Recently, Ivan Ristic, the author of the SSL Labs test at Qualys, published a blog post on the changes being made to their grading system. The salient points were:
- Servers that support SSL 3 are now capped at B (C if vulnerable to POODLE).
- Grade F given to servers that support only SSL 3.
- Servers that support RC4 are capped at B.
- Incomplete certificate chains capped at B.
- A+ servers are now expected to support TLS_FALLBACK_SCSV and have a SHA2 certificate chain.
The immediate impact of the change is that any origin server allowing the RC4-SHA/RC4-MD5 ciphers will be given a grade of B.
To address both the lower grade and the underlying security weakness, the best course of action is to block RC4-SHA. For PCI-preferred websites, you should prioritize the AES256-SHA and AES128-SHA ciphers over TLS 1.*.
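As an added illustration (not from the original post, and not Akamai's cipher set), the script below expands a candidate OpenSSL cipher string on the local OpenSSL build and flags any RC4 or MD5 suites in a list of suites as a scanner would report them; the policy string and the sample suite list are constructed here.

```python
import ssl

# Substrings marking the suites the post says cost the grade: RC4 (capped at B)
# and the RC4-MD5 variant it names. MD5 is matched on its own so any MD5-MAC
# suite is caught as well.
WEAK_MARKERS = ("RC4", "MD5")

def suites_for(cipher_string):
    """Expand an OpenSSL cipher string into the suite names it actually enables
    on the local OpenSSL build (TLS 1.3 suites are listed regardless)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        # Nothing selectable, e.g. an RC4-only string on an OpenSSL build that
        # no longer ships RC4 in its default provider.
        return []
    return [c["name"] for c in ctx.get_ciphers()]

def audit(suite_names):
    """Return the suites from a list (e.g. pasted from an SSL Labs report)
    that would trigger the RC4 cap described in the post."""
    return [n for n in suite_names if any(m in n for m in WEAK_MARKERS)]

# Constructed policy in the spirit of the post: AES256-SHA and AES128-SHA first
# for the PCI case, then the rest of HIGH, with RC4/MD5 and anonymous or
# null suites explicitly removed.
PCI_POLICY = "AES256-SHA:AES128-SHA:HIGH:!RC4:!MD5:!aNULL:!eNULL"

# Constructed sample of what a scanner might report for a legacy origin.
REPORTED_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "AES128-SHA",
    "RC4-SHA",
    "RC4-MD5",
]

if __name__ == "__main__":
    print("Flagged on legacy origin:", audit(REPORTED_SUITES))
    enabled = suites_for(PCI_POLICY)
    print(f"{len(enabled)} suites enabled by PCI_POLICY; flagged:", audit(enabled))
```

Run it on your own origin's cipher string before asking for a configuration change, so the grade-B cause is confirmed locally rather than inferred from the scanner alone.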
Akamai Specific Mitigation
If you are serving the secure traffic over Akamai, you will need to work with your Akamai integration consultant. Depending on forward-secrecy requirements and PCI compliance, you'll have 2 options:
- PCI compliant ciphers: Ask your Akamai rep to enable only PCI Compliant ciphers.
- PFS ciphers: Akamai has a pre-configured set of ciphers that support PFS. One set is generally recommended by Akamai and another set is an experimental group. The experimental set may contain some ciphers that are not battle-tested, so it should be used with care.
Depending on your PCI or PFS requirements, ask your Akamai rep to enable the right set of ciphers.
As a best practice, the recommendation is to move away from using specific cipher names in the Akamai setting. This is to ensure that any discovered vulnerability can be quickly patched by the Akamai Engineering teams instead of examining the setup on a per-customer basis.
- Digicert PCI recommendation: https://www.digicert.com/news/DigiCert_PCI_White_Paper.pdf
- OWASP Recommendation: https://www.owasp.org/index.php/Cryptographic_Storage_Cheat_Sheet#Rule_-_Use_strong_approved_cryptographic_algorithms