Mar/02
2016

DROWN goes around the world

For those of you who haven't heard, DROWN is a vulnerability in SSL. There are already plenty of complicated descriptions out there, but in short: if your server supports SSLv2 (on any service, such as POP3 or IMAP, not just HTTPS), an attacker could easily crack the private key from that certificate and therefore also has the private key to every other service that uses that certificate.

For instance, Twitter's web server was not vulnerable, but a few of their mail servers in the back still had SSLv2 support. In that case one could have cracked the private key for Twitter's certificate and used it either to spy on the traffic or to impersonate Twitter. I think you can come up with why someone would do that on your own.
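For defenders, the Twitter case above turns into an inventory check: an endpoint that refuses SSLv2 is still exposed if another endpoint with the same certificate key accepts it. The following is an added example, not code from this post or from the uleak.de scanner; the hosts, fingerprints and field names are constructed placeholders standing in for merged scanner output.

```python
from collections import defaultdict
from typing import NamedTuple


class Endpoint(NamedTuple):
    host: str
    port: int
    service: str
    key_fp: str   # fingerprint of the certificate's public key (constructed)
    sslv2: bool   # True if the endpoint accepted an SSLv2 handshake


# Constructed inventory: hypothetical hosts, not real scan results.
INVENTORY = [
    Endpoint("www.example.test", 443, "https", "aa11", False),
    Endpoint("mail1.example.test", 995, "pop3s", "aa11", True),
    Endpoint("mail2.example.test", 993, "imaps", "aa11", False),
    Endpoint("shop.example.test", 443, "https", "bb22", False),
    Endpoint("legacy.example.test", 465, "smtps", "cc33", True),
]


def drown_exposure(inventory):
    """Map each endpoint to (status, [SSLv2 endpoints sharing its key])."""
    by_key = defaultdict(list)
    for ep in inventory:
        by_key[ep.key_fp].append(ep)

    report = {}
    for eps in by_key.values():
        culprits = [f"{e.host}:{e.port}" for e in eps if e.sslv2]
        for ep in eps:
            if ep.sslv2:
                report[ep] = ("direct", [])          # speaks SSLv2 itself
            elif culprits:
                report[ep] = ("via-shared-key", culprits)
            else:
                report[ep] = ("ok", [])
    return report


def keys_to_remediate(inventory):
    """Keys served by at least one SSLv2 endpoint: disable SSLv2 there."""
    return sorted({ep.key_fp for ep in inventory if ep.sslv2})


if __name__ == "__main__":
    for ep, (status, culprits) in drown_exposure(INVENTORY).items():
        via = f" (SSLv2 on {', '.join(culprits)})" if culprits else ""
        print(f"{ep.host}:{ep.port} {ep.service:6} {status}{via}")
    print("keys needing action:", keys_to_remediate(INVENTORY))
```

In this sample the HTTPS front end is flagged only because the POP3 host shares its key, which is the situation the Twitter example describes.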

However, as a side note, I just launched my new project ( https://uleak.de/ ) yesterday, which actually has a self-made scanner for DROWN that is free to use for everyone. By the way, the scan available on my page is real-time, not just a database query like https://drownattack.com/