
Apache SSL hardened cipher configuration against BEAST, to satisfy PCI Compliance

When the company went through PCI compliance, a series of security improvements was involved.

I hardened SSL against the BEAST attack by only allowing RC4-class cipher suites instead of the usual default CBC-mode ones.


~~~~~~~~~~

A brief introduction follows:

As TLS 1.2 was not vulnerable, it was advised to migrate to this version of the protocol when possible, but since its adoption is still far from common, it was suggested, as Google did, to use a cipher not involving CBC mode, such as RC4.

The bad news is that all versions of TLS (including 1.2) are vulnerable, and this does not depend on the cipher suite adopted. Furthermore, according to the little information available, the exploit uses JavaScript code to make the attack faster, but in theory it could also work with static HTML, by loading JavaScript into the victim's browser from a separate site.

The good news is that, although both Mozilla Firefox and Google Chrome are vulnerable to the attack, the browser vendors have developed patches for the issue that will be released in the next few weeks.


The setup is simple: just add the following directives to Apache's mod_ssl configuration (Apache directive names are case-insensitive, but the OpenSSL cipher-string tokens are case-sensitive and must be written in upper case):

<code>SSLHonorCipherOrder On</code>

<code>SSLCipherSuite RC4-SHA:HIGH:!ADH</code>
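To make the two directives concrete, here is an added Python audit script (example code written for this page, not from the original post or from the Apache project) that parses a mod_ssl fragment and reports whether the server enforces its own cipher order and which suite it prefers first. Both configuration fragments embedded in it are constructed samples: one in the default style, where the client's preference wins and CBC suites are offered first, and one with the two directives from the post. Note that RC4 itself was later prohibited for TLS by RFC 7465, so the check reflects the 2012-era mitigation described here, not a current cipher recommendation.

```python
"""Audit an Apache mod_ssl configuration fragment for the BEAST-related
settings discussed in the post (SSLHonorCipherOrder + SSLCipherSuite).

Example code for this page; not part of the original post or of Apache.
"""
import re
from typing import Dict, Optional

# Constructed sample 1: default-style config. No SSLHonorCipherOrder, so the
# client chooses, and the first positive token (HIGH) is a CBC-heavy group.
DEFAULT_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    SSLCipherSuite HIGH:MEDIUM:!aNULL
</VirtualHost>
"""

# Constructed sample 2: the two directives from the post.
HARDENED_CONF = """\
<VirtualHost *:443>
    SSLEngine on
    # server-driven order, RC4-SHA first, anonymous DH excluded
    SSLHonorCipherOrder On
    SSLCipherSuite RC4-SHA:HIGH:!ADH
</VirtualHost>
"""

# Apache directive names are case-insensitive; arguments are kept verbatim.
DIRECTIVE_RE = re.compile(r"^\s*(SSL\w+)\s+(.*?)\s*$", re.IGNORECASE)


def parse_ssl_directives(conf: str) -> Dict[str, str]:
    """Return mod_ssl directives keyed by lower-cased directive name."""
    found: Dict[str, str] = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0]  # drop trailing comments
        m = DIRECTIVE_RE.match(line)
        if m:
            found[m.group(1).lower()] = m.group(2)
    return found


def first_cipher_preference(cipher_string: str) -> Optional[str]:
    """First positive token of an OpenSSL cipher string.

    Tokens starting with '!' or '-' remove suites and express no preference,
    so they are skipped even when they come first.
    """
    for token in cipher_string.split(":"):
        if token and token[0] not in "!-":
            return token
    return None


def audit_beast_settings(conf: str) -> Dict[str, object]:
    """Evaluate a config fragment against the post's mitigation criteria."""
    directives = parse_ssl_directives(conf)
    honor = directives.get("sslhonorcipherorder", "off").lower() == "on"
    suite = directives.get("sslciphersuite", "")
    first = first_cipher_preference(suite)
    rc4_first = first is not None and "RC4" in first.upper()
    findings = []
    if not honor:
        findings.append("SSLHonorCipherOrder is off: the client picks the suite")
    if not rc4_first:
        findings.append(f"first server preference is {first!r}, not an RC4 suite")
    return {
        "honor_cipher_order": honor,
        "first_preference": first,
        "rc4_preferred": rc4_first,
        # "mitigated" in the sense of the post: server-enforced RC4 preference.
        "beast_mitigated": honor and rc4_first,
        "findings": findings,
    }


if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("hardened", HARDENED_CONF)):
        result = audit_beast_settings(conf)
        print(f"{name}: {result}")
```

The audit deliberately checks the preference order and not just the presence of RC4 in the list: without SSLHonorCipherOrder a client that prefers AES-CBC will still negotiate a CBC suite even though RC4-SHA appears first in the server string.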

References:

<a href="http://httpd.apache.org/docs/current/ssl/ssl_howto.html">http://httpd.apache.org/docs/current/ssl/ssl_howto.html</a>

<a href="http://serverfault.com/questions/415112/fixing-beast-vulnerability-on-apache-2-0-running-on-rhel-4">http://serverfault.com/questions/415112/fixing-beast-vulnerability-on-apache-2-0-running-on-rhel-4</a>

<a href="https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls">https://community.qualys.com/blogs/securitylabs/2011/10/17/mitigating-the-beast-attack-on-tls</a>
