
We would like to bring to your attention the latest SSL/TLS vulnerability, known as the DROWN (Decrypting RSA using Obsolete and Weakened eNcryption) attack [1]. Although there is much hype around such vulnerabilities, it is rated as important and seems serious enough for us to send out this alert, particularly as the tester identifies weak SSL configurations / vulnerable library versions which may be subject to other vulnerabilities.

For more information

Recommendation

Test your site(s) here and mitigate if vulnerable:

Generally, mitigation involves disabling support for SSLv2 and possibly updating SSL libraries (e.g. OpenSSL). Sharing keys/certificates with a vulnerable server also presents a risk. For more specific directions, please consult the reference for your OS (e.g. [2]).

Further reading

References

[1] CVE-2016-0800: Vulnerability Summary

[2] Red Hat: DROWN – Cross-protocol attack on TLS using SSLv2