As we all know this was worked around more than a decade ago and all browsers save an ancient Safari outlier are not vulnerable to it.
Yes, but due to the CVSS score, using CBC-based ciphers in TLS 1.0 is a fail. Sure, the risks have been mitigated and they are good to use, but you can't if you want to be PCI compliant.
We all know that cipher suites can be turned on and off independent of TLS version.
Yes, but if you turn off the RC4 ciphers and turn off the CBC-based ciphers in TLS 1.0, there are no TLS 1.0 browsers that have a compatible cipher. This results in TLS 1.0 browsers no longer working in such a configuration. Hence the problem here.
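To make the cipher-suite dead end above concrete, here is a small negotiation model (added for illustration; it is not code from anyone in this thread). It assumes a simplified catalogue of five suites tagged with their encryption mode and the lowest TLS version that defines them, a server preference list, and a "TLS 1.0-only browser" profile that can offer only suites defined in TLS 1.0. The catalogue names and profiles are my own constructed sample data; the one real fact the model leans on is that AEAD (GCM) suites only exist from TLS 1.2 onward, so a TLS 1.0 client's only options are CBC or RC4.

```python
"""Toy model of TLS cipher-suite negotiation under a PCI-style policy.

Added example, not from the thread. Catalogue and client profiles are
constructed sample data; version/mode tags follow the TLS RFCs.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

VERSIONS = ("1.0", "1.1", "1.2")


def _rank(version: str) -> int:
    return VERSIONS.index(version)


@dataclass(frozen=True)
class Suite:
    name: str
    mode: str         # "stream" (RC4), "cbc", or "aead" (GCM)
    min_version: str  # lowest TLS version in which the suite is defined


# Constructed catalogue; AEAD suites are TLS 1.2+ only.
CATALOGUE = [
    Suite("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "aead", "1.2"),
    Suite("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "cbc", "1.2"),
    Suite("TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "cbc", "1.0"),
    Suite("TLS_RSA_WITH_AES_128_CBC_SHA", "cbc", "1.0"),
    Suite("TLS_RSA_WITH_RC4_128_SHA", "stream", "1.0"),
]
BY_NAME = {s.name: s for s in CATALOGUE}

# Server preference order: AEAD first, RC4 dead last.
SERVER_PREF = [s.name for s in CATALOGUE]

# A TLS 1.0-only browser can offer nothing that needs TLS 1.2.
LEGACY_CLIENT = [s.name for s in CATALOGUE if s.min_version == "1.0"]
MODERN_CLIENT = [s.name for s in CATALOGUE]


def negotiate(client_suites: List[str], client_max: str,
              server_pref: List[str] = SERVER_PREF, server_max: str = "1.2",
              allow_rc4: bool = True,
              allow_cbc_in_tls10: bool = True) -> Optional[Tuple[str, str]]:
    """Return (version, suite) the two sides would settle on, or None.

    allow_rc4=False models dropping the RC4 suites entirely;
    allow_cbc_in_tls10=False models refusing CBC when TLS 1.0 is negotiated
    (the CVSS-driven scanner rule the thread is complaining about).
    """
    version = VERSIONS[min(_rank(client_max), _rank(server_max))]
    for name in server_pref:             # server order wins
        if name not in client_suites:
            continue
        suite = BY_NAME[name]
        if _rank(suite.min_version) > _rank(version):
            continue                     # suite not defined at this version
        if suite.mode == "stream" and not allow_rc4:
            continue
        if suite.mode == "cbc" and version == "1.0" and not allow_cbc_in_tls10:
            continue
        return version, name
    return None


def legacy_client_still_works(**policy) -> bool:
    """True if a TLS 1.0-only client can complete a handshake under policy."""
    return negotiate(LEGACY_CLIENT, "1.0", **policy) is not None


if __name__ == "__main__":
    for rc4, cbc10 in [(True, True), (True, False), (False, True), (False, False)]:
        outcome = negotiate(LEGACY_CLIENT, "1.0", allow_rc4=rc4, allow_cbc_in_tls10=cbc10)
        print(f"RC4={rc4!s:5} CBC@1.0={cbc10!s:5} -> {outcome}")
    print("modern client, strict policy ->",
          negotiate(MODERN_CLIENT, "1.2", allow_rc4=False, allow_cbc_in_tls10=False))
```

Running it shows the three possible states for the legacy client: with CBC permitted at 1.0 it gets an AES-CBC suite, with CBC refused at 1.0 it falls through to RC4 (the configuration the financial sites mentioned later in the thread ended up with), and with both refused the handshake has nothing left, while a TLS 1.2 client under the same strict policy happily takes the GCM suite.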
I would love for someone to provide a reference where in PCI a CVE scoring regime for PCI compliance is even mentioned.
Here you go - Page 22
"With a few exceptions (see the Compliance Determination—Overall and by Component section below for details), any vulnerability with a CVSS base score of 4.0 or higher will result in a non-compliant scan, and all such vulnerabilities must be remediated by the scan customer."
Regardless, these problems are not vulnerabilities when you turn off a broken cipher suite and implement workarounds that have existed for more than a decade.
Sure, not vulnerabilities, but still a PCI fail due to the NIST CVSS scoring, which is the point here. (Bureaucracy)
I have vague memories of people trying this nonsense but it didn't last long.
Earlier this year when I was researching this, there were very many financial sites that used RC4 ciphers. They had no choice but to do this if they wanted to support TLS 1.0 browsers AND be PCI compliant.
Curse you NIST... or NASA or GEOINT or KGB or whoever for a completely broken chain of incoherent nonsense.
My personal opinion: this is a CONSPIRACY... more trivial work / check boxes for the Nessus button pushers to run while they abstract absurd amounts of cash from their victims.
Not so. I was there when this came about. In fact, I kinda seeded the notion that this had to be dealt with by fixing the CVSS scoring with the NIST. I was just frustrated with the problem and wanted to find a 'correct' fix. But it blew up as explained previously - damn you, NIST.