Mar 23rd, 2015

How to get rid of all those pesky mediums…

I’m being slightly disingenuous here, but it often occurs to me that there would be a very quick way to get rid of the vast majority of medium severity vulnerabilities generated by scanners… Disable HTTPS and revert everything to clear text.

At one stroke you get rid of SSLv2, SSLv3, weak ciphers, RC4, FREAK, BEAST, Heartbeat, CRIME, etc., etc. Not only that, but you free yourself from the numerous new vulnerabilities that seem to be discovered on an almost daily basis. You don’t have to worry about mixed content, or expiring certificates, or perfect forward secrecy or anything else, and as far as many scanners are concerned you exchange sundry medium-rated encryption findings for one low finding, ‘use of unencrypted protocol’. In fact I don’t think that Nessus even reports the latter as a finding at all.

So, as I said, I am somewhat joking, and I don’t question the value of encryption, but in my estimation too much emphasis (and severity) is being placed on ever more obscure encryption-related findings which, in the real world outside state-sponsored activity and some very high-end operations, are very unlikely to actually be exploited.

So rather than wasting the customer’s time (and ours) writing up all these different encryption-related findings every time, we would be better off with a generic comment, “Use encryption and get your web server SSL settings up to date”, and move on. I’d be prepared to bet that in the normal run of things many, many more systems are compromised by someone clicking on a dodgy link in an email than ever were through any of the variants on weak encryption.

I’d also in general question why so many findings have CVSS ratings set to medium severity.

