Background:
As of July 1, 2018, SSL/early TLS should not be used as a security control to meet PCI DSS requirements. This is an industry-wide mandate defined by the Payment Card Industry Data Security Standard (PCI DSS). TLS v1.1 or higher is a more secure protocol that protects your business and your customers. For more information regarding this industry mandate, see the Reference Links at the end of this article, or view this video.
If you have previously submitted a scan dispute with a Risk Mitigation and Migration Plan for addressing SSL/early TLS, you have acknowledged that your business uses the SSL or early TLS controls and agreed to update them by the June 30, 2018 deadline. Beginning July 1, 2018, a Risk Mitigation and Migration Plan will not prevent a failing scan.
Video: SSL/Early TLS – High Level Overview
How to identify if you are using SSL/Early TLS:
- Navigate to the Portal and log in to your account.
  - You can use the "I forgot my username/password" links if you need a reminder of your login credentials.
- At the dashboard, select "Scanning" from the toolbar.
  - You will see the results of your most recent scan in the main screen.
- Review the IP address/URL being scanned to ensure it is correct and up-to-date for your payment environment.
- Click on each vulnerability to learn if SSL/early TLS is listed as a compliance issue. These will be listed as one of the following:
  - SSLv3 Supported
  - TLSv1.0 Supported
  - SSL version 3 protocol padding-oracle attack (POODLE)
- You can also download the scan report in PDF format.
- For each of these that were flagged on your scan, find the port number, note it down, and see the guidance about next steps. (Your portal view may have a slightly different look depending on your program.)
If you have SSL/Early TLS vulnerabilities:
Eliminating SSL/Early TLS can seem complicated, but like any problem just take it step by step.
The first step is to figure out what systems or applications are using SSL/Early TLS. Depending on how your network is set up, the issue could be in one or more places.
The scan report will tell you where SSL/early TLS is being used, by telling you which port we have found this vulnerability on.
Below we have listed some common sources of the problem. Note that these may not exactly match what you see in the report or in your network configuration. Your systems probably do not use all of the ports listed, and they might use other ports.
Guidance By Port
Video: Finding the port number (Your portal view may have a slightly different look depending on your program.)
When you are scanning a domain (website):
- Port 443: your hosted website allows connections using SSL/Early TLS. Work with your hosting provider to have SSL/Early TLS disabled.
When you are scanning an IP address (physical location):
The ports listed below are most often used by the devices or applications listed. For advice about each type of device, click the device name link to go to the section below.
If the port is not on the list, see the Port Not Listed section.
| Port | Device or application |
|---|---|
| 21 | FTP |
| 25 | Email |
| 80 | Web/admin |
| 110 | Email |
| 143 | Email |
| 443 | Web/admin |
| 465 | Email |
| 587 | Email |
| 3389 | RDP |
| 4433 | Web/admin |
| 8000 | DVR/Camera |
| 8080 | Web/admin or DVR/Camera |
| 8443 | Web/admin |
| 10443 | DVR/Camera |
| 20443 | DVR/Camera |
| 30443 | DVR/Camera |
| 60443 | DVR/Camera |
| 50001 | Cable or DSL modem |
| 60001 | Cable or DSL modem |
- Web Admin: This is usually the administration web page of a modem or router on the premises. The suggested action is to log in to that device and turn off access to the admin page from the "WAN" or Internet side. You can usually leave access open from the Local Area Network (LAN) and USB ports.
  - If your internet service provider (ISP) owns or manages the modem, they may opt to put a firewall behind it. Note: Once the firewall is implemented, your scans may still fail. In these situations, you may need to submit a dispute to address the failing.
- Cable/DSL Modem: This is likely a maintenance port of a cable modem or DSL modem on the premises. The suggested action is to log in to that device and turn off access to the admin page from the "WAN" or Internet side. You can usually leave access open from the Local Area Network (LAN) and USB ports.
  - If your internet service provider (ISP) owns or manages the modem, they may opt to put a firewall behind it. Note: Once the firewall is implemented, your scans may still fail. In these situations, you may need to submit a dispute to address the failing.
- Email: These ports are used by email servers. If the scan finds SSL vulnerabilities on these ports, then there is likely an email server on your network. If you have a business need for this email server, you must update it to disable SSL/Early TLS. Usually you can do this by updating the server settings. You might need to update the software. For assistance with some common software, see the links below (external sites):
- Remote Desktop Protocol (RDP): This port is almost always a remote login for Microsoft Windows computers. If this port is detected, then most likely your router is configured to allow access from the internet to a specific computer inside the network. The easiest and most secure action is to block the port. However, before blocking the port you should find out if it is needed by a remote IT management resource. If the port needs to be open for business reasons, you will need to apply some Windows Updates to the Windows system(s), and make changes in the Windows Registry to disable SSL/Early TLS.
  - NOTE: Unless multifactor authentication is enabled, running remote connectivity services (such as Remote Desktop and/or VNC) is considered non-compliant if the system is in the cardholder data environment (CDE).
- DVR/Camera system: These ports are often used for remote Closed Circuit Television (CCTV) monitoring of a building or room. Usually these ports should remain open if live monitoring of a business is needed. The recommended action is to make sure that the device is segmented (isolated) from the cardholder data environment. Talk to an IT specialist to determine if network segmentation is in place, or for assistance in setting it up. In these situations, you may need to submit a dispute to address the failing.
- FTP: This port is almost always an FTP server using SSL encryption. If you have a business need for this application, you must update it to disable SSL/early TLS. Usually you can do this by updating the server settings. You might need to update the software. In many cases, FTP applications use the operating system's SSL components, which means the upgrade is applied to the operating system rather than to a specific software package. For assistance with some common software, see the links below (external sites):
  - Microsoft Windows 7, Windows 10, IIS: https://support.microsoft.com/en-us/help/187498/how-to-disable-pct-1-0-ssl-2-0-ssl-3-0-or-tls-1-0-in-internet-informat
  - Apache (Linux): https://httpd.apache.org/docs/trunk/ssl/ssl_howto.html
  - NGINX: https://www.nginx.com/blog/nginx-poodle-ssl
Port Not Listed
If the affected port is not on the list above, you will need to identify where the SSL/early TLS is coming from. You can try navigating to it in a web browser using the following formula: https://<IP address>:<port>
- For example, if your scan report shows that you had vulnerabilities discovered on port 719 of IP address 203.0.113.57, you would construct the following URL in your web browser: https://203.0.113.57:719.
- If a web page is displayed, scan for any information which may help identify what device the SSL/Early TLS is coming from.
- Look for anything that might identify the name of a service provider, vendor, or any other third-party entity which may have a presence in your environment.
- Important note: The above procedure will only work for SSL/Early TLS on websites. Instances detected on non-website physical environments cannot be identified using the above procedure. These devices could be VPNs, POS machines or FTP servers. In these cases, contact an IT specialist to help determine the source.
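The scan arrives at the findings listed above by attempting a handshake pinned to each legacy protocol version and seeing whether the server completes it. The following script, added here as an example for this article (it is not the portal's or the scanner's own code), performs the same check from your own machine against the IP address and port from your report, using only the Python standard library, and maps the port to the guidance sections above. The host and ports are supplied on the command line; the `PORT_GUIDANCE` mapping simply restates the "Guidance By Port" table, and every function name is this example's own.

```python
"""Check one host:port for SSLv3 / TLS 1.0 acceptance and map the port to
the guidance sections of this article.

Added example, not code from the portal or the scanner. Standard library
only; the host, ports and mapping names are assumptions for illustration.
"""
import socket
import ssl
import sys
from typing import Dict, List, Optional

# Versions PCI DSS v3.2 Appendix A2 calls "SSL/early TLS" and the scan flags.
LEGACY_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
}

# Port-to-device mapping restated from the "Guidance By Port" table above.
PORT_GUIDANCE: Dict[int, str] = {
    21: "FTP",
    25: "Email", 110: "Email", 143: "Email", 465: "Email", 587: "Email",
    80: "Web/admin", 443: "Web/admin", 4433: "Web/admin", 8443: "Web/admin",
    3389: "RDP",
    8000: "DVR/Camera", 8080: "Web/admin or DVR/Camera",
    10443: "DVR/Camera", 20443: "DVR/Camera", 30443: "DVR/Camera", 60443: "DVR/Camera",
    50001: "Cable or DSL modem", 60001: "Cable or DSL modem",
}


def handshake_accepted(host: str, port: int, version: ssl.TLSVersion,
                       timeout: float = 5.0) -> Optional[bool]:
    """Offer exactly one protocol version and report whether the server took it.

    True  -> the server completed a handshake at that version (finding confirmed)
    False -> the server refused it (what you want to see after remediation)
    None  -> could not test: this OpenSSL build has the version compiled out,
             or the port is closed / not answering
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only protocol acceptance matters here, not the certificate, so skip verification.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None  # e.g. SSLv3 is compiled out of most current OpenSSL builds
    try:
        # OpenSSL 3 blocks TLS 1.0 at its default security level; lowering it
        # changes only what this probe offers, never the server's policy.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without security levels already allow the offer
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None  # handshake done at the pinned version
    except ssl.SSLError:
        return False  # alert or handshake failure: the version was refused
    except OSError:
        return None  # connection refused, timeout, unreachable


def probe_port(host: str, port: int) -> Dict[str, Optional[bool]]:
    """Run one pinned handshake per legacy version against host:port."""
    return {name: handshake_accepted(host, port, v) for name, v in LEGACY_VERSIONS.items()}


def findings(results: Dict[str, Optional[bool]]) -> List[str]:
    """Translate probe results into the finding names the scan report uses."""
    out: List[str] = []
    if results.get("SSLv3"):
        out.append("SSLv3 Supported")
        # POODLE is the SSLv3 CBC padding-oracle weakness, so it accompanies SSLv3.
        out.append("SSL version 3 protocol padding-oracle attack (POODLE)")
    if results.get("TLSv1.0"):
        out.append("TLSv1.0 Supported")
    return out


def guidance_for_port(port: int) -> str:
    """Name the section of this article that covers the flagged port."""
    return PORT_GUIDANCE.get(port, "Port Not Listed")


if __name__ == "__main__":
    # Usage: python probe_legacy_tls.py <ip-or-hostname> <port> [<port> ...]
    host, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
    for port in ports:
        results = probe_port(host, port)
        print(f"{host}:{port} -> {results}")
        for finding in findings(results):
            print(f"  finding: {finding}")
        if any(results.values()):
            print(f"  guidance section: {guidance_for_port(port)}")
```

Run it once before remediation to confirm the report and once after to confirm the fix; `False` for every version is the result you want. Current OpenSSL builds usually have SSLv3 compiled out, so that row reports `None` (not testable) rather than `False`; in that case the scan result stays authoritative and you should rerun the portal scan to verify the POODLE and SSLv3 findings have cleared.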
Reference links
- For more information about the PCI DSS requirement, please see the Payment Card Industry (PCI) Data Security Standard, v3.2, Appendix A2: Additional PCI DSS Requirements for Entities using SSL/early TLS.
- See also: Trustwave video references. (Your portal view may have a slightly different look to that shown in the demo videos depending on your program.)