SSLv2 SSLv3 TLS1.0 & PCI Compliance

What is SSLv2, SSLv3 & TLS 1.0?

SSL (Secure Sockets Layer) and TLS (Transport Layer Security) are the protocols that websites and email servers use to keep your data encrypted while it travels over the network; TLS is what puts the 's' in https://.
When you enter your password into a website that is not using HTTPS, that password is sent in plain text, so anyone who intercepts the connection can read it. Encryption keeps your password and other details, such as credit card numbers, confidential in transit.

What is PCI Compliance?

PCI DSS (the Payment Card Industry Data Security Standard) is the standard that the card brands require of anyone who stores, processes or transmits payment card data, and it sets out how servers must be secured against data theft and malicious users. While PCI compliance is about protecting customer data and card payment information, the same controls also help keep websites safe from other attacks. Being PCI compliant is very important in keeping your data safe, and something we take seriously.

Why are SSLv2/3 & TLS 1.0 not compliant?

The main reason is that they are old and have known weaknesses; the most famous is the POODLE attack against SSLv3, published by Google researchers in 2014. TLS 1.0 is only marginally newer, and PCI no longer considers SSL or early TLS to be strong cryptography.
A brief timeline:

  • 1995 – SSLv2 was created.
  • 1996 – SSLv3 was released due to security flaws in SSLv2.
  • 1999 – TLS1.0 was defined.
  • 2011 – SSLv2 was prohibited by RFC 6176.
  • 2014 – POODLE was published, breaking SSLv3 (SSLv2 had long been known to be insecure).
  • 2015 – SSLv3 was prohibited by RFC 7568.
  • 2015 – April, PCI DSS 3.1 states that SSLv2/3 & TLS 1.0 must be removed by June 2016.
  • 2015 – December, PCI extends the deadline to June 2018 because so many devices still rely on the legacy protocols.
  • 2018 – June, SSLv2/3 & TLS 1.0 may no longer be used on PCI compliant systems.

As you can see, these protocols are quite old, over 20 years in some cases. They are no longer up to the task of keeping your data and your clients' data safe.

What does this mean for me?

For most customers and users nothing will change; only a few of our new servers had these protocols enabled, and only on select services. However, as of the end of June 2018 we will be removing SSLv2/3 and TLS 1.0 from all of our new servers and services, including:

  • Websites
  • Email (POP3/IMAP/SMTP)
  • FTP

We will not be removing this from the old legacy hosting; only customers on the 'Starter', 'Freedom' and 'Premier' plans, or resellers on 'Beginner', 'Advanced' and 'Professional', will have their servers modified.
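
Once the protocols are switched off, the check a practitioner wants is to confirm it from the outside on each of the services listed above. The script below is an added example, not the hosting provider's own tooling: it drives openssl s_client with one fixed protocol version per attempt against the web, SMTP, IMAP, POP3 and FTP ports and reports whether each version was accepted. It assumes an OpenSSL 1.1.0 or later client, the port numbers in its service table, and that the OpenSSL messages it matches on are the ones emitted by 1.1.x and 3.x builds.

```shell
#!/bin/sh
# Added example (not the hosting provider's tooling): probe which SSL/TLS
# versions a server still accepts on its web, mail and FTP services.
# Assumes OpenSSL 1.1.0 or newer, whose s_client knows -tls1/-tls1_1/-tls1_2,
# -starttls ftp and cipher security levels. SSLv2 is not probed: OpenSSL
# dropped it in 1.1.0; -ssl3 works only in builds compiled with enable-ssl3.

# classify_handshake <s_client stdout+stderr>
# Reduces s_client's output to one word: accepted, refused, untestable, error.
# The matched strings are OpenSSL's own messages (assumed stable across 1.1.x/3.x).
classify_handshake() {
    case "$1" in
        *"no protocols available"*|*"unsupported protocol"*|*"nknown option"*)
            # The LOCAL OpenSSL declined to offer that version (security level,
            # MinProtocol in openssl.cnf, or no -ssl3 support): server untested.
            echo untestable ;;
        *"alert protocol version"*|*"handshake failure"*|*"wrong version number"*|*"Cipher is (NONE)"*)
            echo refused ;;
        *"Cipher is "*)
            echo accepted ;;
        *)
            echo error ;;   # connection refused, timeout, DNS failure, ...
    esac
}

# verdict <version flag> <classification>
# What is expected after the June 2018 deadline: SSLv3 and TLS 1.0 refused,
# something modern (TLS 1.2) still accepted.
verdict() {
    case "$1 $2" in
        *" untestable"|*" error")          echo UNKNOWN ;;
        "-ssl3 accepted"|"-tls1 accepted") echo FAIL ;;   # legacy version still offered
        "-tls1_2 refused")                 echo FAIL ;;   # nothing modern to fall back to
        *)                                 echo OK ;;
    esac
}

# probe_version <host> <port> <version flag> [starttls protocol]
probe_version() {
    host=$1; port=$2; flag=$3; starttls=$4
    # @SECLEVEL=0 makes a modern OpenSSL willing to offer SSLv3/TLS 1.0 at all;
    # without it OpenSSL 3.x reports "no protocols available" (untestable).
    set -- openssl s_client -connect "$host:$port" -servername "$host" \
           "$flag" -cipher 'DEFAULT:@SECLEVEL=0'
    [ -n "$starttls" ] && set -- "$@" -starttls "$starttls"
    out=$("$@" </dev/null 2>&1) || true   # a non-zero exit on refusal is expected
    classify_handshake "$out"
}

# probe_all <host>: every service on its conventional port. Adjust the table
# to your server; for implicit-TLS ports (465/993/995) use "-" for no STARTTLS.
probe_all() {
    target=$1
    for svc in "https 443 -" "smtp 587 smtp" "imap 143 imap" "pop3 110 pop3" "ftp 21 ftp"; do
        set -- $svc            # unquoted on purpose: split "name port starttls"
        name=$1; port=$2; starttls=$3
        [ "$starttls" = "-" ] && starttls=""
        for flag in -ssl3 -tls1 -tls1_1 -tls1_2; do
            result=$(probe_version "$target" "$port" "$flag" "$starttls")
            printf '%-5s %5s %-8s %-10s %s\n' "$name" "$port" "$flag" "$result" "$(verdict "$flag" "$result")"
        done
    done
}

# Usage: sh tlsprobe.sh mail.example.com   (no argument: only defines the functions)
if [ "$#" -ge 1 ]; then
    probe_all "$1"
fi
```

A compliant server shows refused for -ssl3 and -tls1 and accepted for -tls1_2. An untestable result means your own OpenSSL would not even offer that version, so it says nothing about the server; rerun from a build that can, rather than reading it as a pass.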

The main known issue current users will find is old versions of Outlook on older Windows releases, where TLS 1.1 and TLS 1.2 exist but are disabled by default for client connections. This is a known issue that Microsoft has documented a registry fix for.
The change is made under the Schannel Protocols key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols): add TLS 1.1\Client and TLS 1.2\Client subkeys, and in each set the DisabledByDefault DWORD value to 0 (Microsoft's guidance also sets Enabled to 1). Windows reads these values at boot, so a restart is needed before Outlook will offer the newer versions.
*We strongly recommend not attempting this yourself; ask an on-site support technician to do it. This is not something our support team can help with.

What if I still need SSLv2/3 or TLS1.0 for my site?

To protect our other customers' data, and to keep the new servers PCI compliant, we are unable to allow these old and insecure protocols on them. If you require these prohibited, non PCI compliant protocols, you can contact our support team and request a downgrade to our legacy hosting servers. Those servers are more than capable of hosting websites and email, but their performance is quite far behind the new servers, so you will be sacrificing performance in order to keep the deprecated protocols.

Is there more information on this?

There are many resources with more information on this change, including:

The PCI Standards Council site:

The actual PCI Compliance standards:

Comodo’s information on removing it:

Tenable's thorough explanation of why SSLv2/3 & TLS 1.0 are no longer compliant: