
Weak SSL Ciphers on Remote Server - Help?!


    We have a Security Test run on our website every 3 months to comply with PCI regulations. We have come up with some vulnerabilities regarding weak SSL Ciphers.

    Our website runs on a Linux Virtual Private Server, and we have requested that our web hosting company fix these vulnerabilities, but they are coming back to me asking what they need to do.

    This is not my field of expertise, and I therefore have no idea as to what needs to be done in order to fix these issues.

    Does anyone have a clue??
    Any help would be really appreciated.

    Thanks.

    Here are the vulnerabilities listed below.



    Port 443:
    Protocol: TCP
    Synopsis: The remote service supports the use of weak SSL ciphers.
    Description: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
    See also: http://www.openssl.org/docs/apps/ciphers.html
    Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
    Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    Plugin output: Here is the list of weak SSL ciphers supported by the remote server:

    Low Strength Ciphers (< 56-bit key)
      SSLv3
        EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES(40)  Mac=SHA1  export
        EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES(40)  Mac=SHA1  export
        EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2(40)  Mac=MD5   export
        EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5   export
      TLSv1
        EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES(40)  Mac=SHA1  export
        EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES(40)  Mac=SHA1  export
        EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2(40)  Mac=MD5   export
        EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5   export

    The fields above are: {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

    Protocol: TCP
    Port: 8443
    Synopsis: The remote service supports the use of weak SSL ciphers.
    Description: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
    See also: http://www.openssl.org/docs/apps/ciphers.html
    Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
    Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    Plugin output: Here is the list of weak SSL ciphers supported by the remote server:

    Low Strength Ciphers (< 56-bit key)
      SSLv2
        EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2(40)  Mac=MD5   export
        EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5   export
      SSLv3
        EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES(40)  Mac=SHA1  export
        EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES(40)  Mac=SHA1  export
        EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2(40)  Mac=MD5   export
        EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5   export
      TLSv1
        EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES(40)  Mac=SHA1  export
        EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES(40)  Mac=SHA1  export
        EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2(40)  Mac=MD5   export
        EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5   export

    The fields above are: {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}

    Protocol: TCP
    Port: 995
    Synopsis: The remote service supports the use of weak SSL ciphers.
    Description: The remote host supports the use of SSL ciphers that offer either weak encryption or no encryption at all.
    See also: http://www.openssl.org/docs/apps/ciphers.html
    Solution: Reconfigure the affected application if possible to avoid use of weak ciphers.
    Risk Factor: Medium / CVSS Base Score: 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
    Plugin output: Here is the list of weak SSL ciphers supported by the remote server:

    Low Strength Ciphers (< 56-bit key)
      SSLv3
        EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES(40)  Mac=SHA1  export
        EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2(40)  Mac=MD5   export
        EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5   export
      TLSv1
        EXP-DES-CBC-SHA          Kx=RSA(512)  Au=RSA  Enc=DES(40)  Mac=SHA1  export
        EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2(40)  Mac=MD5   export
        EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)  Mac=MD5   export

    The fields above are: {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
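    The plugin output above uses a fixed field layout, so the findings can be triaged mechanically before anyone touches the server configuration. The following Python is an added example (not code from the thread or from the scanning vendor): it parses that `{ciphername} Kx= Au= Enc= Mac= {export}` layout from a constructed sample and flags each cipher for the classes the finding describes (export-grade, key shorter than 56 bits, no encryption), plus anything offered over SSLv2.

```python
import re
# Constructed sample in the layout of the scanner output quoted above; the NULL and AES lines are added to exercise the classifier.
SAMPLE_OUTPUT = """\
  Low Strength Ciphers (< 56-bit key)
    SSLv2
      EXP-RC2-CBC-MD5          Kx=RSA(512)  Au=RSA  Enc=RC2(40)   Mac=MD5   export
    SSLv3
      EXP-EDH-RSA-DES-CBC-SHA  Kx=DH(512)   Au=RSA  Enc=DES(40)   Mac=SHA1  export
    TLSv1
      EXP-RC4-MD5              Kx=RSA(512)  Au=RSA  Enc=RC4(40)   Mac=MD5   export
  Null Ciphers (no encryption)
    TLSv1
      NULL-MD5                 Kx=RSA       Au=RSA  Enc=None      Mac=MD5
  High Strength Ciphers (>= 112-bit key)
    TLSv1
      AES128-SHA               Kx=RSA       Au=RSA  Enc=AES(128)  Mac=SHA1
"""
PROTO_RE = re.compile(r"^\s*(SSLv2|SSLv3|TLSv1(?:\.\d)?)\s*$")
# One cipher line: {name} Kx={kx} Au={au} Enc={cipher}({bits}) Mac={mac} [export]
CIPHER_RE = re.compile(r"^\s*(?P<name>[A-Z0-9-]+)\s+Kx=\S+\s+Au=\S+\s+Enc=[A-Za-z0-9]+"
                       r"(?:\((?P<bits>\d+)\))?\s+Mac=\S+(?P<export>\s+export)?\s*$")

def parse_plugin_output(text):
    """One dict per cipher line, tagged with the protocol heading above it."""
    ciphers, proto = [], None
    for line in text.splitlines():
        if m := PROTO_RE.match(line):
            proto = m.group(1)
        elif m := CIPHER_RE.match(line):
            ciphers.append({"protocol": proto, "name": m["name"],
                            "bits": int(m["bits"] or 0), "export": m["export"] is not None})
    return ciphers

def weakness_reasons(c):
    """Why a parsed cipher is flagged; an empty list means it is not in a weak class."""
    reasons = []
    if c["protocol"] == "SSLv2":
        reasons.append("offered over SSLv2")
    if c["export"]:
        reasons.append("export-grade")
    if c["bits"] == 0:
        reasons.append("no encryption")
    elif c["bits"] < 56:
        reasons.append(f"{c['bits']}-bit key")
    return reasons

def audit(text):
    """Map protocol -> {cipher name: reasons} for every weak cipher in the scanner output."""
    findings = {}
    for c in parse_plugin_output(text):
        if reasons := weakness_reasons(c):
            findings.setdefault(c["protocol"], {})[c["name"]] = reasons
    return findings
```

    Anything `audit()` reports under SSLv2 is fixed by turning the protocol off in the server, not by editing the cipher list; the remaining entries are what the cipher list itself must exclude.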

    #2
    Who runs the 'security test' on your site?

    Who hosts your site?



      #3
      Originally posted by grantglendinnin:
      > Who runs the 'security test' on your site?
      > Who hosts your site?
      Security Metrics and Dataflame (www.dataflame.co.uk) host our site.

      Our site uses Plesk Control Panel; I have found this:

      http://www.linux-advocacy.org/web-se...-pci-compliant

      which gives a bit more in-depth information on making Plesk more PCI compliant, so I have sent them this link hoping they can sort it out.


        #4
        I must be psychic, I knew I was getting that answer!

        Have a search around the forum for 'Security Metrics'.



          #5
          Grant, a search would probably bring up about 1500 threads, mostly started by Gavin himself anyway!
          Tracey



            #6
            Originally posted by grantglendinnin:
            > I must be psychic, I knew I was getting that answer!
            >
            > Have a search around the forum for 'Security Metrics'. Nothing but fraudsters in their own right.

            Yeah, I am well aware of what the forum members think of SecurityMetrics, lol.
            But it was never my idea; it was the MD's decision to go with these idiots on a recommendation from Barclays Bank, so I have to grin and bear it.

            Having said that, these weak SSL cipher vulnerabilities seem to be a common fault when making web servers PCI compliant, so I would say this would affect whichever security test company you went with, wouldn't it?

            Besides, it's our web hosting company idiots not knowing what to do to address the vulnerabilities that is the problem. I am merely trying to find out in "layman's terms" what needs to be done at the server end to fix these.


              #7
              Rofl. Oh yeah, well noticed.

              Having recalled all the previous threads on SM, you need to dump them to find success, sorry.


                #8
                How has any Actinic site in the world using SSL to download CC details ever become PCI compliant? It's an impossibility AFAIK. Next you'll be telling me you have shared hosting too.

                V7, SSL, Security Metrics, PCI Compliant...kinell Gav, give it a break mate.



                  #9
                  You'll never get to the bottom of this - that's how these companies make money - there will always be something else. Your MD needs educating.



                    #10
                    I am so tempted to reply.... but the post would be moderated.



                      #11
                      A recommendation from Barclays Bank? Why, because they are Barclays Bank? We had all sorts of crap from both companies saying we could only become compliant by using their services, and at such reasonable prices, not.
                      Their practices are like those schemes saying you can earn £silly amounts for 2 hours' work a week, but they're always on the back of a clapped-out banger. It's a con and the only people signing up are mugs.
                      www.parklifeclothes.co.uk

                      Parklife, Whitby



                        #12
                        Gavin, have you tried disabling SSLv2? This could probably fix the problem.

                        D



                          #13
                          If you're looking for a decent scanning company then try here (well, one that will pass): https://www.hackerguardian.com/

                          My main server passes PCI compliance but would probably fail a Security Metrics scan though.

                          The problems with your server are more to do with the Plesk control panel; there are certain problems with the mail server as well. These can be fixed but it needs a little work.


                            #14
                            If you don't collect credit card details on your site (i.e. you use a PSP, as you should), then you can self-certify for PCI purposes. Have I missed something? What is the point of this thread?

                            Aquazuro - designer stainless steel accessories



                              #15
                              Mark, I guess that depends on why it is required; not everyone uses Actinic. If you're using another ecommerce package and process the card on your site directly (not leaving your site) but still using a PSP, then you will need PCI compliance.