Bug 368929 - SSL certificate *.kde.org is vulnerable to DROWN attack
Summary: SSL certificate *.kde.org is vulnerable to DROWN attack
Status: RESOLVED FIXED
Alias: None
Product: www.kde.org
Classification: Websites
Component: general (other bugs)
Version First Reported In: unspecified
Platform: unspecified All
: NOR normal
Target Milestone: ---
Assignee: kde-www mailing-list
URL: https://www.ssllabs.com/ssltest/analy...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-16 21:51 UTC by Thomas Bettler
Modified: 2016-10-17 09:28 UTC (History)
3 users (show)

See Also:
Latest Commit:
Version Fixed In:
Sentry Crash Report:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Bettler 2016-09-16 21:51:02 UTC 
According to https://test.drownattack.com/?site=212.110.188.12 developer.kde.org provides mail services via SSLv2 using the same SSL certificate as kde.org does.

These servers reusing the same RSA keys render the SSL encryption vulnerable to the DROWN attack. https://drownattack.com/drown-attack-paper.pdf

Reproducible: Always


Actual Results:  
see https://www.ssllabs.com/ssltest/analyze.html?d=kde.org&s=91.189.93.5#drownTable

Expected Results:  
no vulnerability
Comment 1 Albert Astals Cid 2016-09-28 18:20:18 UTC 
I guess you should use http://sysadmin.kde.org/tickets/ so that system administrator actually see this. I'll add some people here just in case though.
Comment 2 Ben Cooksley 2016-10-17 09:28:26 UTC 
We're in the process of replacing this certificate now, so I consider this issue resolved (or soon to be resolved).