DROWNing in bad crypto

If you are still running SSL to “protect” your website at all, you need to shut it off. Yes, really.

If you have some kind of load balancer in front of your server, disable SSL on that also.

Using SSL on a mailserver? Kill it there too.

SSL is seriously broken (see: CRIME, BEAST, BREACH, FREAK, and now DROWN). It does not protect data, though it may appear to.

If you want to keep data safe, configure your system to use TLS only, enable HSTS, and accept only strong cipher suites. Sound complicated? It’s really not.

Here are some configuration examples to get you rolling.
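The following nginx server block is an added example, not configuration from the original post: it shows the weak setting beside the hardened one for each of the three points above (TLS only, HSTS, strong ciphers). The hostname and certificate paths are placeholders. One DROWN-specific caveat worth keeping in mind: the attack works against any host that still offers SSLv2 with the same RSA key, so a hardened web server is only as safe as the mail server or load balancer that shares its certificate.

```nginx
# WEAK (do not use): still offers SSLv3 and legacy TLS, and lets the client
# choose the cipher suite. Shown only for contrast with the block below.
#
# server {
#     listen 443 ssl;
#     ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
#     ssl_ciphers HIGH:!aNULL:!MD5;
# }

# HARDENED: TLS only, forward-secret AEAD ciphers, HSTS.
server {
    listen 443 ssl;
    server_name example.com;                                  # placeholder hostname

    ssl_certificate     /etc/ssl/certs/example.com.pem;       # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;     # placeholder path

    # 1. TLS only. No SSLv2/SSLv3 at all; TLS 1.0/1.1 are dropped as well.
    #    TLSv1.3 needs nginx 1.13.0+ linked against OpenSSL 1.1.1+; on an
    #    older build list only TLSv1.2 here.
    ssl_protocols TLSv1.2 TLSv1.3;

    # 2. Strong cipher suites only: ECDHE key exchange (forward secrecy) with
    #    AES-GCM or ChaCha20-Poly1305. No RC4, no 3DES, no CBC, no export suites.
    #    The server's preference order wins over the client's.
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
    ssl_prefer_server_ciphers on;

    # 3. HSTS: browsers that have seen this header refuse plaintext HTTP for
    #    this host for one year. "always" (nginx 1.7.5+) sends it on error
    #    responses too. Only ever emit it over HTTPS, and only add
    #    includeSubDomains once every subdomain is actually served over TLS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    root /var/www/example.com;                                # placeholder path
}

# Plain HTTP exists only to redirect to HTTPS so that HSTS can take hold.
server {
    listen 80;
    server_name example.com;                                  # placeholder hostname
    return 301 https://$host$request_uri;
}
```

After reloading, verify from another machine that the legacy handshakes are refused: `openssl s_client -connect example.com:443 -tls1` should fail, while `openssl s_client -connect example.com:443 -tls1_2` completes and reports one of the ECDHE suites listed above. Apply the same protocol and cipher restrictions to the load balancer and to the mail server's STARTTLS configuration, since a single host still answering SSLv2 with the shared key undoes all of this.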

TL;DR:

(summary image, originally embedded from imgur.com, not available)