upvote

points

by kstrauser7 hours ago |
comments
upvoteby akerl_7 hours ago|
next
[-]
> Bullshit past findings were things like “your VPN server supports old encryption algorithms”. “But our clients don’t support them. They select the newer algorithms!”

Given that downgrade attacks are a massive category of attacks for network protocols, and in fact modern protocols go to great lengths to make them impossible, that doesn’t sound very bullshit at all.

reply
upvoteby CodesInChaos2 hours ago|
parent|
next
[-]
The whole VPN requirement sounds like bullshit to me. The terminal should use secure TLS connections to the servers it communicates with, without relying on the security of the (local) network at all.
reply
upvoteby akerl_1 hours ago|
parent|
next
[-]
Last I checked, a VPN isn’t required by PCI (or really any other compliance regime). The parent commenter’s infrastructure had a VPN. And once you have a VPN and you’re showing it to the auditors as part of your in-scope infra for PCI, asking you to remediate findings for insecure algorithms allowed in the server config is rational.
reply
upvoteby kstrauser57 minutes ago|
parent|
[-]
Eh, not really. The VPN was on the same router that gave the card scanner access to phone home to the credit card company. They weren’t related at all. You couldn’t connect to the scanner’s LAN through the VPN. But since they had the same public IP, the vuln scanner counted them as in scope.

But in reality, why’s that a problem? Is the credit card scanner so tacitly busted that it can’t coexist with other hosts? Does it not use TLS? Doesn’t it pin TLS certs so that it’s not subject to MITM? Is it listening on ports with vulnerable services? There’s no excuse for the scanner being that delicate. It should be able to service an office LAN. And yet, the PCI-DSS group managed to push the responsibility for their hardware onto the network owners rather than making their own hardware robust. That’s nuts.

reply
upvoteby kstrauser1 hours ago|
parent|
prev|
[-]
It wasn’t a requirement. They have a VPN server for remote access. The network scan found it and complained even though it’s not related.
reply
upvoteby kstrauser7 hours ago|
parent|
prev|
[-]
If a client doesn’t support an algorithm, you can’t force a downgrade to it. A compensating control is that the clients are managed and only support the newest algorithms, and aren’t vulnerable to a downgrade attack.

Context is everything. Here, the context is that within this scan environment, it was, in fact, a bullshit finding.

reply
upvoteby unethical_ban4 hours ago|
prev|
[-]
Why doesn't every bar with a POS system need a separate vlan for their register?
reply
upvoteby bob10294 hours ago|
parent|
[-]
If you process < 20k online transactions per year you can skip a lot of the requirements.
reply