10809 Views 4 Replies Latest reply: Jul 19, 2012 7:25 AM by Ivan Ristic RSS
Philip Wigg Lurker 3 posts since
Jul 12, 2012
Jul 12, 2012 3:52 AM

PCI Failure for CVE-2011-3389 (BEAST Attack)

Hi,

A security company has recently failed our PCI compliance test on CVE-2011-3389 (BEAST attack). The tool at SSL Labs reports we are *not* vulnerable to BEAST.

The Apache options I have in place are recommended by Qualys to mitigate this attack:-

SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH

Even with this in place, we have still failed with the security company.

The security company's recommendations to fix are:-

1) Configure SSL/TLS servers to only use TLS 1.1 or TLS 1.2 if supported.
2) Configure SSL/TLS servers to only support cipher suites that do not use block ciphers. Apply patches if available.

Obviously 1) is not really an option since it would make the site inaccessible for most users, but I thought prioritising RC4 above block ciphers would be enough to pass on 2).

But they seem to be saying that we should disable block ciphers entirely, as opposed to prioritising RC4 above CBC as per the Qualys recommendations.

Is it valid to fail us on this? Is disabling block ciphers entirely really a requirement for PCI compliance?

I would really appreciate some feedback on this since what the security company is recommending seems to be at odds with everything I've read about this subject.

Regards,

Philip Wigg
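The difference between the two positions in the post (prioritising RC4 with SSLHonorCipherOrder versus removing CBC suites altogether) comes down to which suite the server ends up negotiating with a given client. The following is an added illustration, not code from the post or from Qualys: a small model of OpenSSL-style cipher-string expansion and server/client suite selection, used to check whether a TLS 1.0 client could still end up on a CBC suite. The cipher table and the HIGH/ADH alias expansions are constructed subsets for illustration; the real list for a given build comes from `openssl ciphers -v`.

```python
CIPHER_KIND = {               # OpenSSL cipher name -> symmetric cipher type
    "RC4-SHA": "stream",
    "RC4-MD5": "stream",
    "AES256-SHA": "cbc",
    "AES128-SHA": "cbc",
    "DHE-RSA-AES256-SHA": "cbc",
    "DES-CBC3-SHA": "cbc",
    "ADH-AES256-SHA": "cbc",  # anonymous DH, the kind !ADH strips out
}

# Constructed alias table (a subset of what a 2012-era OpenSSL expands to).
ALIASES = {
    "HIGH": ["AES256-SHA", "DHE-RSA-AES256-SHA", "ADH-AES256-SHA",
             "DES-CBC3-SHA", "AES128-SHA"],
    "ADH": ["ADH-AES256-SHA"],
}


def expand_cipher_string(spec):
    """Expand an SSLCipherSuite string into an ordered suite list, using a subset
    of OpenSSL's rules: ':'-separated tokens, aliases, and '!' to exclude."""
    result, banned = [], set()
    for token in spec.split(":"):
        if token.startswith("!"):
            banned.update(ALIASES.get(token[1:], [token[1:]]))
            continue
        for name in ALIASES.get(token, [token]):
            if name not in result:
                result.append(name)
    return [c for c in result if c not in banned]


def negotiate(server_list, client_offer, honor_server_order):
    """Return the suite a handshake settles on (None = no common suite)."""
    first, second = (server_list, client_offer) if honor_server_order else (client_offer, server_list)
    for suite in first:
        if suite in second:
            return suite
    return None


def beast_exposed(server_spec, client_offer, honor_server_order=True):
    """True when a TLS 1.0 client with this offer would land on a CBC suite."""
    chosen = negotiate(expand_cipher_string(server_spec), client_offer, honor_server_order)
    return chosen is not None and CIPHER_KIND[chosen] == "cbc"


if __name__ == "__main__":
    browser = ["AES128-SHA", "RC4-SHA"]          # constructed client offer
    print("browser, order honoured:", beast_exposed("RC4-SHA:HIGH:!ADH", browser))
    print("CBC-only probe:", beast_exposed("RC4-SHA:HIGH:!ADH", ["AES128-SHA"]))
```

With the post's configuration a browser that offers RC4 is steered onto RC4-SHA, but a probe that offers only CBC suites still negotiates one, which is the behaviour recommendation 2) targets; a stream-cipher-only string makes that probe fail the handshake instead.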
