Drown: homeserver.com sub-domains are vulnerable

Today, a warning for Windows Home Server users: it seems that many sub-domains hosted under Microsoft's homeserver.com domain are vulnerable to Drown attacks.


Last week a vulnerability in the TLS protocol was uncovered – Ars Technica has written about that topic here. A brief description may be found here, and drownattack.com contains a few more details. Users hosting a website or running a web server can use https://test.drownattack.com to test for the vulnerability. Yesterday I blogged about Drown and a German incident in my German blog (Erste Opfer der Drown-Sicherheitslücke: Server4You-Kunden). A few hours later I received a short e-mail from a blog reader, telling me to have a look at Microsoft's homeserver.com domain.

Drown Attack

The screenshot shown above reveals a list of sub-domains hosted at homeserver.com (belonging to Windows Home Server users) that use https and are vulnerable to Drown attacks. Some sub-domains are also vulnerable to eavesdropping attacks and exporting SSLv2 ciphers.

Browsers like Google Chrome, Firefox and Internet Explorer issue a big warning that the sites are not safe. Perhaps Microsoft should send a warning to all users with a sub-domain at homeserver.com.


