Bug 368929 - SSL certificate *.kde.org is vulnerable to DROWN attack
Summary: SSL certificate *.kde.org is vulnerable to DROWN attack
Status: RESOLVED FIXED
Alias: None
Product: www.kde.org
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Platform: unspecified All
: NOR normal (vote)
Target Milestone: ---
Assignee: kde-www mailing-list
URL: https://www.ssllabs.com/ssltest/analy...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-16 21:51 UTC by Thomas Bettler
Modified: 2016-10-17 09:28 UTC (History)
3 users (show)

See Also:
Latest Commit:
Version Fixed In:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Bettler 2016-09-16 21:51:02 UTC
According to https://test.drownattack.com/?site=212.110.188.12 developer.kde.org provides mail services via SSLv2 using the same SSL certificate as kde.org does.

These servers reusing the same RSA keys render the SSL encryption vulnerable to the DROWN attack. https://drownattack.com/drown-attack-paper.pdf

Reproducible: Always


Actual Results:  
see https://www.ssllabs.com/ssltest/analyze.html?d=kde.org&s=91.189.93.5#drownTable

Expected Results:  
no vulnerability
Comment 1 Albert Astals Cid 2016-09-28 18:20:18 UTC
I guess you should use http://sysadmin.kde.org/tickets/ so that system administrator actually see this. I'll add some people here just in case though.
Comment 2 Ben Cooksley 2016-10-17 09:28:26 UTC
We're in the process of replacing this certificate now, so I consider this issue resolved (or soon to be resolved).