If we run a Qualys scan on a server (or set of servers) that do not use HTTPS, would that come up as a vulnerability? Or just the use of weak HTTPS protocols will be shown as a vulnerability.
Here is our use case: a merchant site is on HTTP only, calling an iFrame over HTTPS. When an ASV scans the merchant’s site, would they detect HTTP as a vulnerability? Yes/no/why?