Søren Aarup


Discussion created by Søren Aarup on Nov 14, 2014
Latest reply on Mar 12, 2015 by Lily Wilson

So now we are failing big-time on our PCI-scans because we are not prioritizing RC4, meaning we are beast-vulnerable.


On the Qualys blog (https://discussions.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy) it is said that: "However, the trend is clear. Over time, RC4 attacks are going to get better, and the number of users vulnerable to the BEAST attack is going to get smaller."

I am confused, the above blogpost indicates that I should downprioritize or disable RC4, as it is weak. But my scans are failing with "SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability", although it also detects the vulnerability "SSL/TLS use of weak RC4 cipher", it is not causing a fail status.whu


Qualys, why are we failing on the "SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Vulnerability"? It is an old vulnerability - why not fail if using RC4 instead, since you say RC4-attacks is the trend and BEAST-attacks are getting smaller.