mondoohq · chris-rock · Dec 15, 2024 · Dec 15, 2024
diff --git a/core/mondoo-tls-security.mql.yaml b/core/mondoo-tls-security.mql.yaml
@@ -4,7 +4,7 @@
 policies:
   - uid: mondoo-tls-security
     name: Mondoo TLS/SSL Security
-    version: 1.4.0
+    version: 1.4.1
     license: BUSL-1.1
     tags:
       mondoo.com/category: security
@@ -31,7 +31,9 @@ policies:
         If you have any suggestions for how to improve this policy, or if you need support, [join the community](https://github.com/orgs/mondoohq/discussions) in GitHub Discussions.
     groups:
       - title: Secure TLS/SSL connection
-        filters: asset.platform == 'host'
+        filters: |
+          asset.platform == 'host'
+          tls.params != empty
         checks:
           - uid: mondoo-tls-security-ciphers-include-aead-ciphers
           - uid: mondoo-tls-security-ciphers-include-pfs
@@ -46,7 +48,9 @@ policies:
           - uid: mondoo-tls-security-no-weak-block-ciphers
           - uid: mondoo-tls-security-no-weak-tls-versions
       - title: Valid TLS/SSL certificate
-        filters: asset.platform == 'host'
+        filters: |
+          asset.platform == 'host'
+          tls.params != empty
         checks:
           - uid: mondoo-tls-security-cert-domain-name-match
           - uid: mondoo-tls-security-cert-is-valid
@@ -59,7 +63,7 @@ policies:
 queries:
   - uid: mondoo-tls-security-cert-domain-name-match
     title: Certificate's domain name must match
-    impact: 80
+    impact: 90
     docs:
       desc: | 
         The domain name in an SSL/TLS certificate must match the hostname it is intended to secure. Mismatched certificates indicate potential misconfigurations or malicious activity. This can lead to user trust issues and browser warnings, causing service interruptions or loss of user confidence.
@@ -81,6 +85,7 @@ queries:
 
   - uid: mondoo-tls-security-cert-is-valid
     title: Certificate is valid
+    impact: 95
     docs:
       desc: |
         Verifies that the SSL/TLS certificate is valid, has not expired, and is trusted by well-known Certificate Authorities (CAs). Ensures that expired or self-signed certificates are flagged.
@@ -94,7 +99,7 @@ queries:
       }
   - uid: mondoo-tls-security-cert-no-cert-expired
     title: Certificate is not near expiration or expired
-    impact: 85
+    impact: 95
     docs:
       desc: |
         Certificates nearing expiration or expired can lead to service interruptions and browser security warnings. This can affect user trust and potentially allow MITM attacks if not addressed promptly.   
@@ -124,7 +129,7 @@ queries:
       }
   - uid: mondoo-tls-security-cert-not-self-signed
     title: Do not use a self-signed certificate
-    impact: 100
+    impact: 85
     docs:
       desc: |
         Self-signed certificates are not trusted by default in browsers or operating systems. They lack authentication from a trusted CA, exposing the service to MITM attacks and reducing user trust.
@@ -134,7 +139,7 @@ queries:
       tls.certificates.last.isCA
   - uid: mondoo-tls-security-cert-not-revoked
     title: Do not use revoked certificates
-    impact: 95
+    impact: 100
     docs:
       desc: |
         Revoked certificates are flagged as compromised or untrustworthy by the CA. Continuing to use them exposes the service to significant security risks and compliance violations.
@@ -200,7 +205,7 @@ queries:
       tls.ciphers.none( /export/i )
   - uid: mondoo-tls-security-no-diffie-hellman-cipher-suites
     title: Avoid anonymous Diffie-Hellman suites
-    impact: 90
+    impact: 95
     docs:
       desc: |
         Anonymous Diffie-Hellman suites lack authentication, allowing attackers to impersonate the server or client. This can lead to man-in-the-middle (MITM) attacks and data compromise.
@@ -246,7 +251,7 @@ queries:
     mql: tls.ciphers.none( /^old/i )
   - uid: mondoo-tls-security-ciphers-include-aead-ciphers
     title: Preferred ciphers must include AEAD ciphers
-    impact: 90
+    impact: 85
     docs:
       desc: |
         AEAD (Authenticated Encryption with Associated Data) ciphers provide both confidentiality and integrity protection, making them a critical component of modern secure communication protocols.
@@ -264,7 +269,7 @@ queries:
     mql: tls.ciphers.any( /ecdhe_(rsa|ecdsa)|dhe_(rsa|dss)|cecpq/i )
   - uid: mondoo-tls-security-mitigate-beast
     title: Mitigate BEAST attacks on the server-side
-    impact: 85
+    impact: 70
     docs:
       desc: |
         BEAST attacks exploit vulnerabilities in SSL/TLS protocols using CBC encryption. This allows attackers to decrypt sensitive data by manipulating block boundaries.