A new vulnerability affecting SSLv2 called DROWN (CVE-2016-0800) was announced this week. We are happy to announce that our security team disabled SSLv2 on all Instart Logic servers long before this vulnerability was announced. So as long as customers have SSLv2 disabled on their origin servers, they will be safe.
DROWN stands for Decrypting RSA with Obsolete and Weakened Encryption. By exploiting DROWN, an attacker can land a man-in-the-middle-style attack. It can force an RSA key exchange between a browser and a vulnerable server and then decrypt the connection.
SSLv2 is known to have other vulnerabilities, and for that reason all modern clients started using modern TLS protocols long ago. However, merely switching to a modern protocol is not enough to prevent DROWN from being exploited. In order to prevent this attack completely, SSLv2 should be disabled on all servers.
We at Instart Logic take the security of our customers seriously. While we are proactively testing our customer’s origin servers for vulnerabilities and notifying them if any are affected, our recommendation to our customers is to check all their origin servers and make sure SSLv2 has been disabled locally.
More information on the vulnerability: