Tuesday 15 December 2015

More PCIDSS fun

It was time for my quarterly security check for the PCI DSS. So I set up the scan.

Several hours later (it usually takes under an hour) the result came back: FAIL!

Urghh. This means work for me. The problem was the version of OpenSSL that I was using: it was 1.0.2d, and a recently discovered vulnerability meant that I should be using 1.0.2e.

This keeps happening. Pretty much every time I do my quarterly scan, another vulnerability has been found in OpenSSL, and I have to get the most recent version, download it, compile it, rebuild my copy of Apache (the web server) and reinstall it.

It passed the retest, hurrah!

Now think of this.

1. 80% of companies are not PCI DSS compliant. Of those that are, each time a new OpenSSL vulnerability is discovered, there's a window during which most web sites using OpenSSL are vulnerable.

2. Why are there so many holes in OpenSSL, a program that is key to the security of a truly vast number of web sites?

3. When I interrogate PayPal and look at the headers, the first thing I see is an X-Recruiting header reading "If you are reading this, maybe you should be working at PayPal instead! Check out", which is really funny! I also see this: "Server: Apache".

4. When I look at my server, I see: "Server: Apache/2.4.16 (Unix) OpenSSL/1.0.2e". Maybe I should tighten that up and be more like PayPal? Is there any good reason why I should let the world know what version of Apache and OpenSSL I'm using? So I edited the Apache config file, added "ServerTokens ProductOnly", and now my server responds with "Server: Apache".

And now I'm retesting the server, to be sure that the PCI DSS tester is OK with that.
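As an added example (not from the original post), here are the Apache directives behind the banner change described above, plus a small offline check you can run against captured response headers to confirm that the Server header no longer names any product versions. The response headers in the script are constructed for the demo; in practice you would capture them with `curl -sI` against your own host. One caveat worth keeping in mind: trimming the banner only removes the advertisement of the version, it does not remove the vulnerability, and a PCI scanner can still fingerprint OpenSSL by behaviour. The upgrade to 1.0.2e is the actual fix; the banner change is hygiene on top of it.

```shell
#!/bin/sh
# Added example, not from the original post: the Apache directives that shrink the
# Server banner, and an offline check that a captured banner no longer names
# product versions. All header text below is constructed for this demo.

# Apache configuration (httpd.conf or a conf.d file). "ServerTokens ProductOnly"
# is the directive the post uses and turns "Apache/2.4.16 (Unix) OpenSSL/1.0.2e"
# into "Apache". "ServerSignature Off" also drops the version footer from
# Apache-generated error pages, which otherwise discloses the same information.
APACHE_HARDENING='ServerTokens ProductOnly
ServerSignature Off'

# Constructed response headers, as they would be captured with:
#   curl -sI https://www.example.com/
RESPONSE_BEFORE='HTTP/1.1 200 OK
Server: Apache/2.4.16 (Unix) OpenSSL/1.0.2e
Content-Type: text/html'
RESPONSE_AFTER='HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html'

# extract_server_header RAW_HEADERS
# Prints the value of the Server header (case-insensitive name, CR stripped).
# Isolating this line matters: "HTTP/1.1" in the status line would otherwise
# match the version pattern used below.
extract_server_header() {
    printf '%s\n' "$1" | tr -d '\r' \
        | sed -n 's/^[Ss][Ee][Rr][Vv][Ee][Rr]:[[:space:]]*//p'
}

# list_versioned_products SERVER_VALUE
# Prints one "Product/version" token per line, e.g. "OpenSSL/1.0.2e".
# Exits 0 even when nothing matches so it is safe under "set -e".
list_versioned_products() {
    printf '%s\n' "$1" | grep -Eo '[A-Za-z][A-Za-z0-9_-]*/[0-9][0-9A-Za-z.]*' || true
}

# server_header_leaks_version RAW_HEADERS
# Exit 0 if the Server header names any product version, 1 if it does not.
server_header_leaks_version() {
    _v=$(extract_server_header "$1")
    [ -n "$(list_versioned_products "$_v")" ]
}

# Demo: report each constructed response the way a banner check would.
for r in "$RESPONSE_BEFORE" "$RESPONSE_AFTER"; do
    if server_header_leaks_version "$r"; then
        echo "LEAK: $(extract_server_header "$r")"
        list_versioned_products "$(extract_server_header "$r")" | sed 's/^/  discloses /'
    else
        echo "OK:   $(extract_server_header "$r")"
    fi
done
```

To check a live host, replace the constructed variables with `curl -sI https://your.host/` output; the "LEAK" branch lists exactly which components (web server, TLS library) the banner is advertising, which is the information a scanner or an attacker would otherwise get for free.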

There's another open source SSL implementation, LibreSSL, but it's only been around for a year or so, I think I'll wait and see.

And, by the way, governments are asking for there to be backdoors in encryption systems.

I boggle.
