DROWN Vulnerability CVE-2016-0800 in OpenSSL Misses Most NGINX Users
DROWN Vulnerability CVE-2016-0800 in OpenSSL Misses Most NGINX Users A new OpenSSL vulnerability (CVE-2016-0800), called DROWN, was recently announced. It affects older versions of several widely-used server technologies: SSLv2, an old version of the Secure Sockets Layer protocol. Most up-to-date websites don’t use SSL at all, having moved to TLS (Transport Layer Security) IIS v7. An older version of Microsoft Internet Information Services NSS 3.13. Network Security Services, a widely used cryptographic library The DROWN vulnerability is described on the dedicated website, The DROWN Attack. It stands for Decrypting RSA with Obsolete and Weakened eNcryption, and makes vulnerable websites susceptible to man-in-the-middle attacks. DROWN is unusual in that it does not require a site to actively use SSLv2 or other vulnerable protocols. A site is vulnerable if it supports one of the vulnerable protocols or shares a private key with [ more… ]
