Not drowning here
So far the sites I've checked aren't DROWN vulnerable.
You should have stopped supporting SSLv2 by now, end of.
Response to the critical web-crypto-blasting DROWN vulnerability in SSL/TLS by cloud services has been much slower than the frantic patching witnessed when the Heartbleed vulnerability surfaced two years ago. DROWN (which stands for Decrypting RSA with Obsolete and Weakened eNcryption) is a serious design flaw that affects …
Just checked. Yep, we're still supporting everything except SSL 2.0 in our browsers because if we didn't, websites people use for work on a regular basis broke.
We tried disabling per recommendations, but gave up under the deluge of complaints from people who couldn't perform the work they were tasked to do.
Now I get that that is on the browser, not the server, side, but it still says something about the servers out there. Too much buggy old crap out there (mostly training sites from what I recall, but given our employees HAVE to go to those sites for their yearly internal certification, there isn't much choice in the matter).
The German BSI (Federal Office of IT Security) has been contacting the various ISPs / data centres after scanning them and providing lists of probably vulnerable servers. In turn the ISPs are contacting the relevant server owners. Would be nice to see more of this, even if the initial e-mail suggested that there might have been a security breach and that the server would be shut down if no action was taken.
I did have to fix one system but was able to track down the relevant instructions pretty easily. It's an older Debian system and gave me another reason to curse "packaged systems". Compiling and installing a new version of openssl was no problem. But, of course, you have to deal with non-standard paths and then configure the relevant services (e-mail, mainly). The server is due for an upgrade to something newer but there are no convenient tools for migrating things like e-mail addresses. :-/
Good place to start if you need to check.
See the difference in the starting figures? 520. It likely means that a huge number of providers (cloud or otherwise) were not susceptible to Drown to begin with, because they ditched SSL v2 ages ago -- like any sensible person would have done.
So the majority of those 520 providers were never among the 33 companies which have responded to Drown, because they didn't need to.
You can't take numbers at face value and completely ignore that only stupid providers would still have been susceptible to Drown after it hit the headlines, because SSL v2 and v3 have been known to be unfit for purpose for quite some time now, and sensible providers and sys admins would have known that.
Skyhigh Networks' Cloud Security Labs have discredited themselves, and El Reg shares the guilt for believing and blindly printing what the EMEA Marketing Director said...
I'm not sure the drownattack site was even accurate to begin with.
It told me that some of our IPs/servers were vulnerable. But we haven't supported or allowed SSLv2 for years.
...a couple of days after it appeared on BBC, checked again and we had supposedly now fixed it, but it was never "not fixed"
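When a third-party scanner such as drownattack.com disagrees with what you believe your servers do, the way to settle it is to ask the server directly: send it a raw SSLv2 CLIENT-HELLO and see whether it answers with an SSLv2 SERVER-HELLO. The script below is an added example written for this thread; it is not the drownattack.com checker's code, not part of any OpenSSL release, and not something any commenter posted. The record layouts follow the SSL 2.0 draft specification; the three sample replies at the bottom are constructed by hand so the parser can be exercised offline, and the `probe()` function is the only part that touches the network.

```python
"""
Raw SSLv2 probe: does a server still speak SSLv2 (and so is a DROWN candidate)?
Added illustration for this thread; not the drownattack.com tool, not OpenSSL.
"""
import socket
import struct

# SSLv2 CIPHER-KIND values (3 bytes each) from the SSL 2.0 draft specification.
SSLV2_CIPHERS = {
    "SSL_CK_RC4_128_WITH_MD5":              b"\x01\x00\x80",
    "SSL_CK_RC4_128_EXPORT40_WITH_MD5":     b"\x02\x00\x80",
    "SSL_CK_RC2_128_CBC_WITH_MD5":          b"\x03\x00\x80",
    "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5": b"\x04\x00\x80",
    "SSL_CK_IDEA_128_CBC_WITH_MD5":         b"\x05\x00\x80",
    "SSL_CK_DES_64_CBC_WITH_MD5":           b"\x06\x00\x40",
    "SSL_CK_DES_192_EDE3_CBC_WITH_MD5":     b"\x07\x00\xc0",
}
MSG_ERROR, MSG_CLIENT_HELLO, MSG_SERVER_HELLO = 0x00, 0x01, 0x04
TLS_ALERT = 0x15  # TLS record content type; what an SSLv2-free stack replies with


def build_client_hello(challenge: bytes = b"\x00" * 16) -> bytes:
    """Return an SSLv2 CLIENT-HELLO record offering every SSLv2 cipher kind."""
    ciphers = b"".join(SSLV2_CIPHERS.values())
    body = (bytes([MSG_CLIENT_HELLO]) + b"\x00\x02"       # CLIENT-VERSION 2
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))
            + ciphers + challenge)                        # no SESSION-ID
    # Two-byte record header: top bit set means no padding byte, 15-bit length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def _record(data: bytes):
    """Parse an SSLv2 record header; return (declared length, body received so far)."""
    if data[0] & 0x80:                        # 2-byte header, no padding
        hdr, length = 2, ((data[0] & 0x7F) << 8) | data[1]
    else:                                     # 3-byte header, data[2] is padding length
        hdr, length = 3, ((data[0] & 0x3F) << 8) | data[1]
    return length, data[hdr:hdr + length]


def parse_server_reply(data: bytes) -> dict:
    """Classify the first thing a server sent back after our CLIENT-HELLO."""
    if len(data) < 3:
        return {"sslv2": False, "reason": "connection closed or empty reply"}
    if data[0] == TLS_ALERT:
        return {"sslv2": False, "reason": "TLS alert"}
    _, body = _record(data)
    if not body:
        return {"sslv2": False, "reason": "truncated record"}
    if body[0] == MSG_ERROR:
        code = struct.unpack(">H", body[1:3])[0] if len(body) >= 3 else None
        return {"sslv2": False, "reason": f"SSLv2 ERROR code {code}"}
    if body[0] != MSG_SERVER_HELLO or len(body) < 11:
        return {"sslv2": False, "reason": f"unexpected message type {body[0]}"}
    # SERVER-HELLO: SESSION-ID-HIT, CERTIFICATE-TYPE, SERVER-VERSION, then the
    # lengths of the certificate, the cipher specs and the connection-id,
    # followed by those three fields in that order.
    _hit, _cert_type, version, cert_len, ciph_len, _conn_len = struct.unpack(
        ">BBHHHH", body[1:11])
    specs_raw = body[11 + cert_len:11 + cert_len + ciph_len]
    specs = {specs_raw[i:i + 3] for i in range(0, len(specs_raw), 3)}
    names = [n for n, v in SSLV2_CIPHERS.items() if v in specs]
    return {
        "sslv2": True,
        "version": version,
        "ciphers": names,                                   # accepted by the server
        "export_ciphers": [n for n in names if "EXPORT" in n],
        "reason": "SERVER-HELLO received",
    }


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check over plain TCP (implicit-TLS ports only; no STARTTLS here)."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
                if data[0] == TLS_ALERT:
                    break
                if len(data) >= 3:
                    length, body = _record(data)
                    if len(body) >= length:       # whole SSLv2 record is in
                        break
        except socket.timeout:
            pass
    return parse_server_reply(data)


# Constructed sample replies (not captured from any real host), for offline use.
SAMPLE_SERVER_HELLO = (
    b"\x80\x25"                    # record header: 37-byte body, no padding
    b"\x04"                        # SERVER-HELLO
    b"\x00\x01"                    # SESSION-ID-HIT = 0, CERTIFICATE-TYPE = X.509
    b"\x00\x02"                    # SERVER-VERSION 2
    b"\x00\x04\x00\x06\x00\x10"    # cert 4 bytes, two cipher specs, 16-byte conn-id
    b"CERT"                        # placeholder certificate bytes
    b"\x01\x00\x80\x02\x00\x80"    # server accepts RC4-128 and RC4-128-EXPORT40
    + b"\x00" * 16                 # CONNECTION-ID
)
SAMPLE_SSLV2_ERROR = b"\x80\x03\x00\x00\x01"         # ERROR, SSL_PE_NO_CIPHER
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"   # TLS fatal protocol_version

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
    else:
        print(parse_server_reply(SAMPLE_SERVER_HELLO))
```

Two points a practitioner should keep in mind when running this. First, a SERVER-HELLO listing any of the EXPORT40 ciphers is the worst case, because the DROWN attack as published relies on the server accepting 40-bit export keys. Second, DROWN is a cross-protocol attack on the RSA key, not on the web server: the probe needs to be run against every implicit-TLS port that serves the same certificate (443, 465, 993, 995), and ports that negotiate TLS after a STARTTLS command (25, 587, 110, 143) need that exchange first, which `probe()` does not do. A reply of a TLS alert or a closed connection is what a correctly configured server gives.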