
QID 38628 - Server Supports TLS 1 Severity 3

Question asked by QM_SSJ4 on Jul 11, 2016
Latest reply on Jul 27, 2016 by QM_SSJ4

I noticed this morning, after my external scans report ran, that Qualys now flags TLS 1.0 support as a Severity 3 vulnerability. Digging a little deeper, the details reference PCI DSS requirements, which originally mandated 7-1-2016 as the migration deadline but were later pushed back to 7-1-2018. Curious as to why Qualys decided to maintain the original date to elevate this QID? I also checked SSL Labs and do not see a similar penalty being enforced on that side of the house.


A little more detail than just referencing a standard: the actual risk with TLS 1.0 is its support of known vulnerable ciphers, CBC & RC4, which happen to be shared with SSLv3. I agree with the vulnerable ciphers, but they already have their own QID. Also, SSLv2/3, being almost completely broken, received their own QID, which I also agree with, but they are rated at the same severity as the new TLS 1.0 QID... seems a bit off.


Perhaps this QID was meant to be elevated later to match the PCI standard, or at the very least it has received a questionable severity rating? I'd like some clarification/thoughts around why now and why it's rated the same as SSLv2/3...
