"This server is vulnerable to a DROWN attack. Disable the SSLv2 protocol on the server."
Researchers uncovered the DROWN vulnerability in SSL v2. DROWN stands for Decrypting RSA with Obsolete and Weakened eNcryption. It affects HTTPS and other services that rely on SSL and TLS protocols.
Attackers can use the DROWN vulnerability to break the encryption used to protect your sensitive data from prying eyes. If the encryption is broken, attackers can read or steal your sensitive communications (e.g., passwords, financial data, and emails). In some situations, attackers may also be able to impersonate trusted websites.
Although the SSL 2.0 protocol was disavowed in 1996 due to known security flaws, some servers are still using it. Well-known vulnerabilities/security flaws are:
Disable SSL 2.0 on servers or services that still support SSL v2.
For OpenSSL, the easiest solution is to upgrade to recently released versions of OpenSSL.
If you're still using one of the older (no longer supported) versions of OpenSSL, upgrade to a supported newer version.
If you're using IIS 7 or newer, SSL v2 is disabled by default. If you manually enabled support for SSL v2, go back and disable it. If you are running an older (no longer supported) version of IIS, then upgrade to IIS version 7 or newer.
If you are using NSS 3.13 or newer, SSL v2 is disabled by default. If you manually enabled support for SSL v2, you need to go back and disable it. If you are using an older version of NSS, upgrade to NSS 3.13 or newer.
If your servers support SSL v2, disable support for it.
DigiCert is the world's leading provider of scalable TLS/SSL, IoT and PKI solutions for identity and encryption. The most innovative companies, including 89% of the Fortune 500 and 97 of the 100 top global banks, choose DigiCert for its expertise in identity and encryption for web servers and Internet of Things devices. DigiCert supports TLS and other digital certificates for PKI deployments at any scale through its certificate lifecycle management solution, CertCentral®. The company is recognized for its enterprise-grade certificate management platform, fast and knowledgeable customer support, and market-leading security solutions. For the latest DigiCert news and updates, visit digicert.com or follow @digicert.
©2020 DigiCert, Inc. All rights reserved. DigiCert, its logo and CertCentral are registered trademarks of DigiCert, Inc. Norton and the Checkmark Logo are trademarks of NortonLifeLock Inc. used under license. Other names may be trademarks of their respective owners.