1

I am trying to understand this Google Poodle vulnerability slightly better. So I have a server, and one thing I need to do is disable SSL. This is not a problem, as the number of users that still use SSL will be low (Windows XP - IE6 I believe).

So, SSL is now disabled, everything is ok.

Here is the problem: to be PCI compliant, by June 2016 you have to disable TLS 1.0 support. Not thinking this would be a problem, I went ahead and disabled it on the server. Now I am finding that some common pairings, e.g. Windows XP on IE8, can't connect to my website. If they visit my webpage, they are shown an error that they are unable to connect.

This may not seem like a big deal, because you are probably wondering who uses things like XP and IE8. Believe it or not, it is still a very common combination in a lot of big establishments. On one hand, I have no choice but to be PCI compliant, but on the other hand, in doing this, about 5% of my visitors can't view my site (and 5% amounts to a large number).

So, what options do I have? With TLS 1.0 disabled, is there any way to let people without support for TLS 1.1 and higher view my site?

Thanks

javapro
    We don't even test with XP anymore. It's _years_ past the point where "a lot of big establishments" should have gotten rid of it. At this point, any problems that arise due to their choice to continue using XP are their fault and I have absolutely no sympathy. That said, people stuck with XP can use Firefox or Chrome if they actually want to visit web sites these days. – Michael Hampton Oct 15 '15 at 13:03

1 Answer

4

If your PCI compliance requires you to drop support for SSLv3 and TLS 1.0, then, as you say, you have to do it in order to stay compliant. However, without being an expert on PCI, I imagine that PCI only covers systems that handle financial data.

What you may be able to do to skirt these requirements is to split up your web site, so that the part of your web site that serves up general information about your company might be an HTTP-only site, or HTTPS but with fallback to SSLv3. The actually sensitive web application can then be served with TLS 1.1+ only. Do you have statistics regarding how many users actually use the secure part of your web site from these old creaky machines, as opposed to just browsing your web site for general information?

You would then have the opportunity for your web application to detect that the user's browser is not compatible with the secure part of the web site, and urge them to upgrade.

This does mean dropping support for Windows XP, but you would hardly be the first to do this. Microsoft haven't supported it for over one year now, and you're not uniquely impacted by these new requirements. Your customers still running these older unsupported platforms will be forced to upgrade no matter what.

Per von Zweigbergk
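Once the site is split as the answer suggests, the two hosts need opposite protocol policies, and it is worth verifying that from the outside rather than trusting the config. The probe below is an added example, not code from the question or the answer; it connects with a handshake pinned to one TLS version at a time and compares the outcome with the intended policy for that host. The host names are assumptions, and SSLv3 is not probed because the Python ssl module no longer offers it on current OpenSSL builds.

```python
"""Probe which TLS versions a host accepts and check the result against the
intended policy: the card-handling host must refuse TLS 1.0 (PCI), while the
public information site may keep accepting it for XP/IE8 visitors."""
import socket
import ssl
import sys

# Oldest to newest; ssl.TLSVersion enum names are TLSv1, TLSv1_1, TLSv1_2.
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2]


def probe_version(host, version, port=443, timeout=5):
    """Return True if the server completes a handshake pinned to `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # only the protocol policy is under test
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL 1.1+/3.x refuses to offer TLS 1.0/1.1 at the default
        # security level; lowering it lets the old versions be probed.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # e.g. LibreSSL builds that do not understand @SECLEVEL
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


def probe_host(host, port=443):
    """Map each version name to whether `host` accepted it."""
    return {v.name: probe_version(host, v, port) for v in VERSIONS}


def check_policy(results, legacy_allowed):
    """Compare probe results with the intended policy for one host.
    legacy_allowed=False is the TLS 1.1+ only application host,
    legacy_allowed=True the information site. Returns a list of findings."""
    findings = []
    if results.get("TLSv1") and not legacy_allowed:
        findings.append("TLS 1.0 accepted on a host that must be TLS 1.1+ only")
    if not results.get("TLSv1_2"):
        findings.append("TLS 1.2 not accepted; modern browsers will be refused")
    if legacy_allowed and not results.get("TLSv1"):
        findings.append("TLS 1.0 refused on the legacy-tolerant host; XP/IE8 visitors will fail")
    return findings


if __name__ == "__main__":
    # Hypothetical host names; replace with the two halves of your own site.
    for name, legacy in (("secure.example.com", False), ("www.example.com", True)):
        print(name, check_policy(probe_host(name), legacy) or ["policy as intended"])
    sys.exit(0)
```

Note that a TLS 1.0 probe can fail because the probing machine's own OpenSSL configuration forbids it, so a "refused" result on the information site is worth confirming with a second client before changing the server.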