Today, a warning for Windows Home Server users: it seems that many subdomains hosted under Microsoft’s homeserver.com domain are vulnerable to DROWN attacks.
Last week, a vulnerability in the TLS protocol was uncovered; Ars Technica has written about that topic here. A brief description may be found here, and drownattack.com contains a few more details. Users hosting a website or running a web server may use https://test.drownattack.com to test whether it is vulnerable. Yesterday I blogged about DROWN and a German incident in my German blog (Erste Opfer der Drown-Sicherheitslücke: Server4You-Kunden). A few hours later I received a short e-mail from a blog reader, telling me to have a look at Microsoft’s homeserver.com domain.
The screenshot shown above reveals a list of sub-domains hosted at homeserver.com (from Windows Home Server users) and using HTTPS that are vulnerable to DROWN attacks. Some sub-domains are also vulnerable to eavesdropping attacks and offer SSLv2 export ciphers.
Browsers like Google Chrome, Firefox and Internet Explorer issue a big warning that the sites are not safe. Perhaps Microsoft should send a warning to all users with a sub-domain at homeserver.com.