DROWN security threat: Difference between revisions
m (→2. Disable SSL V3 (Model 204 7.5 and higher): add word) |
m (wordsmithing and new link) |
||
(One intermediate revision by the same user not shown) | |||
Line 3: | Line 3: | ||
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) allows an attacker to decrypt intercepted TLS connections by making specially crafted connections to an SSL V2 server that uses the same private key. | DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) allows an attacker to decrypt intercepted TLS connections by making specially crafted connections to an SSL V2 server that uses the same private key. | ||
As stated in the detailed recommendations below, under Model 204 7.5 and later, | As stated in the detailed recommendations below, under Model 204 7.5 and later, SSL V2 support is disabled. The best solution to the DROWN attack is to upgrade to the latest release, Model 204 7.6. | ||
==Recommendations== | ==Recommendations== | ||
The DROWN threat exploits a security vulnerability of SSL ports that use SSL V2. | The DROWN threat exploits a security vulnerability of SSL ports that use SSL V2. Based on the known characteristics of the DROWN attack and test results, the Rocket M204 security team has the following recommendations: | ||
===1. Disable SSL V2 (Model 204 7.4 and lower)=== | ===1. Disable SSL V2 (Model 204 7.4 and lower)=== | ||
Line 13: | Line 13: | ||
<li>On an older version of Model 204, set the Janus port parameter <var>[[SSLPROT (JANUS DEFINE parameter)|SSLPROT]]</var> to X'1E' on all Janus SSL ports. This disables SSL V2. The <var>SSLPROT</var> default for these versions is X'07'. </li> | <li>On an older version of Model 204, set the Janus port parameter <var>[[SSLPROT (JANUS DEFINE parameter)|SSLPROT]]</var> to X'1E' on all Janus SSL ports. This disables SSL V2. The <var>SSLPROT</var> default for these versions is X'07'. </li> | ||
<p> | |||
You can issue a <code>[[JANUS DISPLAY]]</code> command to view the <var>JANUS DEFINE</var> parameters explicitly defined for Janus ports for your Model 204 Online. </p> | |||
<p> | <p> | ||
It is also strongly recommended that you upgrade to Model 204 7.6 as soon as possible. </p></li> | It is also strongly recommended that you upgrade to Model 204 7.6 as soon as possible. </p></li> | ||
Line 19: | Line 21: | ||
</ul> | </ul> | ||
===2. Disable SSL V3 (Model 204 | ===2. Disable SSL V3 (all Model 204 versions)=== | ||
While SSL V3 is not considered a major security exposure, Rocket Technical Support recommends also disabling SSL V3. | While SSL V3 is not considered a major security exposure, Rocket Technical Support recommends also disabling SSL V3. | ||
Latest revision as of 19:46, 28 March 2016
Janus Network Security customers should be aware of a security threat known as the "DROWN attack" (https://drownattack.com/). The DROWN threat exploits a security vulnerability of network SSL ports that use SSL V2.
DROWN (Decrypting RSA with Obsolete and Weakened eNcryption) allows an attacker to decrypt intercepted TLS connections by making specially crafted connections to an SSL V2 server that uses the same private key.
As stated in the detailed recommendations below, under Model 204 7.5 and later, SSL V2 support is disabled. The best solution to the DROWN attack is to upgrade to the latest release, Model 204 7.6.
Recommendations
The DROWN threat exploits a security vulnerability of SSL ports that use SSL V2. Based on the known characteristics of the DROWN attack and test results, the Rocket M204 security team has the following recommendations:
1. Disable SSL V2 (Model 204 7.4 and lower)
- On Model 204 7.5 and later, SSL V2 support is already disabled.
- On an older version of Model 204, set the Janus port parameter SSLPROT to X'1E' on all Janus SSL ports. This disables SSL V2. The SSLPROT default for these versions is X'07'.
- Make sure that Janus ports do not share certificates with any other ports that support SSL V2. Even ports that do not support SSL V2 are vulnerable to the DROWN attack if they share certificates with ports that do.
You can issue a JANUS DISPLAY
command to view the JANUS DEFINE parameters explicitly defined for Janus ports for your Model 204 Online.
It is also strongly recommended that you upgrade to Model 204 7.6 as soon as possible.
2. Disable SSL V3 (all Model 204 versions)
While SSL V3 is not considered a major security exposure, Rocket Technical Support recommends also disabling SSL V3.
To do this, specify one of the following settings on all Janus SSL ports:
- Recommended, if possible in your environment: Set SSLPROT X'10', which only allows TLS 1.2. (The drawback to this approach is that quite a few SSL clients still do not support TLS 1.2.)
- Next best alternative: Set SSLPROT X'18', which disables TLS 1.0.
- Or, set SSLPROT X'1C', which allows only TLS 1.2, 1.1, and 1.0.
The problem with SSL V3
SSL V3 has been known to be a security risk since 2014 (see Google Security Blog article).
By default, some browsers may not support SSL V3. Currently, when using the FireFox browser, if your connection requires SSL V3, you may get an error like the following:
The discussion of this error is found on the Mozilla support pages.
After SSL V3 is disabled
If an application needs SSL V3 and a Janus port has disabled it, Model 204 will reject the connection and return the following error to the browser:
MSIR.0573 SSL client trying to use unsupported protocol: protocol
The message means that a client (probably a web browser) tried to connect to an SSL port, but it tried to use an SSL protocol that is explicitly blocked by the SSLPROT parameter in the JANUS DEFINE command.
See also
For more technical information about the DROWN attack, see: https://drownattack.com/drown-attack-paper.pdf
If you have further questions about this DROWN issue, contact Rocket Technical Support at Support@RocketSoftware.com.