It’s time to move away from SSL and early TLS – are you ready?

Author: Simon Fletcher

Date: 5th December 2018

In 2015, the PCI Security Standards Council announced that all organisations still using Secure Sockets Layer (SSL) or early Transport Layer Security (TLS) protocols needed to move away from these to TLSv1.2 or higher before 30th June 2018.

If you’re a merchant, or work with payment partners in any way, you’ll be well aware that SSL and early TLS are no longer seen as secure forms of encryption for organisations handling payment card data, with many serious vulnerabilities uncovered in past years.

However, even with the deadline looming, some organisations are still unsure of how best to transition from SSL and early TLS.

On paper, the steps that businesses need to take are simple – have a migration plan, implement this plan, and maintain regular testing to ensure continued compliance – but for those looking to make the move quickly, these measures can be unclear.

To help, we’ve put together a short guide with some advice on how to best make the move.

Running on Windows?

Firstly, ensure that you’re running an up-to-date operating system. Not only is this more secure, but more recent operating systems – including Windows 8 and later – support TLS 1.2 as a default.

However, many older Microsoft operating systems – including those that preceded Windows Server 2012 and Windows 8 – don’t support TLS 1.2 as a default. Therefore, to disable earlier TLS protocols, you’ll need to modify the configuration from the default setting by making changes within the registry, and then rebooting the system.

Open up the registry (RegEdit) and browse to:

Computer > HKLM > System > CurrentControlSet > Control > SecurityProviders > SCHANNEL > Protocols

In the registry set “Enabled” to equal 0 under the specific sub-key for the protocol you want to disable. For example, the following registry settings will disable SSL 3.0.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]

To enable TLS 1.2 in older Windows releases you’ll need to set “Enabled” to equal 1 and set “DisabledByDefault” to 0 under the TLS 1.2 sub-key. For example:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client] "Enabled"=dword:00000001 "DisabledByDefault"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server] "Enabled"=dword:00000001 "DisabledByDefault"=dword:00000000

Running open source?

Luckily, the most frequently used open source web servers have made it easy to update your TLS settings. For Apache, Nginx, Lighttpd, HAProxy or AWS ELB Mozilla, the Mozilla SSL Configuration Generator is a useful tool to help with the secure configuration of your web server.

If you’d prefer to configure your web server manually, there are also straightforward steps that you can take to do this.

For Nginx web servers: open the Nginx configuration file for the relevant site and change the ‘ssl_protocols’ parameter to “TLSv1.2”, as in the below:
ssl_protocols TLSv1.2;
For Apache web servers: open the Apache configuration file for the relevant site and change the ‘ssl_protocols’ parameter to “TLSv.1.2”, as in the below:
SSLProtocol all –SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Making the move to TLSv1.2 doesn’t have to be complex, and it can tie in to wider security best practice, such as keeping your operating system up to date.

However, PCI DSS compliance doesn’t stop with updating these protocols – organisations handling payment card data are frequently targeted by attackers, so it’s vital to keep up regular testing of your systems so that you’re aware of any potential weaknesses in your defences.

To find out more about how we can help, take a look at our penetration testing services.

Other resources

Cyberfort Colocation Services

Cyberfort has invested heavily in secure infrastructure, making us the perfect colocation service provider to host your mission-critical, sensitive and regulated data.
Find out more >

What can Cyberfort do for you?

Check out our factsheets for detailed information on the matrix of cybersecurity products and services we offer to protect your business.
Find out more >

Cyberfort Deep Dives

Cyberfort’s cybersecurity consultants explore issues in cyber threat intelligence, incident planning and data security. Read our whitepapers to help make decisions that benefit your business.
Find out more >

Cookie Name	Expiration Time	Description
_ga	2 years	Used to distinguish users.
_gid	24 hours	Used to distinguish users.
_gat	1 minute	Used to throttle request rate. If Google Analytics is deployed via Google Tag Manager, this cookie will be named _dc_gtm_<property-id>.

_gac_<property-id>	90 days	Contains campaign related information for the user. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out.
__hstc	13 months	The main cookie for tracking visitors.
hubspotutk	13 months	This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when deduplicating contacts.
__hssc	30 minutes	This cookie keeps track of sessions.
__hssrc	End of session	Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser.

It’s time to move away from SSL and early TLS – are you ready?

Author: Simon Fletcher

Date: 5th December 2018

Running on Windows?

Running open source?

Other resources

Cyberfort Colocation Services

What can Cyberfort do for you?

Cyberfort Deep Dives

Recent Posts

Recent Comments

Archives

Categories

Meta