The link on that page points to Mitigating the BEAST attack on TLS which provides some background info on the problem, but it doesn't answer the questions I have at the moment, which are:
- What is the risk impact of this vulnerability on a site like http://teammentor.net?
- What are the exploit scenarios?
- Is there any mitigation (or not) by the use of IIS 7.0?
- How do I fix this in IIS 7.0?
- Can anything be done at the Application Layer?
In a way this is where security fails. Instead of giving me a solution, SSL Labs (which rocks btw) is giving me a problem.
Another good example of 'Security as TAX' vs 'Security as Enabler'.
We are going to have to spend resources to understand, fix, test, and validate this problem (i.e. pay a TAX) with very little return.
The other issue to solve is to remove SSL 2.0 support in IIS 7. As per this post, How to Disable SSL 2.0 in IIS 7, it looks like it needs to be done by changing the registry. Is that the only way to do this?
Also asked this question on:
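The registry change the post refers to (disabling SSL 2.0 for the Schannel provider that IIS 7 uses) can be applied and verified from PowerShell. The script below is an added example, not code from the question or from the linked post; it assumes the standard Schannel protocol keys under HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols, an elevated session, and that the machine will be rebooted afterwards for Schannel to pick up the change.

```powershell
# Added example: disable SSL 2.0 in Schannel (the TLS stack behind IIS 7) and
# report the resulting state. Run elevated; Schannel reads these keys at boot,
# so a reboot is required before the change takes effect.

$ProtocolRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # Returns the Enabled / DisabledByDefault values for the Server and Client
    # sides of one protocol (e.g. 'SSL 2.0'). Missing keys mean "OS default".
    param([Parameter(Mandatory)][string]$Protocol)

    foreach ($side in 'Server', 'Client') {
        $path = Join-Path (Join-Path $ProtocolRoot $Protocol) $side
        $props = if (Test-Path $path) { Get-ItemProperty -Path $path } else { $null }
        [pscustomobject]@{
            Protocol          = $Protocol
            Side              = $side
            Enabled           = if ($props -and $props.PSObject.Properties['Enabled']) { $props.Enabled } else { '(default)' }
            DisabledByDefault = if ($props -and $props.PSObject.Properties['DisabledByDefault']) { $props.DisabledByDefault } else { '(default)' }
        }
    }
}

function Disable-SchannelProtocol {
    # Creates the Server and Client subkeys for the protocol and sets
    # Enabled=0 and DisabledByDefault=1 (both REG_DWORD), which is the
    # documented way to turn a protocol off for Schannel.
    param([Parameter(Mandatory)][string]$Protocol)

    foreach ($side in 'Server', 'Client') {
        $path = Join-Path (Join-Path $ProtocolRoot $Protocol) $side
        if (-not (Test-Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        New-ItemProperty -Path $path -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
        New-ItemProperty -Path $path -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
    }
}

# Show the state before, apply the change, show the state after.
Write-Host 'Before:'
Get-SchannelProtocolState -Protocol 'SSL 2.0' | Format-Table -AutoSize

Disable-SchannelProtocol -Protocol 'SSL 2.0'

Write-Host 'After (reboot required for Schannel to apply this):'
Get-SchannelProtocolState -Protocol 'SSL 2.0' | Format-Table -AutoSize
```

The same two functions work for any protocol name Schannel recognises, so the "Before" output is also a quick way to audit which protocols a server has explicitly enabled or disabled. After the reboot, re-running the SSL Labs scan is the external check that SSL 2.0 is no longer offered.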