« DROWN abuses SSL v2 to attack TLS | Main | SSL Labs DROWN test implementation details »

DROWN grading update

March 04, 2016

We are releasing an update to the grading criteria, version 2009l, to respond to the discovery of the DROWN attack. If a server is found to be vulnerable to DROWN it will be given an F, even though it might not support SSL v2 itself. (The nature of the DROWN vulnerability is such that servers that support SSL v2 can affect other servers, irrespective of supported protocol versions). You’ll find more information about our DROWN test here. Additionally, servers that support SSL v2 but don’t have any cipher suites configured are treated as if they had SSL v2 fully enabled.

This update also contains two fixes to our grading code, which we don’t consider to be changes to our grading criteria:

  • Servers that have invalid HPKP information are not awarded A+.
  • Servers that have an RSA key with exponent 1 are given an F.
MY BOOK: If you like this blog post, you will love Bulletproof SSL and TLS. For system administrators, developers, and IT security professionals, this book provides a comprehensive coverage of the ever-changing field of SSL/TLS and Internet PKI and will teach you everything you need to know to protect your systems from eavesdropping and impersonation attacks. It's available now.