A security company has recently failed our PCI compliance test on CVE-2011-3389 (BEAST attack). The tool at SSL Labs reports we are *not* vulnerable to BEAST.
The Apache options I have in place are recommended by Qualys to mitigate this attack:-
Even with this in place, we have still failed with the security company.
The security company's recommendations to fix are:-
1) Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
2) Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available.
Obviously 1) is not really an option since it would make the site inaccessible for most users but I thought prioritising RC4 above block ciphers would be enough to pass on 2).
But they seem to be saying that we should disable block ciphers entirely as opposed to prioritising RC4 above CBC as per the Qualys recommendations.
Is it valid to fail us on this? Is disabling block ciphers entirely really a requirement for PCI compliance?
I would really appreciate some feedback on this since what the security company is recommending seems to be at odds with everything I've read about this subject.
As far as I am aware, the PCI standard does not explicitly specify what "secure" means in the context of SSL, leaving it to assessors (who have a much better understanding of the environment) to make the right decision. In your case, the decision was obviously to go with 100% security and recommend disabling all CBS suites. The SSL Labs test is more forgiving, allowing for a fall-back to CBC suites for those clients that do not support RC4.
I think that, in practice, the difference between RC4 prioritization and supporting only RC4 is very small. Prompted by your question, I looked in our logs and determined that only %0.013 of SSL Labs clients did not support RC4. I would still recommend that you support CBC suites for TLS 1.1 and better.
Thanks Ivan for your reply.
I believe that the security company was using a product called McAfee Secure and it was this which demands that only RC4 ciphers are enabled for TLS 1.0.
I guess a lot more people might find themselves failing their PCI compliance tests now?
My view is this seems a little unforgiving and that allow CBC ciphers as a fall-back is reasonable given the very limited applicability of BEAST in the real world.
I found this article from Akamai quite interesting as it points out that RC4 is not a FIPS compliant protocol as FIPS considers RC4 to be insecure.
So users with FIPS compliant desktops might find themselves unable to access websites that only allow RC4.
I think this is something that anyone considering limiting their cipher suite to RC4 only should take into account.
I wonder if you can see many BlackBerry devices in your SSL logs? I can see they claim FIPS compliance so I wonder if they can't use RC4?
There is a small number of BlackBerry clients in the logs (it seems that some are using the native browser, and some Opera), and I see them supporting RC4. Perhaps FIPS compliance is a configuration setting?