Friday 11 May 2012

Fun with servers part two

Well, after 13 hours, the scan still hadn't completed, so I contacted them the next morning. It turns out that they had a problem at their end. I guess their server was down.

So I started the scan again, and ... it worked, but my server failed the test. There was a great wailing and gnashing of teeth, and then I did more research into the BEAST vulnerability. And I came up with a different configuration to handle the BEAST (and also handle another problem that changing servers had thrown up, the TRACE vulnerability, but that's easy to handle). And that didn't work. And I did a lot more research and thinking, and now I think I really understand the issue, but my third try didn't work either.

At that point, I was feeling really bad about this. I've spent two days, mostly on this one problem, and still no solution.

So I trawled round the internet again, and I came up with a wonderful discovery - there's a web site that will test your Secure Server for vulnerabilities, free of charge, use it as much as you like. I say wonderful, because one of the problems I was wrestling with is that I pay for these tests, and I only have ten to use, with four servers to test. So I can afford just five failing tests on my secure server and then things get tight. And also, each test was taking an hour or two (because they only do a full server test). The site I found did it in half a minute!

And the second break I got, was I noticed what I was doing wrong - I'd done the change in Apache globally, but not in the virtual server that was the Secure Server. So I fixed that, tried it out with ssllabs, and it worked! Let joy be unconfined. Calloo, callay.
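An added check for exactly that mistake (not the post's own code): a small Python script that parses a constructed Apache httpd.conf and reports any SSL virtual host whose own SSLProtocol, SSLCipherSuite, SSLHonorCipherOrder or TraceEnable line differs from the server-wide one, because a directive inside `<VirtualHost>` silently overrides the global setting. The config text and host name are constructed for the example; the parser is deliberately minimal (no Include, no nested sections).

```python
# Constructed sample httpd.conf (not the post's real config): hardening is set
# at server (global) scope, but the SSL vhost still has its own SSLProtocol and
# SSLCipherSuite lines, which silently win over the global ones.
SAMPLE_CONFIG = """
TraceEnable off
SSLProtocol all -SSLv2 -SSLv3 -TLSv1
SSLHonorCipherOrder on
SSLCipherSuite HIGH:!aNULL:!MD5
<VirtualHost *:443>
    ServerName secure.example.test
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:RC4+RSA:+HIGH:+MEDIUM:+LOW
</VirtualHost>
"""

# Directives whose value inside <VirtualHost> overrides the global one.
HARDENING = ("SSLProtocol", "SSLCipherSuite", "SSLHonorCipherOrder", "TraceEnable")

def parse_config(text):
    """Minimal parser (no Include, no nested sections): global dict plus one dict per vhost."""
    global_scope, vhosts, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.lower().startswith("<virtualhost"):
            current = {"name": "<unnamed>", "directives": {}}
        elif line.lower().startswith("</virtualhost"):
            vhosts.append(current)
            current = None
        else:
            key, _, value = line.partition(" ")
            scope = current["directives"] if current else global_scope
            scope[key] = value.strip()
            if current and key == "ServerName":
                current["name"] = value.strip()
    return global_scope, vhosts

def audit(text):
    """Return (vhost, directive, vhost_value) where an SSL vhost's own directive differs from the global one."""
    global_scope, vhosts = parse_config(text)
    findings = []
    for vh in vhosts:
        d = vh["directives"]
        if d.get("SSLEngine", "").lower() == "on":
            for key in HARDENING:
                if key in d and d[key] != global_scope.get(key):
                    findings.append((vh["name"], key, d[key]))
    return findings
```

Every finding is a place where the global change never reached the virtual host; the fix is to remove the vhost-level line or make it match.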

So I was able to get my Secure Server properly certified. And, before I had a chance to do the other servers (which I was almost sure would pass, since I've got the Secure Server through), Ann came to me and said "Can we do the online tax now?" which I fancied doing about as much as I do having a long blunt needle stuck into my right thigh (which will be happening on the 17th). But I knew that if I shirked this, she'd be unhappy, so I did it.

A couple of hours later, the online tax was done (they don't make it easy unless everything is perfectly standard, which it rarely is), and I could get back to PCI DSS certification, and as I thought, the other three passed easily.

So then I got a communication from someone in the industry. Apparently, the major banks are refusing to deal with the BEAST. They're leaving ciphers in place which can be cracked by the BEAST, and hoping that it doesn't actually happen, which it probably won't. But it's an interesting situation where the big credit card processors are deliberately refusing to pass the Payment Card Industry Data Security Standard.

Which brings me back to what I said in my previous blog. Security theater.

 ... so I tested the server run by Barclays. "This server is vulnerable to MITM attacks because it supports insecure renegotiation"
