Tuesday 23 May 2017

More fun with PCIDSS

It's time to do my quarterly PCI DSS check. And it came back FAIL! Rats. I'm going to have to do something.

The problem is, people keep finding vulnerabilities in encryption systems. The venerable SSL2 and SSL3 are already a no-no. Now TLS 1.0 is anathema too, and we can only use TLS 1.1 and 1.2. Well, it's easy for me to tell my Secure Server not to accept the abhorrent ones. So, if you're using Apache:

SSLProtocol all -SSLv2 -SSLv3 -TLSv1

More recently (at the end of 2016) a new thing called Sweet32 (vulnerabilities all have cute names now, like CRIME, FUBAR and POODLE) was discovered, which makes any use of DES, triple-DES included, unacceptable. DES (Data Encryption Standard) used to be the gold standard for crypto; triple-DES triply so. But now it's an abomination unto the industry. So, if you're using Apache:

SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS

And let's hope that all the browsers out there know these more recent ciphers, because if they don't, they won't be able to use my Secure Server.
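To see what those two directives actually switch on, here is an added example (my own code, not part of the original post) that feeds the post's SSLCipherSuite string to the OpenSSL that Python's ssl module links against and lists which enabled suites a Sweet32-style scan would still flag. The list of "weak" name markers is my assumption of what such a check looks for.

```python
from __future__ import annotations
import ssl

# The SSLCipherSuite value from the post, verbatim.
PAGE_SUITE = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:"
              "DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS")

# Substrings of OpenSSL cipher names that a quarterly scan fails on.
# Assumption: DES/3DES and IDEA are the 64-bit block ciphers hit by Sweet32;
# RC4, MD5, NULL, export and anonymous-DH suites are the older findings.
WEAK_MARKERS = ("DES", "IDEA", "RC4", "MD5", "NULL", "EXP", "ADH", "AECDH")


def is_weak(cipher_name: str) -> bool:
    """Name-based check: does this OpenSSL cipher name carry a weak marker?"""
    upper = cipher_name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def expand(cipher_string: str) -> list[str]:
    """Ask OpenSSL which suites a cipher string really enables.

    set_ciphers() governs TLS 1.2 and below; OpenSSL appends its TLS 1.3
    suites on top, none of which carry a weak marker.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def audit(cipher_string: str) -> list[str]:
    """Return the enabled suites that would fail the scan (empty means pass)."""
    return [name for name in expand(cipher_string) if is_weak(name)]


def build_context() -> ssl.SSLContext:
    """Python equivalent of the post's two Apache directives:
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 and SSLCipherSuite PAGE_SUITE."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_1  # SSL and TLS 1.0 refused
    ctx.set_ciphers(PAGE_SUITE)
    return ctx


if __name__ == "__main__":
    print("enabled suites:", expand(PAGE_SUITE))
    print("suites a scan would flag:", audit(PAGE_SUITE))
```

Run it against any candidate string before editing the Apache config; an empty "flag" list is what you want, and a string that matches nothing at all raises ssl.SSLError rather than silently enabling defaults.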

I did a test with the Qualys tester, and I got an A rating. Same as Amazon and Google, so I'm happy.

2 comments:

  1. Don't want to worry you, but I got an A rating on my website and it isn't even secure!!

  2. All I want is PCIDSS certification and a Qualys A rating.

    Why do you think your site isn't secure?