Stop honoring requests to completely hide from scans

Question asked by Dave Garrett on Mar 18, 2015
Latest reply on Mar 23, 2015 by Vlad Gotom

Apparently Qualys SSL Scan can be fully opted out of by sites, to the point where the server test refuses to scan a domain. This is very sleazy. Sites should not be able to keep people from looking at publicly checkable security information. It's reasonable to request throttling of checks, possibly to as low as once a week, but silencing it altogether is just wrong. I ask that Qualys please re-evaluate this policy.


The specific case I hit was attempting to diagnose a connection issue from one of Citibank's domains. A major bank should not be trying to hide its security, nor should Qualys be enabling this. Checking its ciphers using the 'sslscan' command line utility (easily installed via package manager in Ubuntu) let me see that the issue was that it is RC4-only. I also managed to find a competing web service that does scan them and also shows RC4-only (though it's wrong when scanning version support, which I verified via openssl command).


Please fix the server test to work without volunteering to be censored.
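The check the poster describes (confirming with the openssl command line that a server only negotiates RC4, and which protocol versions it accepts) can be scripted against your own hosts. This is an added example, not code from the original post or from Qualys; the host and port are placeholders, and `probe`, `classify`, `check_host` and `supported_versions` are names chosen here. It assumes a local `openssl` binary with `s_client`.

```sh
#!/bin/sh
# Added example (not part of the original post): probe a TLS endpoint's
# RC4 and protocol-version support with openssl s_client, then classify.

# probe HOST PORT CIPHERLIST PROTOFLAG -> prints "ok" or "fail"
# -cipher restricts what the client offers, so a failed handshake means the
# server accepts nothing from that list at that protocol version.
probe() {
  host=$1; port=$2; ciphers=$3; proto=$4
  if printf '' | openssl s_client -connect "$host:$port" -servername "$host" \
        $proto -cipher "$ciphers" >/dev/null 2>&1; then
    echo ok
  else
    echo fail
  fi
}

# classify NON_RC4_RESULT RC4_RESULT -> verdict string
# First argument: result of offering every suite except RC4.
# Second argument: result of offering only RC4 suites.
classify() {
  case "$1/$2" in
    ok/ok)   echo "rc4-enabled" ;;   # RC4 accepted alongside stronger suites
    fail/ok) echo "rc4-only" ;;      # the situation the poster diagnosed
    ok/fail) echo "rc4-disabled" ;;  # the desired state
    *)       echo "unreachable-or-no-common-suite" ;;
  esac
}

# check_host HOST [PORT] [PROTOFLAG] -> runs both probes and prints the verdict
check_host() {
  host=$1; port=${2:-443}; proto=${3:--tls1_2}
  classify "$(probe "$host" "$port" 'ALL:!RC4' "$proto")" \
           "$(probe "$host" "$port" 'RC4' "$proto")"
}

# supported_versions HOST [PORT] -> prints each protocol flag the server
# accepts with any cipher (only versions the local openssl build supports
# can show up here, so absence of -ssl3 may reflect the client, not the server).
supported_versions() {
  host=$1; port=${2:-443}
  for proto in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
    [ "$(probe "$host" "$port" 'ALL:@SECLEVEL=0' "$proto")" = ok ] && echo "$proto"
  done
}

# Usage: sh rc4check.sh example.com 443   (placeholder host)
if [ "$#" -gt 0 ]; then
  echo "verdict: $(check_host "$@")"
  echo "versions:"; supported_versions "$@"
fi
```

On OpenSSL 3 builds the RC4 suites live in the legacy provider, so the client itself will refuse to offer them unless you add `-provider legacy -provider default` and `@SECLEVEL=0` to the cipher string; without that, the RC4 probe reports `fail` for client-side reasons and the verdict is meaningless. Verify the client can still complete a plain handshake before trusting a `rc4-disabled` result.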
