mega may 2024 pattern
mega may - spin to win

MEGAMay’s Spin to Win* Sale is on Now – Up to 70% OFF

100% Australian Owned and OperatedSupport Centre13 24 85Pay an InvoiceLOG IN
supportcentre scaled
Support Centre
Find the answers to your questions and get the support you need with the VentraIP help centre.

SSLv2 SSLv3 TLS1.1 and PCI Compliance

What is SSLv2,  SSLv3 & TLS 1.1?

SSL (Secure Socket Layer) & TLS (Transport Layer Security) are two methods of security that sites and email use to keep your data encrypted and safe, it’s what puts the ‘s’ in https://. When you enter your password into a website not using HTTPS, that password is sent in ‘plain text’ so if anyone intercepts it, they can easily read your data. Encryption is used to keep your password and other details, like credit cards, safe.

What is PCI Compliance?

PCI or Payment Card Industry is the defacto standard used for making sure your servers are secure against data theft and malicious users. While PCI compliance is about protecting customer data and credit card payment information, the same protection can also keep your websites safe from other attacks and hackers. Being PCI Compliant is very important in keeping your data safe, and something we take seriously.

Why is SSLv2/3 & TLS1.1 not compliant?

The main reason is that they are old and very insecure, the most famous issue being an exploit named ‘POODLE‘ found by Google in 2014. SSL shown in a brief timeline:

  • 1995 – SSLv2 was created.
  • 1996 – SSLv3 was released due to security flaws in SSLv2.
  • 1999 – TLS1.0 was defined.
  • 2011 – SSLv2 was prohibited by RFC 6176.
  • 2014 – POODLE was discovered, making SSLv2/SSLv3 insecure.
  • 2015 – SSLv3 was prohibited by RFC 7568.
  • 2015 – April, PCI states that SSLv2/3 & TLS1.0 must be removed by June 2016
  • 2015 – December, PCI extends support until June 2018 given how many devices are on the legacy security.
  • 2018 – SSLv2/3 & TLS1.0 support is prohibited.
  • 2018 – MicrosoftAppleGoogle, and Mozilla  announce TLS 1.1 to be phased out by March 2020

As you can see these security measures are quite old, over 20 years in some cases. As such, it is not up to the task of keeping your data and your clients data safe.

What does this mean for me?

For most customers and users, nothing will change, only a few of our new servers had this allowed and only on select services. However as of the end of November 2018, these were modified and SSLv2/3 & TLS 1.1 has been removed from all of our new servers and services including:

  • Websites
  • Email (POP3/IMAP/SMTP)
  • FTP

Legacy hosting will be modified beginning March 2021, SSLv2/3 & TLS 1.1 will be removed to bring those servers into PCI compliance.

The main known issue that current users will find is combining Windows 7 and Outlook, this is a known issue from Microsoft and one they released a fix for. You will need to add the Key for TLS 1.0 & TLS 1.1, but set the DWORD to 0.

cPanel has also released documentation on how to apply this fix in a more friendly manner.

*We highly recommend not attempting this yourself and to seek help from an onsite support technician. This is not something we can help with.

Another known issue is with using macOS 10.11 or earlier and Mac Mail, unfortunately there is no fix released by Apple for this, you will either need to update your version of macOS or seek out alternative mail software that supports TLS 1.1 and newer.

What if I still need SSLv2/3 or TLS1.1 for my site?

To ensure the safety and security of our other customers data, and to ensure PCI compliance on the new servers, we are unable to allow these old and insecure security measures on the servers.

Is there more information on this?

There are many resources for more information on this change; including:

misc content center scaled