DROWN (SSL) Attack Vulnerabilities



Beck38
06-14-2016, 08:03 PM
There seems to have been little (if any) coverage of this on Usenet; in particular, no press releases or FAQ updates on any of the Usenet servers. There are sites that will test if the 'fix' has been applied, but it appears that they don't fully work.

I ran into this the other day while testing out my account at Blocknews, where SSL wouldn't work with any of my usual Usenet PD software (SABnzbd et al.). They all work at Giganews, which HAS updated, according to the check sites (but no FAQ changes or press release to denote that, just a couple of blog entries).

My guess is that, just like typical programmers who believe they can 'do no wrong', they simply updated their s/w and blithely went on about their business without actually checking that it 'worked'. There are, apparently, some Usenet apps out there that won't work with the 'fixes'.

BlockNews
06-14-2016, 09:58 PM
Hi Beck. Yes, SSL was updated to TLSv1.2 recently and SSLv2 removed, which is what broke certain older newsreaders, although you are the first to mention SABnzbd won't connect, unless you are on an older version? Does Giganews still have SSLv2 with TLS active? If so, this would still allow the DROWN vulnerability yet still allow older newsreaders to work, since they would not be forced to TLSv1.2. To be honest, I don't know if sites like https://drownattack.com/#check can check accurately or not, since NNTPS is being run instead of HTTPS, which is what it is looking for. Maybe it would throw false positives? I don't really know.

Beck38
06-15-2016, 02:05 AM
That 'DROWN' detector site does report that Giganews has been 'patched', and there are GN 'Blog' entries that 'confirm' it, but no actual GN OPNS folks responded to them and verified that they had. Again, no press release or any other thumbs up/down on their site, or indeed any other.

I ran several other Usenet server sites through that detector site, and got no response on any of them. I'm going through a few of them, trying to find any site that has given their users a 'heads up', and so far... nada.

If it wasn't for some of the tech sites having articles on this problem, I'd have never known it existed...

BlockNews
06-15-2016, 02:56 AM
I ran several other usenet server sites through that detector site, and got no response on any of them.


I believe that test site, like many others, hard codes the port into the test, most likely 443. You would need to find a test service that allows you to specify a custom port, hopefully 563.
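One way to do the port-specific check BlockNews describes, as an added example that is not code from this thread or from any of the providers named: the probe pins a client handshake to one TLS version at a time against an explicit host and port (563, NNTPS, by default instead of the 443 a web-oriented checker assumes) and reports which versions the server accepts. It assumes a host you operate or are authorised to test; `news.example.invalid` is a placeholder. Two caveats belong with it: a modern OpenSSL cannot speak SSLv2 at all, so this can confirm that a port refuses the legacy versions it can still negotiate (TLS 1.0/1.1) but cannot itself exercise the SSLv2 handshake DROWN abuses; and DROWN is cross-protocol, so a server stays exposed if SSLv2 is reachable on any port that shares the same RSA key, which is why a check confined to a single port is never a complete answer. The `handshake` parameter is injectable so the verdict logic can be exercised offline without a network.

```python
"""Probe which TLS protocol versions a TLS port (NNTPS on 563 by default) accepts."""
import socket
import ssl

# Oldest first. SSLv2/SSLv3 are deliberately absent: a current OpenSSL/Python
# cannot speak them, so this probe cannot exercise the SSLv2 handshake itself.
PROBE_VERSIONS = (
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
)

# Anything below TLS 1.2 counts as legacy for the verdict.
LEGACY = frozenset({ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1})


def try_handshake(host, port, version, timeout=5.0):
    """Return True if the server completes a handshake pinned to exactly `version`.

    Certificate verification is switched off on purpose: the question asked here
    is "which protocol versions does this port accept", not "do I trust this peer".
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        # The local OpenSSL refuses even to configure this version (e.g. TLS 1.0
        # compiled out), so it cannot be negotiated from this client.
        return False
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False


def survey(host, port=563, handshake=try_handshake):
    """Map each probe version to whether host:port accepted it.

    `port` defaults to 563 (NNTPS). `handshake` is injectable so the logic
    can be run without network access (used by the offline self-check).
    """
    return {v: handshake(host, port, v) for v in PROBE_VERSIONS}


def assess(results):
    """Turn a survey into (verdict string, set of accepted legacy versions)."""
    accepted = {v for v, ok in results.items() if ok}
    legacy_accepted = accepted & LEGACY
    if not accepted:
        return "no TLS handshake completed (wrong port, firewall, or plain-text only?)", set()
    if legacy_accepted:
        names = ", ".join(sorted(v.name for v in legacy_accepted))
        return f"legacy protocol versions still accepted: {names}", legacy_accepted
    return "only TLS 1.2+ accepted", set()


def report(host, port=563, handshake=try_handshake):
    """Human-readable summary, one line per probed version plus the verdict."""
    results = survey(host, port, handshake)
    verdict, _ = assess(results)
    lines = [f"{host}:{port}"]
    lines += [f"  {v.name:<8} {'accepted' if ok else 'refused'}" for v, ok in results.items()]
    lines.append(f"  verdict: {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    # Placeholder hostname; pass a server you operate as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "news.example.invalid"
    print(report(target, 563))
```

Run it as `python probe.py news.yourprovider.example` and read the verdict line: "only TLS 1.2+ accepted" is what a provider that removed SSLv2 and moved to TLSv1.2 should show, and it is also the explanation for an older newsreader that suddenly cannot connect, since that client is being refused everything it knows how to speak.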