SSL v2 or V3


neobaby
01-26-2009, 02:48 AM
What does the PCI actually say about SSL? As part of the PCI DSS audit procedures, not as a requirement but as an explanation, it is mentioned that any version other than SSL v3 is vulnerable (document name: navigating_pci_dss_v1-1, part 4.1). But the standard does not say anything about version.

With regard to the PCI DSS scan, it is mentioned in the document pci_dss_technical_and_operational_requirements_for_approved_scanning_vendors_ASVs_v1-1:

The following exceptions or clarifications apply:
• A component must be considered non-compliant if the installed
SSL version is limited to Version 2.0, or older. SSL must be a
more recent version than 2.0.

What do the above two mean? Can I have a system in which mixed mode is enabled on the web server (v2 and v3) and it will be fine, or does only SSL v3 need to be enabled to be compliant? Or is it that I will be non-compliant only if v2 and v1 alone are enabled?

Thanks for the replies

jbhall56
01-26-2009, 05:33 AM
Your Web site needs to use SSL v2.0 or greater with 128-bit or greater encryption strength. Sometimes wording of the requirements is not the best.

derra
01-27-2009, 04:15 AM
I don't agree. You should use SSL v3, 128-bit or stronger.

SSL v2 is vulnerable and should not be used. I also think that if you use SSL v2 the CVSS v2 score is 4 or higher and should result in non-compliance for that device (it is also one of the exceptions that should result in non-compliance even with a lower CVSS score).


So only SSL v3 should be used.

derra
01-27-2009, 04:40 AM
Pretty funny, but I got this mail from Qualys just 10 min after I posted the first one.

Important changes to PCI Scanning Requirements regarding SSLv2
Dear Customer,
A recent PCI DSS requirement clarification from the PCI Council now mandates that all Approved Scanning Vendors (ASVs) detect the use of older cryptographic protocols and identify this as a failure to PCI scans. Specifically, the PCI Council stated “it is imperative that an ASV identify the use of SSL 2.0 to transmit cardholder data as a failure.” Note that the PCI Council doesn’t view this as a new requirement but a clarification to an existing requirement in the ASV scanning guidelines. The PCI Council also clarified that “the merchant can enable SSL 2.0 or older for an initial handshake only to identify that the browser requires to be updated.”
QualysGuard QID38592 (Server Supports SSLv2 Protocol Only) already fails the PCI scan if detected. In light of this clarification, any PCI scans completed after February 1, 2009 will also fail if QID38139 (SSL Server Has SSLv2 Enabled Vulnerability) is detected.
In order to resolve these failures for PCI compliance, it is recommended that you discontinue the use of SSLv2 on all systems within the PCI scope. However if you can’t phase out the use of SSLv2, then you can submit a false positive request for these particular issues from within the QualysGuard PCI application or via Qualys support. The false positive request must state that the discovered SSLv2 connection does not transmit any cardholder data. Qualys’ Support team will review, test and approve such requests in order for you to pass PCI compliance.
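Added example (my own code, not something from this thread, from Qualys or from the PCI Council) of the check that the ASV requirement quoted above and the Qualys mail describe: send a CLIENT-HELLO that offers SSL 2.0 and nothing else, and treat an SSLv2 SERVER-HELLO coming back as proof that SSLv2 is enabled, whether or not v3 is also on (neobaby's "mixed mode" case). The host and port are whatever you point it at; the server reply used for the offline check is constructed, with placeholder certificate bytes.

```python
"""Probe a port for SSL 2.0 support by sending a pure SSLv2 CLIENT-HELLO.

Added example, not Qualys' or the PCI Council's code. The server reply used
for the offline check is constructed (placeholder certificate bytes).
"""
import os
import socket
import struct
import sys
from dataclasses import dataclass, field
from typing import List

# SSL 2.0 CIPHER-KIND codes (3 bytes each) as defined in the SSL 2.0 specification.
SSLV2_CIPHER_KINDS = {
    b"\x01\x00\x80": "SSL_CK_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL_CK_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL_CK_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL_CK_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}
SSLV2_CLIENT_HELLO = 0x01
SSLV2_SERVER_HELLO = 0x04
TLS_ALERT_CONTENT_TYPE = 0x15


@dataclass
class ProbeResult:
    sslv2_enabled: bool
    ciphers: List[str] = field(default_factory=list)
    note: str = ""


def build_sslv2_client_hello(challenge: bytes = b"") -> bytes:
    """Return a complete SSLv2 record carrying a CLIENT-HELLO for version 2.0 only."""
    challenge = challenge or os.urandom(16)
    ciphers = b"".join(SSLV2_CIPHER_KINDS)
    body = (bytes([SSLV2_CLIENT_HELLO])
            + b"\x00\x02"                        # CLIENT-VERSION 2.0, nothing higher offered
            + struct.pack(">HHH", len(ciphers), 0, len(challenge))  # no session id
            + ciphers + challenge)
    # Two-byte record header: high bit set, 15-bit length, no padding byte.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_server_response(data: bytes) -> ProbeResult:
    """Decide from the first bytes the server sent back whether it spoke SSLv2."""
    if not data:
        return ProbeResult(False, note="connection closed without a reply")
    if data[0] == TLS_ALERT_CONTENT_TYPE:
        return ProbeResult(False, note="TLS alert record: server refused the SSLv2 hello")
    if not data[0] & 0x80 or len(data) < 2:
        return ProbeResult(False, note="reply is not an SSLv2 record")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    # SERVER-HELLO layout: type(1) session-id-hit(1) cert-type(1) version(2)
    #                      cert-len(2) cipher-specs-len(2) connection-id-len(2) ...
    if len(body) < 11:
        return ProbeResult(False, note="truncated SSLv2 record")
    if body[0] != SSLV2_SERVER_HELLO:
        return ProbeResult(False, note="SSLv2 message type 0x%02x is not SERVER-HELLO" % body[0])
    cert_len, cipher_len, _conn_id_len = struct.unpack(">HHH", body[5:11])
    specs = body[11 + cert_len:11 + cert_len + cipher_len]
    ciphers = [SSLV2_CIPHER_KINDS.get(specs[i:i + 3], specs[i:i + 3].hex())
               for i in range(0, len(specs) - len(specs) % 3, 3)]
    return ProbeResult(True, ciphers, note="server answered with an SSLv2 SERVER-HELLO")


def probe_sslv2(host: str, port: int = 443, timeout: float = 5.0) -> ProbeResult:
    """Connect, send the SSLv2-only hello and classify whatever comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return parse_server_response(reply)


def constructed_sslv2_server_hello() -> bytes:
    """Hand-built SERVER-HELLO (constructed sample, placeholder cert bytes) for offline checks."""
    cert = b"\x30\x82\x01\x00"                     # not a real certificate
    specs = b"\x01\x00\x80" + b"\x07\x00\xc0"      # RC4-128-MD5 and 3DES-MD5 accepted
    conn_id = bytes(range(16))
    body = (bytes([SSLV2_SERVER_HELLO]) + b"\x00" + b"\x01" + b"\x00\x02"
            + struct.pack(">HHH", len(cert), len(specs), len(conn_id))
            + cert + specs + conn_id)
    return struct.pack(">H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("usage: sslv2_probe.py HOST [PORT]")
        sys.exit(2)
    result = probe_sslv2(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    print("SSLv2 enabled:", result.sslv2_enabled, "-", result.note)
    for name in result.ciphers:
        print("  ", name)
```

A server with SSLv2 switched off either answers with a TLS alert or just closes the socket, and the probe reports SSLv2 as not enabled. It speaks the raw record format because `openssl s_client -ssl2` is no longer an option: SSLv2 support was removed from OpenSSL in 1.1.0. On Apache with mod_ssl, the change the Qualys mail asks for is `SSLProtocol all -SSLv2` in the HTTPS virtual host (assumption: Apache; other servers have an equivalent switch).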

jbhall56
01-27-2009, 04:59 AM
Interesting indeed.

While I agree that SSL v2 should be avoided if possible, the absolute banning of SSL v2 had not been decreed until now. And while current browsers support SSL v3, there are still a lot of people that are on older browsers that only support SSL v2.

Merchants are loath to alienate customers because of technological issues. So it will be interesting to see how stopping the use of SSL v2 goes over. I know we had big issues getting banks to only allow SSL v2 when it first came out, so I'm sure we'll see issues with this conversion as well.

andrewj
01-27-2009, 09:57 PM
SSL 3 has been published as an RFC since 1996 (see http://www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt ). It has been supported in browsers since subversions of Netscape 3 and IE 3.

So, anyone running Win95 (or its MAC / *nix peer) or above should be able to use SSL 3.

neobaby
01-27-2009, 10:05 PM
Thanks a lot for all the feedback. To add to what we have all stated, we got confirmation from our ASV that enabling SSL v2 will be considered non-compliant from February 2009 onwards.

We have conducted an internal review to see the number of customers who actually access our Internet banking website with SSL v2, and we found it is less than 2%.

Also, as one of the analysts replied, we don't display full credit card numbers on our Internet banking website, and as such there is no full PAN information passing across this SSL v2 link, so we can apply for a "false positive".

Definitely we will be moving to full SSL v3, but considering the number of customers, 2% will be very high.

lyalc
01-28-2009, 01:36 AM
Off topic, but:
Given there is no discernible cost difference between SSL2 and SSL3, same algorithm, what possible rationale could there be to use a practically unsupported code base for an old standard that has a number of well documented security limitations?

Browsers since ~1997 have supported SSL2 - even Server Gated Crypto certificates are no longer needed (although they are marketed at a price premium).

I can only imagine it means an unpatched legacy code base from the 1990s.

Just curious.

lyalc

jbhall56
01-28-2009, 05:21 AM
SSL 3 has been published as an RFC since 1996 (see http://www.mozilla.org/projects/security/pki/nss/ssl/draft302.txt ). It has been supported in browsers since subversions of Netscape 3 and IE 3.

Yes the RFC has been around a long time, but that doesn't mean anyone necessarily adopted it at that time or any time soon after. Remember, there was a lot more to SSL v3 than just a different client model, there were also server side changes and infrastructure changes that were not as simple as they appear on their face.

And while it might have been supported around IE3, I didn't think SSL v3 was actually included with IE until IE5 at the earliest which would put it in the late WinME, Win2K timeframe. Remember, Mozilla around this time was losing big time to Microsoft in the browser wars, so just because they had a good idea didn't mean it got adopted outside their sphere of influence until Microsoft decided to use it.

And for people with an older system, there's the whole issue of getting people to install something into their browser from a third party. Remember, we're talking about non-technical people here that have difficulty with Windows Update, let alone something non-Microsoft. So, if they are still on Windows 95/98 or original Windows ME (and a lot of people still are - that's why botnets are so successful), that is where you have the problem.

rx.jeff
02-06-2009, 05:34 AM
Is there any reason why my Chase Visa account is still showing full CC# on my PDF statements? I'm assuming it would be on the regular mailing statements that they snail mail out too (I put a stop to the mailings ever since I first saw that).

Someone needs a good spanking at Chase.

jbhall56
02-06-2009, 05:56 AM
Is there any reason why my Chase Visa account is still showing full CC# on my PDF statements? I'm assuming it would be on the regular mailing statements that they snail mail out too (I put a stop to the mailings ever since I first saw that).

This is probably the first thing that the PCI process will get changed in the financial institution industry.

The reason this has not been addressed is that financial institutions' software developers and financial institution software vendors have had their hands full the last few years dealing with all of the new fraud detection initiatives that were enacted. So removing checking/savings account and credit card numbers from statements and other documents has been last on the list.

I've discussed this problem with a lot of community banks and credit unions with which I work. They would love to get rid of this information but their problem is that they are waiting on their software vendors to provide the capability for masking or truncating this information.

And it's not just financial institutions. Look at your insurance statement and the VINs and other sensitive information that gets displayed on statements. This is why mail theft is so lucrative. Statements contain virtually everything you need for identity theft.

Another area I have concerns about is Internet banking. If you look at the screens when you are investigating your account, a lot of these solutions also display full account numbers. Why do they need to do this? I've recommended to clients that they work to have this information masked and that a separate logon or authentication be required to view this information if the customer needs to look at it.

Financial institution regulators are just now starting to focus on getting all unnecessary personally identifiable information (PII) removed from documents where it is not needed. But other industries need to review the PII they have and redact or mask it so that it cannot be used.

Unfortunately, this will take time to get resolved.

My recommendation in the meantime would be to:

Voice your concerns with your financial institution's customer service area;
Make sure you don't leave statements and other sensitive documents lying around; and
Shred any sensitive documents in a good cross-cut shredder.

nyquilusa
02-11-2009, 10:56 AM
Out of curiosity, what error messages will people see if they're using an old web browser that supports only SSLv2, and they're trying to use a site that no longer supports it?

Zoom3r
02-11-2009, 01:19 PM
Out of curiosity, what error messages will people see if they're using an old web browser that supports only SSLv2, and they're trying to use a site that no longer supports it?

You should just get the typical 'The page cannot be displayed'... I believe you can test it in IE by going to your Internet Options, Advanced tab, DESELECTING SSL 3.0 and TLS 1.0 and SELECTING SSL 2.0 only. Then go to the site to test.

Hope this helps.

jbhall56
02-11-2009, 04:35 PM
Out of curiosity, what error messages will people see if they're using an old web browser that supports only SSLv2, and they're trying to use a site that no longer supports it?

That's implying that you get the error message. A lot of Web sites will support SSL v2 for backward compatibility just so that customers are not inconvenienced. Just another of one of those realities of the real world.

Zoom3r
02-12-2009, 08:09 AM
That's implying that you get the error message. A lot of Web sites will support SSL v2 for backward compatibility just so that customers are not inconvenienced. Just another of one of those realities of the real world.

Very true... Security is always a practice of Convenience VS Inconvenience.

So for web merchants out there, think about this... you're going to be inconveniencing maybe 2% (according to previous posts; that seems high to me?) of users by having them upgrade their browser. In my eyes you're doing them a favor by making them more secure.

It's just time to put SSLv2 to rest.
JMHO
Zoom3r