
If a server supports

|   SSLv3: No supported ciphers found
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors: 
|       NULL

The Qualys SSL test gets an A and it does not say it is vulnerable to the BEAST attack; however, CBC and TLS 1.0, if I know it correctly, should make it BEAST-attackable.

Either my understanding is wrong or ssltest on ssllabs isn't reporting it.

    The BEAST attack is mitigated client side by the 1/n-1 split in mainstream modern browsers. Mitigating it server-side is no longer typically considered to be necessary. – Xander Jun 26 '15 at 21:29
  • And in particular SSLLabs test dropped the BEAST penalty in fall 2013: https://community.qualys.com/blogs/securitylabs/2013/09/10/is-beast-still-a-threat also https://community.qualys.com/blogs/securitylabs/2013/10/31/apple-enabled-beast-mitigations-in-os-x-109-mavericks . – dave_thompson_085 Jun 27 '15 at 05:34
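The asker's reasoning (CBC suite plus TLS 1.0 equals BEAST precondition) can be checked mechanically against the scan output. The script below is an added example, not part of the original post and not nmap's own code: it parses the `ssl-enum-ciphers` output format shown in the question and lists the (protocol, suite) pairs that meet BEAST's precondition, namely a block cipher in CBC mode negotiable under SSLv3 or TLS 1.0. The sample input is a constructed, trimmed copy of the question's output, and the function and regex names are this example's own. Whether such pairs are still a practical risk is the separate point the comments and answer make about client-side 1/n-1 record splitting.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the nmap ssl-enum-ciphers output quoted in the question,
# trimmed to a few suites per protocol (same format, not a live scan).
SAMPLE_NMAP_OUTPUT = """\
|   SSLv3: No supported ciphers found
|   TLSv1.0: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors: 
|       NULL
|   TLSv1.2: 
|     ciphers: 
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors: 
|       NULL
"""

# Protocol header lines look like "|   TLSv1.0: " (or "|   SSLv3: No supported ...").
PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):")
# Cipher lines look like "|       TLS_RSA_WITH_AES_128_CBC_SHA - strong".
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+-\s+(\w+)")

# BEAST needs a CBC suite under a protocol that chains the IV across records.
# TLS 1.1 and later use a fresh explicit IV per record, which closes the gap.
BEAST_PROTOCOLS = ("SSLv3", "TLSv1.0")


def parse_enum_ciphers(output: str) -> Dict[str, List[str]]:
    """Map each protocol version nmap reported to the cipher suites under it.

    A protocol with no suites (e.g. "SSLv3: No supported ciphers found")
    still appears in the result with an empty list.
    """
    suites: Dict[str, List[str]] = {}
    current = None
    for line in output.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            suites.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            suites[current].append(m.group(1))
    return suites


def beast_candidates(suites: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (protocol, suite) pairs that satisfy BEAST's preconditions.

    Only CBC-mode suites count; RC4 (stream), GCM and CHACHA20 (AEAD) do not
    use CBC and so are not BEAST targets regardless of protocol version.
    """
    hits: List[Tuple[str, str]] = []
    for proto in BEAST_PROTOCOLS:
        for name in suites.get(proto, []):
            if "_CBC_" in name:
                hits.append((proto, name))
    return hits


def report(output: str) -> str:
    """Human-readable summary of the BEAST precondition check."""
    hits = beast_candidates(parse_enum_ciphers(output))
    if not hits:
        return "No CBC suite is offered under SSLv3/TLS 1.0; BEAST precondition not met."
    lines = [f"{len(hits)} CBC suite(s) offered under SSLv3/TLS 1.0 (BEAST precondition met):"]
    lines += [f"  {proto}: {name}" for proto, name in hits]
    lines.append("Note: modern clients mitigate this with 1/n-1 record splitting.")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NMAP_OUTPUT))
```

Run it against the output of `nmap --script ssl-enum-ciphers -p 443 <host>` by piping that text into `parse_enum_ciphers`; the parser keys on the `|` prefix nmap prints for script output, so the surrounding port table lines are ignored.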

1 Answer


SSL Labs no longer penalizes this

In a blog post dated 2013-09-10 SSL Labs project lead Ivan Ristic said:

Yesterday I changed the SSL Labs rating criteria to stop penalizing sites that do not implement server-side mitigations for the BEAST attack. That means that we now consider this attack sufficiently mitigated client-side, [...]

Details/Timeline

  • 2011-08-23, BEAST is revealed.
  • 2013-02-07, SSL Labs: Vulnerability to the BEAST attack caps the grade at B.
  • 2013-09-09, SSL Labs: Grade cap is removed.

SSL Labs version history is taken from their SSL Server Rating Guide PDF.
