back to article F5 DROWNing, not waving, in crypto fail

If you're an F5 BIG-IP sysadmin, get patching: there's a bug in the company's RSA implementation that can give an attacker access to encrypted messages. As the CVE assignment stated: “a virtual server configured with a Client SSL profile may be vulnerable to an Adaptive Chosen Ciphertext attack (AKA Bleichenbacher attack) …

  1. John Smith 19 Gold badge
    Gimp

    But note "Significantly more difficult" does not mean impossible

    Especially with state actors.

  2. Sir Runcible Spoon Silver badge
    Paris Hilton

    Eh?

    "(Decrypting RSA with Obsolete and Weakened Encryption)"

    Surely that would be DROWE then?

    1. NoneTheFewer

      Re: Eh?

      DR SAOWE!

    2. Deltics
      Boffin

      Re: Eh?

      Encryption -> "En..." -> N

      As in "Dee Are Oh Double-You En"

      Unless you spell out DROWN as "Duh Ruh O Wuh Nuh". :)

      1. Sir Runcible Spoon Silver badge
        Joke

        Re: Eh?

        I see what you are saying Deltics (and I understand that some acronyms borrow letters from a word subsequent to the first) but it still doesn't make any sense.

        Also, it was just a joke :P

  3. teknopaul Silver badge

    Did I miss something, seems like an F5 misconfigured to permit downgrade attacks is vulnerable to downgrade attacks.

    1. EnviableOne Bronze badge

      Nah just the BIG-IP with big Intelectual Property holes in it again

  4. Anonymous Coward
    Anonymous Coward

    Cloudflare's statement is incorrect

    The RSA key is NEVER in danger of being exposed here. The easiest fix is to use ECDHE:DHE instead of RSA for key exchanges. “DEFAULT:!RSA” or “ECDHE:DHE” makes this a non-issue.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019