I just spent two effortful days getting my Secure Server to pass the PCI DSS. The big problem is the BEAST vulnerability. And it's a corker. What you have to do to get your certification is disable most of the strong crypto that you accept and only accept some of the weaker ones (a bit of research on the web will give you that info).
Having done that, and gotten my certification renewed, my QA told me that some of the big banks haven't passed the PCI DSS tests. So, naturally, I did my own test. The site I tested (and it's a biggie) seems to be vulnerable to MITM attacks. So here's a freebie to any journos reading this list. Choose a few banks, give their Secure Server domain name to a PCI DSS testing facility, and see if they pass the standard test. But only do that if it's legal to do so in the place where you live.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
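The BEAST finding the post is wrestling with boils down to one configuration condition: CBC-mode cipher suites reachable over TLS 1.0 (or SSLv3). The following is an added example, not code from the post or the list; it checks a local `ssl.SSLContext` for exactly that condition, offline, and contrasts the TLS 1.0 floor of the era with a TLS 1.2 / AEAD-only floor. It does not model the RC4-preference workaround the post alludes to. It assumes an `ssl` module built against OpenSSL 1.1.0 or later (for the `aead`, `symmetric` and `protocol` keys that `get_ciphers()` returns); the `SAMPLE_CIPHERS` list is constructed test data in that shape.

```python
"""Added example, not from the original post: an offline check for the
condition a PCI scan's BEAST test looks for, namely CBC-mode cipher suites
negotiable over TLS 1.0 (or SSLv3).  BEAST relies on TLS 1.0's chained CBC
IVs; TLS 1.1+ use an explicit IV per record, and AEAD suites (GCM,
CHACHA20-POLY1305) are not CBC at all.  Only ssl.SSLContext is inspected;
no handshake is made.  Assumes an OpenSSL 1.1.0+ build of the ssl module
(for the 'aead', 'symmetric' and 'protocol' keys in get_ciphers())."""
import ssl
import warnings

# Suites that OpenSSL reports with these 'protocol' strings can be negotiated
# at TLS 1.0; TLSv1.2-only and TLSv1.3 suites cannot, whatever the floor is.
TLS10_NEGOTIABLE = {"SSLv3", "TLSv1", "TLSv1.0"}

# Constructed sample data in the shape of SSLContext.get_ciphers() entries.
SAMPLE_CIPHERS = [
    {"name": "AES128-SHA", "protocol": "SSLv3", "aead": False, "symmetric": "aes-128-cbc"},
    {"name": "ECDHE-RSA-AES128-SHA", "protocol": "TLSv1", "aead": False, "symmetric": "aes-128-cbc"},
    {"name": "ECDHE-RSA-AES256-SHA384", "protocol": "TLSv1.2", "aead": False, "symmetric": "aes-256-cbc"},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "aead": True, "symmetric": "aes-128-gcm"},
    {"name": "RC4-SHA", "protocol": "SSLv3", "aead": False, "symmetric": "rc4"},
]


def is_cbc(cipher):
    """True if the suite encrypts records in CBC mode."""
    if cipher.get("aead"):
        return False
    sym = cipher.get("symmetric")
    if sym:
        # e.g. 'aes-128-cbc', 'des-ede3-cbc'; 'rc4' is a stream cipher
        return sym.endswith("-cbc")
    # Fallback on the OpenSSL suite name: not AEAD and not a stream/null
    # cipher means CBC for every suite OpenSSL ships.
    name = cipher["name"].upper()
    return not any(tag in name for tag in ("GCM", "CCM", "CHACHA20", "RC4", "NULL"))


def beast_exposure(min_version, ciphers):
    """Names of CBC suites a client can reach at TLS 1.0 given the server's
    protocol floor; an empty list means the BEAST check has nothing to flag."""
    if min_version >= ssl.TLSVersion.TLSv1_1:
        return []  # TLS 1.0 is never negotiated, so CBC suites are safe from BEAST
    return [c["name"] for c in ciphers
            if is_cbc(c) and c.get("protocol", "SSLv3") in TLS10_NEGOTIABLE]


def audit_context(ctx):
    """Apply the check to a real ssl.SSLContext without connecting anywhere."""
    return beast_exposure(ctx.minimum_version, ctx.get_ciphers())


def legacy_context():
    """The BEAST-era shape: a TLS 1.0 floor with CBC suites on offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)  # TLSv1 is deprecated in 3.10+
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers("ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA")
    return ctx


def hardened_context():
    """The current fix: no pre-1.2 protocol and AEAD-only suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("legacy", legacy_context()), ("hardened", hardened_context())):
        print(f"{label}: floor={ctx.minimum_version.name} exposed={audit_context(ctx)}")
```

The check deliberately keys on the protocol floor rather than on the cipher list alone: a CBC suite such as ECDHE-RSA-AES256-SHA384 is harmless against BEAST because it cannot be negotiated below TLS 1.2, while the same AES-CBC construction in ECDHE-RSA-AES128-SHA is flagged when TLS 1.0 is still accepted. Note that on OpenSSL 3 builds a TLS 1.0 floor may be set but not actually negotiable at the default security level, so a scanner's verdict can differ from what the configuration alone suggests.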