Announcement

**Veerappan** · 01 March 2016, 11:57 AM

I knew there was something ominous about the libssl update this morning when I updated my work laptop...

**AnonymousCoward** · 01 March 2016, 12:10 PM

What is the problem? Shouldn't be all SSL2/3 connections been disabled for years now?

**Veerappan** · 01 March 2016, 12:28 PM

Originally posted by AnonymousCoward View Post

What is the problem? Shouldn't be all SSL2/3 connections been disabled for years now?

SSL3 should be disabled because it's just plain busted, but SSL2 is still in common use in the wild for system-to-system communication, and probably in plenty of browser connections as well.

**cmr~** · 01 March 2016, 01:19 PM

Originally posted by AnonymousCoward View Post

What is the problem? Shouldn't be all SSL2/3 connections been disabled for years now?

You should read the paper or the website. It's a somewhat complex cross-protocol attack, and they demonstrate . Importantly, it applies whenever the private key material is shared, not just when the same certificate is used. Mentioned in the paper, but unfortunately not by Michael's summary, is that it affects 22% of all webservers. See the paper for details.

**carewolf** · 01 March 2016, 01:26 PM

Originally posted by Veerappan View Post

SSL3 should be disabled because it's just plain busted, but SSL2 is still in common use in the wild for system-to-system communication, and probably in plenty of browser connections as well.

No SSLv3 was broken recently and still in use in old hardware. SSLv2 was broken some 15-20 years ago, and has been deprecated and unused for just as long.

Announcement

SSLv2 "DROWN" Vulnerability Disclosed

SSLv2 "DROWN" Vulnerability Disclosed

Comment

Comment

Comment

Comment

Comment