03/attack-of-week-drown.html
This just highlights the fact that when a penetration tester tells you that you still have SSL issues present on your server, you should definitely look into doing something about it, as described by myself here: https://www.adamcouch.co.uk/2015/09/10/changing-ssl-tls-cipher-suites-in-windows-and-linux/