AnsweredAssumed Answered

DROWN – Is a false positive test possible?

Question asked by Martin Klapp on Jan 16, 2018
Latest reply on Jan 16, 2018 by Bhushan Lokhande

Hey folks,

 

our site is on a shared webspace by a small hoster. When testing the site with SSLLabs we get an F because of vulnerability to the DROWN attack. With this I reached out to our hoster.

 

He confirmed that they have partially SSLv2 enabled, because some customers needed it. BUT they claim, that the SSL server test is not optimized for name based shared hosting, and shows the vulnerability as false positive. I checked some other websites that are hosted by them, and found some with a B. Additionally I run testssl with our site, which tells at the DROWN-test: "not vulnerable on this port (OK)".

 

So I'm a bit confused. Is our site vulnerable or not? Is a false positive test possible? All questions here regarding false positives proved to be errors of the questioners, but not the test itself.

 

Thanks in advance.

Outcomes