We are happy to announce that Vesta is back under active development as of 25 February 2024. We are working on v1 candidate and expect to engage more with the community over the coming months. We are committed to open source, and we encourage contributors to help us build the future of Vesta.
I got "The BEAST attack is not mitigated on this server" warning
-
- Posts: 301
- Joined: Tue Dec 22, 2015 2:06 pm
I got "The BEAST attack is not mitigated on this server" warning
Today I tried to verify my SSL certificate at:
https://cryptoreport.websecurity.symantec.com/checker/
After I entered my domain ( www.joomlagate.com ) and hit the "Check" button, I saw a warning message among those results:
Warnings
BEAST
The BEAST attack is not mitigated on this server.
Does this mean that my VestaCP is not safe? How to fix this?
Thank you.
Re: I got "The BEAST attack is not mitigated on this server" warning
BEAST is a man-in-the-middle attack, and this checker is not good.
Short for Browser Exploit Against SSL/TLS, SSL BEAST is an exploit, first revealed in late September 2011, that leverages weaknesses in cipher block chaining (CBC) to exploit the Secure Sockets Layer (SSL) protocol. The CBC vulnerability can enable man-in-the-middle (MITM) attacks against SSL in order to silently decrypt and obtain authentication tokens, providing hackers with access to the data passed between a Web server and the Web browser accessing the server.
While SSL BEAST attacks affect only the Transport Layer Security (TLS) 1.0 version of SSL and not later versions such as TLS 1.1 and 1.2, TLS 1.0 remains the overwhelmingly predominant version used by both Web servers and browsers. Following a JavaScript-based demonstration of the SSL BEAST attack by researchers Juliano Rizzo and Thai Duong, developers of Google Chrome and other major Web browsers started taking steps to create workarounds for mitigating the risks of SSL BEAST attacks.
Use a normal SSL checker: https://www.ssllabs.com/ssltest/analyze ... com&latest
Re: I got "The BEAST attack is not mitigated on this server" warning
baijianpeng wrote: Does this mean that my VestaCP is not safe? How to fix this?
Use a SHA2 cert first.
Tighten some SSL settings.
Re: I got "The BEAST attack is not mitigated on this server" warning
What is BEAST?
TLS 1.0 and earlier protocols suffer from a serious flaw: the Initialization Vector (IV) blocks that are used to mask data (plaintext) prior to encryption with a block cipher can be predicted by an active man-in-the-middle (MITM) attacker. IVs are used to prevent encryption from being deterministic; without them, every time you encrypt the same block of data with the same key, you get the same (encrypted) output. This is highly undesirable. A clever attacker who can 1) predict IVs, 2) see what encrypted data looks like, and 3) influence what is encrypted, is then able to make guesses about what plaintext looks like. Technically, he cannot decrypt any data, but he can find out if his guesses are right or wrong. With enough guesses, any amount of data can be uncovered.
https://community.qualys.com/blogs/secu ... l-a-threat
Do not use TLS 1.
-
- Posts: 301
- Joined: Tue Dec 22, 2015 2:06 pm
Re: I got "The BEAST attack is not mitigated on this server" warning
skurudo wrote: Do not use TLS 1
Yes, after using the ssllabs.com checker, I noticed that:
Protocols
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
Then, how can I disable/turn off TLS 1.0?
Thank you.
Re: I got "The BEAST attack is not mitigated on this server" warning
Use the ssl_protocols directive in /etc/nginx/nginx.conf.
Example:
# SSL PCI Compliance
ssl_session_cache shared:SSL:50m;
ssl_buffer_size 1400;
ssl_session_timeout 24h;
# protocol versions nginx will negotiate; remove TLSv1 from this list to disable TLS 1.0
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers AES256+EECDH:AES256+EDH:!aNULL;
-
- Posts: 301
- Joined: Tue Dec 22, 2015 2:06 pm
Re: I got "The BEAST attack is not mitigated on this server" warning
skurudo wrote: Use directive ssl_protocols in /etc/nginx/nginx.conf
Hi @skurudo, you gave me great help!
As a newbie to VestaCP and Linux, I surely need to know which file to edit.
Now I have found that code and deleted "TLS 1.0" from that line.
Do I need to restart the NginX or VestaCP to make it work?
Thank you.
-
- Posts: 301
- Joined: Tue Dec 22, 2015 2:06 pm
Re: I got "The BEAST attack is not mitigated on this server" warning
OK, I restarted Nginx. Then several hours later, when I checked my domain again with that SSL checker, the result was:
BEAST attack: Mitigated server-side
It seems that this issue is solved.
Thank you.