SSL2 Support

dman

Hello,

With all the media coverage of and the concerns surrounding the HeartBleed bug, I ran some tests from Comodo and Qualys on some of my clients' domains using SSL. The results show that the sites are not vulnerable to the HeartBleed bug, but they do show that SSL2 is supported on Win33, which could be a concern. I understand that this issue could affect IE6 users (if there are any left!) and possibly be exploited by using SSL2 as a fallback. Is this something that should and can be disabled on Win33? Thanks!
 
It is not something we have disabled at this time, as we've not had requests, nor do we ensure that the shared servers are PCI compliant (as frankly, unless there is a purpose-built and locked-down design that limits specifically what can be installed and run, no shared server is PCI compliant to the spec; maybe to the scans, but not to the book).

If you need it disabled, yes, it will result in some older browsers being unable to visit, and we can do it on 2008 R2+ servers (and all are being upgraded to this), but it will be on a scheduled basis within 1 week of the request.
 
Hey Stephen,

Thanks for the reply! Hmmm... I'm actually not needing PCI compliance on these sites and these are not PCI scans. The scans really only check for the security and health of SSL usage on a server. For example: https://www.ssllabs.com/ssltest/index.html

The vulnerabilities with SSL2 affect more than online payments and PCI; they potentially allow any SSL secured area on a site to be compromised. This would seem to be a broader security concern. Not sure if it has to be disabled or if other sites on Win33 still need to support IE 6, but it does cause web sites on Win33 to be given a poor security rating and potentially have security issues. I would ask to have it disabled if possible. Thanks!
 
Ask in a ticket and we can do it; it is server-wide disabling, however. I know it is more than just PCI; I just said that, being that it is the most common reason to have it disabled.
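For readers administering their own Windows server, the server-wide change discussed in this thread can be expressed as the standard SCHANNEL registry setting. This is an added example, not something posted in the thread and not the host's own procedure; the function names `Get-Ssl2State` and `Disable-Ssl2` are made up for illustration.

```powershell
# Added example: audit and disable SSL 2.0 in SCHANNEL. The setting is machine-wide,
# so it affects every site on the server. Run from an elevated prompt.
# Written for PowerShell 2.0, which is what Windows Server 2008 R2 ships with.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0'

# Hypothetical helper: report the current registry state for one role.
# If the key or values are missing, the operating system default applies.
function Get-Ssl2State {
    param([ValidateSet('Server', 'Client')][string]$Role)
    $key   = Join-Path $base $Role
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    New-Object PSObject -Property @{
        Role              = $Role
        KeyExists         = [bool](Test-Path $key)
        Enabled           = $props.Enabled            # 0 = protocol refused
        DisabledByDefault = $props.DisabledByDefault  # 1 = not offered unless requested
    }
}

# Hypothetical helper: create the key if needed and write both values.
function Disable-Ssl2 {
    param([ValidateSet('Server', 'Client')][string]$Role)
    $key = Join-Path $base $Role
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'Enabled' -Value 0 `
        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 `
        -PropertyType DWord -Force | Out-Null
}

# State before the change.
'Server', 'Client' | ForEach-Object { Get-Ssl2State -Role $_ }

# 'Server' covers inbound HTTPS to IIS; 'Client' covers outbound connections.
Disable-Ssl2 -Role Server
Disable-Ssl2 -Role Client

# State after the change. SCHANNEL reads these values at startup.
'Server', 'Client' | ForEach-Object { Get-Ssl2State -Role $_ }
Write-Host 'Reboot, then re-run the external SSL scan to confirm SSL2 is no longer offered.'
```

As noted in the reply above, clients that can only speak SSL2 will no longer be able to connect once this is applied.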
 