Reply to post:

One-third of all HTTPS websites open to DROWN attack

LDS Silver badge

Beware that as OpenSSL itself warns, the SSLv2 server can be one "even with a different protocol such as SMTP, IMAP or POP", as long as it shares the RSA key with the TLS one.

Thereby if someone used the same cert to protect both an HTTP server and a mail server (or whatever else) connections with the same cert, all servers needs to be patched/configured to not use SSLv2, even under a downgrade attack.

"Servers" in this context is "server applications (daemon/services)" not instance, physical or virtual, of a server OS.

And because it is a protocol flaw, not an OpenSSL one, servers that doesn't use OpenSSL but another implementation of SSL, could be a vulnerability issue as well, if not properly configured.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021