The PCI-DSS standards are designed to help protect card-holder data. The specific section we’re interested in is section 4.1 of the v1.2 revision of the standards which are available for download here: https://www.pcisecuritystandards.org/security_standards/pci_dss_download_agreement.html
The standards layout that you should use strong cryptography and security protocols when transmitting card data over open, public networks (ie the Internet).
If you want to secure any data sent over HTTPS you need to make sure the protocols and ciphers used are secure. In practice, this means disabling SSLv2 and weak ciphers. This has to be done at the SSL endpoint – so if you’re using a load balancer, firewall or similar to terminate your SSL connections you’ll need to make the changes there.
We can offer advice and resell SSL terminating end-points. We also work with open-source SSl terminating solutions such as Pound ( http://www.apsis.ch/pound/ ).
How To Check
Use the SSLScan tool – http://sourceforge.net/projects/sslscan/
Use OpenSSL from the command line:
SSLv2
# openssl s_client -ssl2 -connect www.HOSTNAME.com:443
Weak ciphers
# openssl s_client -connect www.HOSTNAME.com:443 -cipher LOW:EXP
How to Fix
Apache 2.x:
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
Pound:
Ciphers "SSLv3:TLSv1:-LOW:-aNULL:-ADH:-EXP:-eNULL"
IIS:
(Unfortunately you have to edit the registry…)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128] "Enabled"=dword:0000000
You may also be interested to know that active CF community member Pete Freitag has created a commercial tool to help you make these changes in IIS – http://foundeo.com/products/iis-weak-ssl-ciphers/
Of course not everyone’s environment is straight-forward and often you’ll hit issues or knock-on effects – so get the experts in… we’re waiting!