Security Metrics refuse cPanel PCI Compliance
After a long battle with Security Metrics I felt I should share my experience. I work with a UK web host, and have been trying to help a client through their compliance testing.
Security Metrics will no longer allow ANY cPanel server to pass because services like FTP, cPanel, WHM, Webmail are all protected ONLY by the main hostname's SSL certificate and answer on the same IP address as the customer's production domain. Accessing these services via the customer's domain gets an SSL response containing the server's hostname certificate, and not the customer's website domain certificate, which is, according to Security Metrics, a 100% failure.
The only people who would legitimately have the cPanel login details are the customer, and they are not about to log into a service when their browser or FTP client complains of a certificate mismatch. They know full well that they should log into the shared cPanel services using the server's main hostname, and not their website domain.
Security Metrics argue that this provides the environment for MiM attacks. I'm unsure that it does, provided the customer is educated and knows never to continue when a certificate mismatch is found. If they are stupid enough to do that, then they are stupid enough to fall for any attack which can misdirect their DNS to a bogus server (which may, after all, contain a perfectly valid SSL for the customer's domain obtained illicitly).
So, my view at the moment is that Security Metrics are being unreasonable in their interpretation of the PCI standards. But I digress.
There is already a feature request here for SNI to be provided on ALL services offered by cPanel servers:
SSL certificate per domain on all services
cPanel - please take note...
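An added example (not from this thread, cPanel or Security Metrics) of the check the scanner is effectively performing: connect to each cPanel TLS service port using the customer's domain as the SNI name and compare the names in the presented certificate against that domain. The port numbers are cPanel's default TLS ports for these services (assumed here: 2083 cPanel, 2087 WHM, 2096 Webmail); the domain in the usage block is a placeholder.

```python
import socket
import ssl

# cPanel's default TLS ports for the services the scan complains about (assumed defaults).
CPANEL_TLS_PORTS = {"cPanel": 2083, "WHM": 2087, "Webmail": 2096}

def cert_names(cert):
    """DNS names a certificate dict (as returned by ssl.getpeercert()) is valid for."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # no SAN extension: fall back to the subject commonName
        for rdn in cert.get("subject", ()):
            names += [value for key, value in rdn if key == "commonName"]
    return names

def hostname_matches(cert, hostname):
    """True if hostname is covered by the certificate; '*' matches a single label only."""
    hostname = hostname.lower().rstrip(".")
    for name in cert_names(cert):
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            # '*.example.net' covers 'www.example.net' but not 'a.b.example.net' or 'example.net'
            if hostname.count(".") == name.count(".") and hostname.endswith(name[1:]):
                return True
        elif name == hostname:
            return True
    return False

def fetch_cert(host, port, sni, timeout=5.0):
    """Certificate a service presents when the client offers `sni` as the server name.
    The chain is still verified against the system CA store; only the hostname check is
    skipped, because the mismatch is exactly what we want to observe."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert()

def scan_customer_domain(domain):
    """Mimic the compliance scanner: reach each service via the customer's domain and
    report which ones answer with a certificate that does not name that domain."""
    findings = {}
    for service, port in CPANEL_TLS_PORTS.items():
        try:
            cert = fetch_cert(domain, port, domain)
            if hostname_matches(cert, domain):
                findings[service] = "ok"
            else:
                findings[service] = "mismatch: cert names " + ", ".join(cert_names(cert))
        except OSError as exc:  # ssl.SSLError is an OSError: untrusted chain, closed port, timeout
            findings[service] = "unreachable or untrusted: %s" % exc
    return findings

if __name__ == "__main__":
    # Placeholder domain; run it against the customer's production domain being scanned.
    for service, result in scan_customer_domain("www.customer-site.example").items():
        print(service, result)
```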
Hello :) Would instructions on how to disable access to cPanel/WHM/Webmail and force the use of a single URL for access to those services help as a temporary workaround until progress is made on the feature request? Thank you.
1. Have you disputed this with them and provided the alternate acceptable hostname? 2. If a customer is on their own dedicated IP address, you can close cPanel/WHM ports for that IP address with custom CSF/APF syntax, and they can just access those services on the main host IP.
> Hello :) Would instructions on how to disable access to cPanel/WHM/Webmail and force the use of a single URL for access to those services help as a temporary workaround until progress is made on the feature request? Thank you.

Hi Michael - yes, that would be perfect, but I'm unsure how that could work, because the initial SSL connection has to be made against the customer's domain name - so the SSL provider on the server would have to accomplish the rejection?
> 1. Have you disputed this with them and provided the alternate acceptable hostname? 2. If a customer is on their own dedicated IP address, you can close cPanel/WHM ports for that IP address with custom CSF/APF syntax, and they can just access those services on the main host IP.

Disputed until we're blue in the face - but they just dig their heels in deeper. I suppose they have a view that PCI compliance is all there is to security, and that this risk is higher than, oh, say, social engineering. Anyway - Option 2 is looking like the only option.