
BEAST causes PCI scan failures from the major scanning vendors. Therefore it's a significant practical issue for any site taking credit cards.

Try the https://www.ssllabs.com/ssltest/index.html scan and you'll see what it thinks of your SSL setup. With the BEAST vulnerability you get non-compliance.




Yes, I know, but it seems a little bit misguided / misleading, particularly since BEAST in particular was pretty much mitigated in most browsers (see the link I posted + other links I posted below).

Agreed. Not defending PCI. Nevertheless some QSA is going to get their panties in a twist if their scanning tool goes red.

So as a sort-of-amusing counterpoint to this article, I know at least one ASV who insists that the only way to mitigate BEAST is to disable all ciphers but RC4. Still scratching my head on that one.
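The RC4-only "mitigation" in the comment above, set next to what a scanner actually tests for, as an added example that is not from this thread, from any ASV, or from SSL Labs: a small Python classifier over IANA-style cipher-suite names. It encodes two facts: BEAST needs the chained-IV CBC construction of SSL 3.0/TLS 1.0 (TLS 1.1 and later use explicit per-record IVs), and RC4 is a stream cipher that BEAST cannot touch but whose keystream biases later got it prohibited outright (RFC 7465). The protocol labels, suite lists and the three policies are constructed inputs; it goes one step past the comment by also scoring a TLS 1.1+/AEAD policy, which is what clears both findings.

```python
from dataclasses import dataclass

# BEAST (CVE-2011-3389) needs the chained-IV CBC construction that only
# SSL 3.0 and TLS 1.0 use; TLS 1.1+ sends an explicit per-record IV.
BEAST_PROTOCOLS = {"SSLv3", "TLSv1.0"}


def cipher_mode(suite: str) -> str:
    """Derive the bulk-cipher mode from an IANA-style suite name."""
    if "_GCM_" in suite or "_CCM" in suite or "CHACHA20" in suite:
        return "AEAD"
    if "_RC4_" in suite:
        return "stream"
    if "_CBC_" in suite:
        return "CBC"
    return "other"  # NULL, export-grade and anything unrecognised


@dataclass(frozen=True)
class Verdict:
    protocol: str
    suite: str
    beast: bool  # exploitable by BEAST
    weak: bool   # broken for a reason other than BEAST
    note: str


def assess(protocol: str, suite: str) -> Verdict:
    """Judge one (protocol, suite) pair the way a scanner would."""
    mode = cipher_mode(suite)
    if mode == "stream":
        return Verdict(protocol, suite, False, True,
                       "RC4: immune to BEAST, but biased keystream (prohibited by RFC 7465)")
    if mode == "other":
        return Verdict(protocol, suite, False, True, "no or unrecognised encryption")
    if mode == "CBC" and protocol in BEAST_PROTOCOLS:
        return Verdict(protocol, suite, True, False,
                       "CBC under %s: BEAST-exploitable" % protocol)
    if mode == "CBC":
        return Verdict(protocol, suite, False, False,
                       "CBC with explicit IVs: not BEAST-exploitable")
    return Verdict(protocol, suite, False, False, "AEAD: not affected")


def policy_report(protocols, suites):
    """Assess every protocol/suite combination a server policy would offer."""
    verdicts = [assess(p, s) for p in protocols for s in suites]
    return {
        "beast_exposed": any(v.beast for v in verdicts),
        "all_weak": bool(verdicts) and all(v.weak for v in verdicts),
        "clean": bool(verdicts) and not any(v.beast or v.weak for v in verdicts),
        "verdicts": verdicts,
    }


# Constructed policies for illustration, not any real server's configuration.
LEGACY = (["TLSv1.0"],
          ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"])
RC4_ONLY = (["TLSv1.0"], ["TLS_RSA_WITH_RC4_128_SHA"])  # the ASV's advice
MODERN = (["TLSv1.1", "TLSv1.2"],
          ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
           "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"])

if __name__ == "__main__":
    for name, (protos, suites) in (("legacy", LEGACY),
                                   ("rc4-only", RC4_ONLY),
                                   ("modern", MODERN)):
        r = policy_report(protos, suites)
        print(f"{name:9s} beast_exposed={r['beast_exposed']} "
              f"all_weak={r['all_weak']} clean={r['clean']}")
        for v in r["verdicts"]:
            print(f"    {v.protocol:8s} {v.suite:42s} {v.note}")
```

The RC4-only policy does make the BEAST finding go away, which is why a scanner-driven ASV lands on it; it just replaces that finding with a cipher the same scanners now flag on their own. The modern policy shows the distinction that matters: CBC is only a BEAST problem under TLS 1.0, so moving clients to TLS 1.1+ (or to AEAD suites) clears it without touching RC4 at all.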

That tool you posted is great, hugely helpful for anyone who has to deal with this stuff.


This is a pretty good illustration of why professional appsec people don't like PCI.
