funsec mailing list archives

PCI DSS and BEAST


From: Drsolly <drsollyp () drsolly com>
Date: Sat, 12 May 2012 19:28:35 +0100 (BST)

I just spent two effortful days getting my Secure Server to pass the PCI
DSS. The big problem is the BEAST vulnerability. And it's a corker. What
you have to do to get your certification, is disable most of the strong
crypto that you accept, and only accept some of the weaker ones (a bit of
research on the web will give you that info).

Having done that, and gotten my certification renewed, my QA told me that
some of the big banks haven't passed the PCI DSS tests.

So, naturally, I did my own test. The site I tested (and it's a biggie)
seems to be vulnerable to MITM attacks.

So here's a freebie to any journos reading this list. Choose a few banks,
give their Secure Server domain name to a PCI DSS testing facility, and
see if they pass the standard test.

But only do that if it's legal to do so in the place where you live.


_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
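The post describes the trade-off without naming a single cipher suite: to clear a BEAST finding on a server that only speaks SSL 3.0/TLS 1.0, you drop the CBC suites, and what remains is RC4. The script below is an added illustration, not code from the post or from any PCI tool. It classifies cipher suites by mode using OpenSSL/IANA naming (AEAD modes and RC4 are spelled out in the name; every other block-cipher suite in those naming schemes is CBC), reports which suites are exposed given the protocol versions a server has enabled, and shows what is left once CBC is removed. The cipher list and protocol set are constructed to resemble a 2012-era Apache `SSLCipherSuite`.

```python
"""Audit an OpenSSL/Apache-style cipher list for BEAST exposure.

Added example, not code from the funsec post. The cipher list and protocol
set below are constructed. Classification follows OpenSSL cipher-suite
naming: AEAD modes (GCM, CCM, CHACHA20-POLY1305) and the RC4 stream cipher
appear in the name, and every remaining block-cipher suite is CBC mode.
"""

# Protocol versions on which CBC suites are exposed to BEAST: SSL 3.0 and
# TLS 1.0 chain the IV of a record from the last block of the previous one.
# TLS 1.1 and later send a fresh explicit IV per record.
BEAST_VERSIONS = {"SSLv3", "TLSv1"}


def normalize(suite: str) -> str:
    """Uppercase and unify separators so IANA (TLS_AES_128_GCM_SHA256) and
    OpenSSL (AES128-GCM-SHA256) spellings classify the same way."""
    return suite.strip().upper().replace("_", "-")


def cipher_mode(suite: str) -> str:
    """Return 'aead', 'stream', 'null' or 'cbc' for one cipher-suite name."""
    name = normalize(suite)
    if any(marker in name for marker in ("GCM", "CCM", "CHACHA20-POLY1305")):
        return "aead"
    if "RC4" in name:
        return "stream"
    if "NULL" in name:
        return "null"  # no encryption; not a BEAST matter, never acceptable
    return "cbc"


def beast_exposed(cipher_list: str, enabled_versions) -> list:
    """Suites from a colon-separated list that are exposed to BEAST given
    the protocol versions the server has enabled."""
    if not BEAST_VERSIONS & set(enabled_versions):
        return []  # TLS 1.1+ only: CBC suites are not affected
    return [s for s in cipher_list.split(":") if s and cipher_mode(s) == "cbc"]


def remaining_after_cbc_removal(cipher_list: str) -> list:
    """What a server is left with once every CBC suite is removed: the
    'accept only the weaker ones' trade-off the post describes."""
    return [s for s in cipher_list.split(":") if s and cipher_mode(s) != "cbc"]


# Constructed sample: a plausible 2012 Apache SSLCipherSuite value and a
# server that has not yet enabled TLS 1.1/1.2.
SAMPLE_CIPHERS = ("ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA:"
                  "AES128-SHA:DES-CBC3-SHA:RC4-SHA:RC4-MD5")
SAMPLE_VERSIONS = {"SSLv3", "TLSv1"}

if __name__ == "__main__":
    print("BEAST-exposed suites:", beast_exposed(SAMPLE_CIPHERS, SAMPLE_VERSIONS))
    print("Left after removing CBC:", remaining_after_cbc_removal(SAMPLE_CIPHERS))
```

On the constructed list, five of the seven suites are CBC and the only survivors are the two RC4 suites, which is the position the post complains about. Passing the same list with `{"TLSv1.2"}` returns no exposed suites: the durable fix is enabling TLS 1.1/1.2 with AEAD suites rather than keeping RC4, which RFC 7465 has since prohibited in TLS.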
