New SSL vulnerability - Drown Attack

TheRyuu

Diamond Member
Dec 3, 2005
There was some talk about how simply disabling SSLv2 ciphers wasn't enough because OpenSSL in all of its glorious wisdom would still allow them if forced. You have to make sure to disable the SSLv2 protocol and not just the ciphers. That should make it safe until you can update.

Some Linux distributions have already been shipping OpenSSL with SSLv2 disabled because of previous issues with it, so they shouldn't be at risk (pretty sure Debian is one of those, but not 100% sure on it).
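To illustrate the distinction the post above draws, here is an added Apache httpd mod_ssl example (not the poster's own configuration): the first block only strips SSLv2 cipher suites from the offered list, the second actually disables the protocol version. The directive names are real; the cipher string values are assumed for the example.

```apache
# Added example, hypothetical vhost: adjust for your own server.

# Insufficient: this only removes SSLv2-era cipher suites from the list
# the server offers. The SSLv2 protocol version itself stays enabled, so
# an SSLv2 handshake can still be forced.
SSLCipherSuite HIGH:!aNULL:!MD5:!SSLv2

# Required: disable the SSLv2 (and SSLv3) protocol versions outright, then
# restrict ciphers on top of that and let the server pick the order.
SSLProtocol all -SSLv2 -SSLv3
SSLCipherSuite HIGH:!aNULL:!MD5
SSLHonorCipherOrder on
```

Apply the same protocol restriction to every other service (mail, LDAP, etc.) that shares the same certificate and private key, and still update OpenSSL itself as the post says.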
 

John Connor

Lifer
Nov 30, 2012
Well, that site only queries a database for the site you enter in the search box. It doesn't do a live real time scan. So I would have to use the client because their server more than likely wouldn't be able to scan my websites with me blocking certain things and many hosting providers like Rackspace, Digital Ocean, Amazon AWS, etc, etc.

But now that I think of it, I do recall seeing a CSS SSL something or other scan bot in my server logs a few times that got a 403.
If anyone wants to test for other vulnerabilities, check this site out. https://www.ssllabs.com/ssltest/
 