Bug 368929

Summary: SSL certificate *.kde.org is vulnerable to DROWN attack
Product: [Websites] www.kde.org
Reporter: Thomas Bettler <thomas.bettler>
Component: general
Assignee: kde-www mailing-list <kde-www>
Status: RESOLVED FIXED
Severity: normal
CC: aacid, bcooksley, rich
Priority: NOR
Version: unspecified
Target Milestone: ---
Platform: unspecified
OS: All
URL: https://www.ssllabs.com/ssltest/analyze.html?d=kde.org&s=91.189.93.5#drownTable
Latest Commit:
Version Fixed In:

Description Thomas Bettler 2016-09-16 21:51:02 UTC
According to https://test.drownattack.com/?site=212.110.188.12 developer.kde.org provides mail services via SSLv2 using the same SSL certificate as kde.org does.

These servers reusing the same RSA keys render the SSL encryption vulnerable to the DROWN attack. https://drownattack.com/drown-attack-paper.pdf

Reproducible: Always


Actual Results:  
see https://www.ssllabs.com/ssltest/analyze.html?d=kde.org&s=91.189.93.5#drownTable

Expected Results:  
no vulnerability
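
Added example, not part of the original report or of KDE's tooling: a check over a scan inventory that groups endpoints by public key and flags every endpoint sharing a key with an SSLv2-capable service, which is the key-reuse condition the description refers to. The host names, key labels and record layout are constructed for illustration.

```python
from collections import defaultdict

# Constructed scan inventory (not real data): one record per SSL/TLS endpoint.
# "spki" stands for a hash of the certificate's public key, so two different
# certificates issued for the same RSA key pair still group together.
INVENTORY = [
    {"endpoint": "www.example.test:443", "protocols": {"TLSv1.1", "TLSv1.2"}, "spki": "key-A"},
    {"endpoint": "mail.example.test:25", "protocols": {"SSLv2", "TLSv1.0"}, "spki": "key-A"},
    {"endpoint": "git.example.test:443", "protocols": {"TLSv1.2"}, "spki": "key-B"},
    {"endpoint": "old.example.test:993", "protocols": {"SSLv2"}, "spki": "key-C"},
]


def drown_exposure(inventory):
    """Map each key served by at least one SSLv2 endpoint to its findings.

    "sslv2" lists the endpoints that still accept SSLv2 with that key;
    "exposed" lists every endpoint using the key, whatever it negotiates.
    """
    by_key = defaultdict(list)
    for rec in inventory:
        by_key[rec["spki"]].append(rec)

    findings = {}
    for key, recs in by_key.items():
        sslv2 = sorted(r["endpoint"] for r in recs if "SSLv2" in r["protocols"])
        if sslv2:  # one SSLv2 service is enough to expose the whole key
            findings[key] = {
                "sslv2": sslv2,
                "exposed": sorted(r["endpoint"] for r in recs),
            }
    return findings


def exposed_via_reuse(findings):
    """Endpoints that do not offer SSLv2 themselves but share an exposed key."""
    return sorted(
        ep for f in findings.values() for ep in f["exposed"] if ep not in f["sslv2"]
    )


if __name__ == "__main__":
    result = drown_exposure(INVENTORY)
    for key, f in sorted(result.items()):
        print(key, "SSLv2 on:", f["sslv2"], "all users of key:", f["exposed"])
    print("exposed only through key reuse:", exposed_via_reuse(result))
```
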
Comment 1 Albert Astals Cid 2016-09-28 18:20:18 UTC
I guess you should use http://sysadmin.kde.org/tickets/ so that the system administrators actually see this. I'll add some people here just in case though.
Comment 2 Ben Cooksley 2016-10-17 09:28:26 UTC
We're in the process of replacing this certificate now, so I consider this issue resolved (or soon to be resolved).