Staying afloat: the DROWN Attack and CloudFlare

On March 1st, 2016, John Graham-Cumming announced that CloudFlare customers are automatically protected against the DROWN Attack due to their lack of SSLv2 enabled on servers. The company's SSL configuration is published for others to use and currently accepts TLS 1.0, 1.1, and 1.2. They are proactively testing customers' origin web servers for vulnerabilities and will reach out to those with vulnerable servers. In the meantime, users should ensure that SSLv2 is fully disabled or private keys are not shared with servers still needing SSLv2.