Cloud sellers who acted on Heartbleed sink when it comes to DROWN

Response to the critical web-crypto-blasting DROWN vulnerability in SSL/TLS by cloud services has been much slower than the frantic patching witnessed when the Heartbleed vulnerability surfaced two years ago. DROWN (which stands for Decrypting RSA with Obsolete and Weakened eNcryption) is a serious design flaw that affects …

  1. Millennia

    Not drowning here

    So far the sites I've checked aren't DROWN vulnerable.

    You should have stopped supporting SSLv2 by now, end of.

    1. streaky

      Re: Not drowning here

      And SSLv3. Long ago...

      The starting position is that DROWN shouldn't work because nobody uses < TLS 1.0 anyway... It would inevitably raise questions about people affected and gross negligence.

      1. Anonymous Coward

        Re: Not drowning here

        Until they got complaints from people stranded on SSL whose connections broke and were threatening to defect...

      2. Anonymous Coward

        Re: Not drowning here

        Just checked. Yep, we're still supporting everything except SSL 2.0 in our browsers because if we didn't, websites people use for work on a regular basis broke.

        We tried disabling per recommendations, but gave up under the deluge of complaints from people who couldn't perform the work they were tasked to do.

        Now I get that that is on the browser, not the server side, but it still says something about the servers out there. Too much buggy old crap out there (mostly training sites, from what I recall, but given our employees HAVE to go to those sites for their yearly internal certification, there isn't much choice in the matter).

  2. MattPi

    I'd guess the people that acted on Heartbleed disabled SSLv2 entirely, so only the people that ignored Heartbleed are vulnerable to DROWN. Unless I've completely misunderstood the situation, that is.

  3. Charlie Clark

    The German BSI (Federal Office of IT Security) has been contacting the various ISPs / data centres after scanning them and providing lists of probably vulnerable servers. In turn, the ISPs are contacting the relevant server owners. Would be nice to see more of this, even if the initial e-mail suggested that there might have been a security breach and that the server would be shut down if no action was taken.

    I did have to fix one system but was able to track down the relevant instructions pretty easily. It's an older Debian system, and it gave me another reason to curse "packaged systems". Compiling and installing a new version of openssl was no problem. But, of course, you have to deal with non-standard paths and then configure the relevant services (e-mail, mainly). The server is due for an upgrade to something newer, but there are no convenient tools for migrating things like e-mail addresses. :-/

    Good place to start if you need to check.

  4. sysconfig

    Heartbleed: 1173 to 86; Drown: 653 to 620

    See the difference in the starting figures? 520. It likely means that a huge number of providers (cloud or otherwise) were not susceptible to Drown to begin with, because they ditched SSL v2 ages ago -- like any sensible person would have done.

    So the majority of those 520 providers were never among the 33 companies which have responded to Drown, because they didn't need to.

    You can't take numbers at face value and completely ignore that only stupid providers would still have been susceptible to Drown after it hit the headlines, because SSL v2 and v3 have been known to be unfit for purpose for quite some time now, and sensible providers and sysadmins would have known that.

    Skyhigh Networks' Cloud Security Labs have discredited themselves, and El Reg shares the guilt for believing and blindly printing what the EMEA Marketing Director said...

  5. Vince

    I'm not sure the drownattack site was even accurate to begin with.

    It told me that some of our IPs/servers were vulnerable. But we haven't supported or allowed SSLv2 for years.

    ...a couple of days after it appeared on the BBC, I checked again and we had supposedly now fixed it, but it was never "not fixed".
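The thread keeps coming back to one question: does a given server still answer SSLv2 at all (comment 1's "you should have stopped supporting SSLv2 by now", and comment 5's doubt about the drownattack checker's results)? Below is an added example of how to answer that yourself, written for this page rather than taken from the article, any commenter, or the drownattack.com checker. Python's ssl module no longer speaks SSLv2, so the ClientHello and ServerHello are built and parsed by hand from the SSL 2.0 draft message formats; the function names (build_client_hello, parse_server_hello, assess, probe, constructed_server_hello) are mine, and the ServerHello used offline is a constructed sample with a placeholder certificate blob, not a capture from any real host.

```python
"""SSLv2 probe: the precondition for DROWN is a server that still answers an
SSLv2 ClientHello. Python's ssl module no longer speaks SSLv2, so the handshake
is assembled by hand from the SSL 2.0 draft message formats."""
import os
import socket
import struct

# SSLv2 "cipher kinds" (3-byte cipher specs) from the SSL 2.0 draft spec.
SSLV2_CIPHERS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
# 40-bit export kinds: the weakest thing the server can be talked into.
EXPORT_KINDS = {"SSL_CK_RC4_128_EXPORT40_WITH_MD5", "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5"}

MSG_CLIENT_HELLO = 0x01
MSG_SERVER_HELLO = 0x04


def build_client_hello(challenge=None):
    """Return one SSLv2 record carrying a ClientHello that offers every cipher kind."""
    challenge = challenge or os.urandom(16)
    cipher_specs = b"".join(SSLV2_CIPHERS.keys())
    body = (bytes([MSG_CLIENT_HELLO]) + b"\x00\x02"                     # msg type, version 0x0002
            + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))  # spec len, session-id len, challenge len
            + cipher_specs + challenge)
    # 2-byte SSLv2 record header: high bit set, 15-bit body length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_hello(record):
    """Return the cipher names an SSLv2 ServerHello offers, or None if the bytes
    are not an SSLv2 ServerHello record (e.g. a TLS alert, or no reply at all)."""
    if len(record) < 2 or not record[0] & 0x80:
        return None
    length = ((record[0] & 0x7F) << 8) | record[1]
    body = record[2:2 + length]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return None
    # Layout: type(1) session_id_hit(1) cert_type(1) version(2) cert_len(2)
    #         cipher_specs_len(2) conn_id_len(2) cert cipher_specs conn_id
    cert_len, specs_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    return [SSLV2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
            for i in range(0, len(specs) - len(specs) % 3, 3)]


def assess(ciphers):
    """Map a parse result to (exposed, reason). Any SSLv2 ServerHello at all means
    the server speaks SSLv2 with this RSA key, which is what DROWN needs."""
    if ciphers is None:
        return False, "no SSLv2 ServerHello: SSLv2 is not offered"
    if not ciphers:
        return True, "SSLv2 ServerHello with an empty cipher list: SSLv2 is still handled, treat as exposed"
    export = sorted(c for c in ciphers if c in EXPORT_KINDS)
    if export:
        return True, "SSLv2 offered with export ciphers: " + ", ".join(export)
    return True, "SSLv2 offered: " + ", ".join(ciphers)


def probe(host, port=443, timeout=5.0):
    """Send the ClientHello to a live server and return assess() of its reply.
    Not exercised offline; point it only at a host you are allowed to test."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                data += chunk
                if not data[0] & 0x80:   # not an SSLv2 record header (TLS alert etc.), stop reading
                    break
                if len(data) >= 2 and len(data) >= 2 + (((data[0] & 0x7F) << 8) | data[1]):
                    break
        except socket.timeout:
            pass
    return assess(parse_server_hello(data))


def constructed_server_hello():
    """A constructed SSLv2 ServerHello offering RC4-128 and 40-bit export RC4,
    with a placeholder 5-byte 'certificate'; built here only to exercise the parser."""
    cert = b"\x30\x03\x02\x01\x01"                      # placeholder bytes, not a real X.509 cert
    specs = b"\x01\x00\x80" + b"\x02\x00\x80"
    conn_id = b"\x00" * 16
    body = (bytes([MSG_SERVER_HELLO]) + b"\x00" + b"\x01" + b"\x00\x02"   # no session hit, X.509, v2
            + struct.pack(">HHH", len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))                        # live probe: python probe.py host
    else:
        print(assess(parse_server_hello(constructed_server_hello())))
```

Two things the commenters' experience bears out are built in: the verdict is driven by whether any SSLv2 ServerHello comes back, not by which ciphers are listed, because a server that handles the SSLv2 handshake at all exposes the RSA key it shares with its TLS listeners; and a server that answers with a TLS alert or just closes the socket returns None, which is the "not offered" result a site that disabled SSLv2 years ago should produce on every port that presents the same key (443 is only the default).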

  6. Anonymous Coward

    Potentially?

    "One-third of all HTTPS websites were potentially vulnerable..."

    Either they're vulnerable or they're not vulnerable.

Biting the hand that feeds IT © 1998–2020