SSL Labs Fortifies Security with New DROWN Tests
SSL Labs has deployed DROWN tests in its staging environment, with a move to production imminent. The new tests target the recently discovered DROWN vulnerability, which exploits the insecurity of SSL v2 to attack other protocols.
SSL Labs employs Censys' API to identify vulnerable servers in its dataset and conduct real-time checks for DROWN vulnerabilities. The DROWN attacks target OpenSSL versions 1.0.2 and 1.1.0 on servers supporting SSLv2, as well as certain versions of other TLS libraries that enable SSLv2.
The DROWN vulnerability introduces two additional attack vectors. First, generic attacks target servers that reuse RSA keys. Second, attacks focus on servers running vulnerable OpenSSL versions. SSL Labs considers a server vulnerable if its RSA keys or certificate hostnames are found elsewhere, even if the server's own configuration is not vulnerable.
A manual check of an SSL Labs result may fail to connect over SSL v2, but the server could still be vulnerable because of a specific OpenSSL variant.
SSL Labs' DROWN tests enhance server security by identifying potential vulnerabilities. The tests consider a server vulnerable if matching credentials are found elsewhere, regardless of its current configuration. As DROWN exploits SSL v2's insecurity to attack other protocols, these tests are crucial for maintaining robust security.
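The cross-server matching rule described above, sketched as an added example that is not SSL Labs' or Censys' code. The inventory record format, fingerprints and hostnames are constructed assumptions; the function flags endpoints that do not speak SSL v2 themselves but share an RSA key or certificate hostname with an endpoint that does.

```python
from collections import defaultdict
from typing import NamedTuple

class Endpoint(NamedTuple):
    addr: str              # "host:port" of the scanned service
    key_fp: str            # fingerprint of the RSA public key (constructed values)
    cert_names: frozenset  # hostnames listed in the certificate
    sslv2: bool            # True if the scan negotiated SSL v2

# Constructed sample inventory; not real scan data.
INVENTORY = [
    Endpoint("www.example.test:443", "fp-aaaa", frozenset({"www.example.test"}), False),
    Endpoint("mail.example.test:25", "fp-aaaa", frozenset({"mail.example.test"}), True),
    Endpoint("old.example.test:443", "fp-bbbb", frozenset({"shop.example.test"}), True),
    Endpoint("shop.example.test:443", "fp-cccc", frozenset({"shop.example.test"}), False),
    Endpoint("api.example.test:443", "fp-dddd", frozenset({"api.example.test"}), False),
]

def drown_exposure(inventory):
    """Return {addr: sorted reasons} for every endpoint exposed to DROWN."""
    v2_by_key = defaultdict(set)   # key fingerprint -> SSL v2 endpoints using it
    v2_by_name = defaultdict(set)  # cert hostname -> SSL v2 endpoints presenting it
    for ep in inventory:
        if ep.sslv2:
            v2_by_key[ep.key_fp].add(ep.addr)
            for name in ep.cert_names:
                v2_by_name[name].add(ep.addr)

    findings = {}
    for ep in inventory:
        reasons = set()
        if ep.sslv2:
            reasons.add("sslv2-enabled")
        # Same RSA key served elsewhere over SSL v2: exposed despite own config.
        for other in v2_by_key.get(ep.key_fp, set()) - {ep.addr}:
            reasons.add(f"key-reuse:{other}")
        # Certificate hostname also presented by an SSL v2 endpoint.
        for name in ep.cert_names:
            for other in v2_by_name.get(name, set()) - {ep.addr}:
                reasons.add(f"hostname-match:{other}")
        if reasons:
            findings[ep.addr] = sorted(reasons)
    return findings

if __name__ == "__main__":
    for addr, reasons in drown_exposure(INVENTORY).items():
        print(addr, reasons)
```

Fixing a `key-reuse` finding means disabling SSL v2 on the other endpoint or issuing a separate key; changing the flagged server's own protocol settings does not clear it.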