SSLv2 SSLv3 TLS1.1 and PCI Compliance
What is SSLv2, SSLv3 & TLS 1.1?
SSL (Secure Socket Layer) & TLS (Transport Layer Security) are two methods of security that sites and email use to keep your data encrypted and safe, it’s what puts the ‘s’ in https://. When you enter your password into a website not using HTTPS, that password is sent in ‘plain text’ so if anyone intercepts it, they can easily read your data. Encryption is used to keep your password and other details, like credit cards, safe.
What is PCI Compliance?
PCI or Payment Card Industry is the defacto standard used for making sure your servers are secure against data theft and malicious users. While PCI compliance is about protecting customer data and credit card payment information, the same protection can also keep your websites safe from other attacks and hackers. Being PCI Compliant is very important in keeping your data safe, and something we take seriously.
Why is SSLv2/3 & TLS1.1 not compliant?
The main reason is that they are old and very insecure, the most famous issue being an exploit named ‘POODLE‘ found by Google in 2014. SSL shown in a brief timeline:
- 1995 – SSLv2 was created.
- 1996 – SSLv3 was released due to security flaws in SSLv2.
- 1999 – TLS1.0 was defined.
- 2011 – SSLv2 was prohibited by RFC 6176.
- 2014 – POODLE was discovered, making SSLv2/SSLv3 insecure.
- 2015 – SSLv3 was prohibited by RFC 7568.
- 2015 – April, PCI states that SSLv2/3 & TLS1.0 must be removed by June 2016
- 2015 – December, PCI extends support until June 2018 given how many devices are on the legacy security.
- 2018 – SSLv2/3 & TLS1.0 support is prohibited.
- 2018 – Microsoft, Apple, Google, and Mozilla announce TLS 1.1 to be phased out by March 2020
As you can see these security measures are quite old, over 20 years in some cases. As such, it is not up to the task of keeping your data and your clients data safe.
What does this mean for me?
For most customers and users, nothing will change, only a few of our new servers had this allowed and only on select services. However as of the end of November 2018, these were modified and SSLv2/3 & TLS 1.1 has been removed from all of our new servers and services including:
- Email (POP3/IMAP/SMTP)
Legacy hosting will be modified beginning March 2021, SSLv2/3 & TLS 1.1 will be removed to bring those servers into PCI compliance.
The main known issue that current users will find is combining Windows 7 and Outlook, this is a known issue from Microsoft and one they released a fix for. You will need to add the Key for TLS 1.0 & TLS 1.1, but set the DWORD to 0.
cPanel has also released documentation on how to apply this fix in a more friendly manner.
*We highly recommend not attempting this yourself and to seek help from an onsite support technician. This is not something we can help with.
Another known issue is with using macOS 10.11 or earlier and Mac Mail, unfortunately there is no fix released by Apple for this, you will either need to update your version of macOS or seek out alternative mail software that supports TLS 1.1 and newer.
What if I still need SSLv2/3 or TLS1.1 for my site?
To ensure the safety and security of our other customers data, and to ensure PCI compliance on the new servers, we are unable to allow these old and insecure security measures on the servers.
Is there more information on this?
There are many resources for more information on this change; including: