SSL Cert shows that it is vulnerable to BEAST attack


#1

I checked my domain on an SSL verification site at https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp?cn=gokhalemethod.com and then found that everything is right, but the site shows that the site is vulnerable to BEAST. Do we need to do something, or will Cloudflare reissue the cert and fix it for us?

Also would like to know how secure it is to have these certs vs a separate cert for my domain and that uploaded to cloudflare.

Thanks,
Sadashiv.


#2

That could be because you have TLS 1.0 enabled. Go to the Cloudflare Crypto settings and set Minimum TLS version to 1.1.


#3

I changed that to TLS 1.2 and also did the same on the server nginx conf which solved the issue.

Coming back to the second question, security comparison for Cloudflare SSL vs my SSL uploaded, or is the security level the same?

Thanks for your reply

Thanks,
Sadashiv
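The fix described in the two replies above has an edge side (the Cloudflare "Minimum TLS version" setting) and an origin side (the `ssl_protocols` directive in the nginx config). BEAST is an attack on the CBC cipher suites of TLS 1.0 and earlier, so a scanner stops flagging it once those versions are no longer offered. The following Python script is an added example, not code from Cloudflare or from the poster's server: it audits an nginx config for the `ssl_protocols` directive and reports deprecated versions, with a constructed weak config next to the corrected one. The hostname `example.com` in the samples is a placeholder.

```python
"""Audit the TLS versions an nginx ``ssl_protocols`` directive enables.

Added example for this thread, not code from Cloudflare or from the poster's
server; the two server blocks below are constructed sample configs.
"""
import re
from typing import Optional

# Protocol names nginx accepts in ssl_protocols, oldest to newest.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# TLS 1.0 and 1.1 are deprecated by RFC 8996. BEAST targets the CBC cipher
# suites of TLS 1.0 and earlier, so not offering these versions removes it.
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Constructed sample: a server block that still offers TLS 1.0 and 1.1 ...
WEAK_CONF = """\
server {
    listen 443 ssl;
    server_name example.com;          # placeholder hostname
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

# ... and the corrected block matching the reply above (minimum TLS 1.2).
HARDENED_CONF = """\
server {
    listen 443 ssl;
    server_name example.com;          # placeholder hostname
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

# Matches an uncommented ssl_protocols directive up to its terminating ';'.
_DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;]+);", re.MULTILINE)


def enabled_protocols(conf: str) -> Optional[list]:
    """Return the protocol names from the last ssl_protocols directive in
    ``conf``, or None if the directive is absent (nginx's version-dependent
    default then applies and must be checked separately)."""
    found = _DIRECTIVE.findall(conf)
    if not found:
        return None
    return found[-1].split()


def weak_protocols(conf: str) -> list:
    """Deprecated versions the config still enables (an empty list is the goal)."""
    protos = enabled_protocols(conf) or []
    return [p for p in protos if p in DEPRECATED]


def minimum_version(conf: str) -> Optional[str]:
    """Lowest protocol version offered, in the order nginx defines them."""
    protos = enabled_protocols(conf)
    if not protos:
        return None
    unknown = len(PROTOCOL_ORDER)  # rank unrecognised names after the known ones
    return min(protos, key=lambda p: PROTOCOL_ORDER.index(p) if p in PROTOCOL_ORDER else unknown)


def audit(conf: str) -> dict:
    """One-shot summary suitable for a deploy check or CI step."""
    weak = weak_protocols(conf)
    return {
        "minimum": minimum_version(conf),
        "weak": weak,
        "ok": enabled_protocols(conf) is not None and not weak,
    }


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit(conf))
```

Run it against the real config (`audit(open("/etc/nginx/nginx.conf").read())` or the relevant `sites-enabled` file) after the change; an `ok` of `False` with `weak` listing `TLSv1` or `TLSv1.1` means the origin is still offering the versions the scanner complained about. A `None` minimum means the directive is not set explicitly, and the version-dependent nginx default applies, so set it explicitly rather than relying on the default.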


#4

The Cloudflare SSL certificate is very secure. SSL Labs likes it:
https://www.ssllabs.com/ssltest/analyze.html?d=gokhalemethod.com&hideResults=on&latest

I can squeeze out an A+ with CAA and HSTS. I don’t know why the article below says they automatically add CAA. The SSL Labs test can’t find them. So I’ve added my own:



#5

I am sure that it gives A for all tests, and as per the document we need to add CAA only if we use our own SSL cert. My question is whether it’s safe to keep the Cloudflare SSL cert or should we implement our own. The reason I am asking this is that https://cryptoreport.rapidssl.com/checker/views/certCheck.jsp?cn=gokhalemethod.com shows that the certs are DV and “This server uses a Domain Validated (DV) certificate. No information about the site owner has been validated. Data is protected, but exchanging personal or financial information is not recommended.”
As per the text, sharing personal info is not recommended.

If this can’t be solved then maybe we need to use our own SSL cert and configure CAA.

Thanks,
Sadashiv.


#6

CAA stops unauthorized CAs from issuing certificates for your domain. I use Let’s Encrypt, and Cloudflare uses the other three in my example.

Their DV warning is ridiculous. No visitor is going to know the difference between an OV and a DV certificate. The communication with either type of certificate is just as secure.

That being said, I pay the $5 per month for the dedicated SSL certificate here because I don’t like it being a multi-domain certificate. I honestly hadn’t realized it was an OV certificate until I ran that rapidssl test just now.

In any case, you can’t use your own SSL certificate unless you’re on a Business or Enterprise plan. I recommend CAA for anybody who wants to lock down certificate issuance for their domain.

I believe these two steps will be your best bet:

  1. Pay that $5/month for the Cloudflare Dedicated SSL certificate. That will get rid of that DV warning.
  2. Add the CAA records from my example.
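The reply above recommends CAA to lock down which CAs may issue for a domain. The following Python block is an added example, not Cloudflare's or the poster's code: it builds CAA records, encodes and decodes the RFC 8659 wire format, prints the zone-file form you would add, and evaluates the issuance check a CA performs against a constructed sample zone. `letsencrypt.org` is Let's Encrypt's real CAA issuer domain; `ca.example`, `example.com` and the `iodef` mailbox are placeholders.

```python
"""Build, encode and evaluate DNS CAA records (RFC 8659).

Added example for this thread, not Cloudflare's or the poster's code. The
sample zone is constructed: letsencrypt.org is Let's Encrypt's real CAA
issuer domain; "ca.example" stands in for any other CA.
"""
from dataclasses import dataclass
from typing import Dict, List

ISSUER_CRITICAL = 0x80   # flags bit: a CA that does not understand the tag must refuse
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAARecord:
    flags: int
    tag: str
    value: str

    def to_wire(self) -> bytes:
        """RDATA layout: flags (1 byte), tag length (1 byte), tag, value."""
        tag_b = self.tag.encode("ascii")
        return bytes([self.flags, len(tag_b)]) + tag_b + self.value.encode("ascii")

    @classmethod
    def from_wire(cls, data: bytes) -> "CAARecord":
        flags, tag_len = data[0], data[1]
        tag = data[2:2 + tag_len].decode("ascii")
        return cls(flags, tag, data[2 + tag_len:].decode("ascii"))

    def presentation(self) -> str:
        """Zone-file form of the RDATA, e.g. 0 issue "letsencrypt.org"."""
        return f'{self.flags} {self.tag} "{self.value}"'


def zone_file_lines(owner: str, records: List[CAARecord]) -> List[str]:
    """Lines to add to a zone file (or the equivalent records in a DNS UI)."""
    return [f"{owner}. IN CAA {r.presentation()}" for r in records]


# Constructed sample zone: only Let's Encrypt may issue, no CA may issue
# wildcard certificates, and problem reports go to a placeholder mailbox.
SAMPLE_ZONE: Dict[str, List[CAARecord]] = {
    "example.com": [
        CAARecord(0, "issue", "letsencrypt.org"),
        CAARecord(0, "issuewild", ";"),
        CAARecord(0, "iodef", "mailto:security@example.com"),
    ],
}


def relevant_records(zone: Dict[str, List[CAARecord]], name: str) -> List[CAARecord]:
    """RFC 8659 section 3: climb from the name toward the root; the first
    owner that has any CAA records is the relevant set."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        recs = zone.get(".".join(labels[i:]))
        if recs:
            return recs
    return []


def issuance_allowed(zone: Dict[str, List[CAARecord]], name: str, ca_domain: str) -> bool:
    """Would a CA identified by ca_domain be allowed to issue for name?
    Mirrors the check a CA performs before issuance."""
    wildcard = name.startswith("*.")
    recs = relevant_records(zone, name[2:] if wildcard else name)
    if not recs:
        return True            # no CAA anywhere up the tree: issuance is unrestricted
    if any(r.flags & ISSUER_CRITICAL and r.tag not in KNOWN_TAGS for r in recs):
        return False           # critical tag we do not understand: must refuse
    issue = [r for r in recs if r.tag == "issue"]
    issuewild = [r for r in recs if r.tag == "issuewild"]
    # issuewild overrides issue for wildcard names; otherwise issue applies
    applicable = issuewild if wildcard and issuewild else issue
    if not applicable:
        return True            # iodef alone does not restrict issuance
    # value is "issuer-domain [; parameters]"; a bare ";" authorises nobody
    allowed = {r.value.split(";")[0].strip().lower() for r in applicable}
    return ca_domain.lower() in allowed


if __name__ == "__main__":
    for line in zone_file_lines("example.com", SAMPLE_ZONE["example.com"]):
        print(line)
    print(issuance_allowed(SAMPLE_ZONE, "www.example.com", "letsencrypt.org"))
```

The point of the `issuance_allowed` walk is that CAA records on the zone apex cover every subdomain that has none of its own, so one set of records at the apex locks down the whole domain. When Cloudflare issues the edge certificate from its own CAs, as the earlier reply notes, those CAs' issuer domains must be listed too, or the edge certificate cannot be renewed; check the CAA set after every change with `dig CAA example.com` or the SSL Labs report.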

#7

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.