Weak SSL Ciphers on Remote Server - Help?!

This topic is closed.
#16
I can understand everyone's thoughts on this SecurityMetrics issue; everyone is entitled to their opinion, but when it is your MD who selects which security company to go with then it's out of my hands, and I have to go with it, whether I agree or not.

When it's your own company/website then you can make the decision yourself. The bottom line is it's not my decision to make; I can only make suggestions... which I did.

Created this post to find a layman's-terms explanation of what the vulnerabilities the test was failing on required, so I could contact our web host company and say "right, do this and do that"...

Oh well...



#17
Gavin, I understand if someone refuses to change despite what people tell him; it can be very frustrating. But you also have to understand that you are the only 'Actinic' person in the country AFAIK (probably the world too) actually doing this. That is how mad this whole facade is. You have been banging on about the same things for gawd knows how long and, to be frank, no one has a clue WTF you are on about, nor WTF SM are on about.

If he is so stubborn, fair enough: tell him that he needs to contract some server/security experts in to sort this area out for you. Once he sees the price, he may also see sense.

It is not a failure to tell someone that you cannot do something that is most likely to be impossible or not work anyway.



#18
OK Gavin, I have been having a trawl around the internet. I don't use Plesk so can't be much help, but I found this:

http://www.linux-advocacy.org/web-se...-pci-compliant

There is also a reference to SSLv2 in the first part, as well as other stuff.



#19
Originally posted by Darren B:
    OK Gavin, I have been having a trawl around the internet. I don't use Plesk so can't be much help, but I found this:

    http://www.linux-advocacy.org/web-se...-pci-compliant

    There is also a reference to SSLv2 in the first part, as well as other stuff.

Hi Darren, thanks for the post. I posted the exact same link above in my post, and emailed our web hosting company the link for them to work out the fixes.

They have emailed me this morning to say they have made some changes, and are now in the process of running another security test.

In the past we actually have been PCI compliant through SecurityMetrics, which is an achievement in itself.



#20
Why do you have to get involved at all? Just put your hosts and SecurityMetrics in touch with each other, or find new hosts who understand the report that has been produced.

www.homeautomation-direct.com
Energy Monitors and X-10 automation hardware



#21
Originally posted by GAViN™©:
    In the past we actually have been PCI compliant through SecurityMetrics, which is an achievement in itself.

Actinic V7 on shared hosting reaches PCI compliance - if this is true, then it only serves to illustrate what a load of crap the whole thing is. AFAIK, NO shared hosting offers PCI compliance and NO Actinic sites can ever do so either. When Actinic themselves come out and say this, how can anyone argue with that?



#22
Originally posted by leehack:
    AFAIK, NO shared hosting offers PCI compliance and NO Actinic sites can ever do so either. When Actinic themselves come out and say this, how can anyone argue with that?

Is that a fact? I run an Actinic (albeit V9) site which is certified by McAfee to meet the Payment Card Industry (PCI) Data Security Standard, and it's on a shared host. It seems to me that people who don't fully understand the requirements/server configuration required, and how easily these can be achieved even on a shared hosting environment, would probably be best keeping their misinformed opinions to themselves.

Back onto the original subject: there are plenty of companies who can scan your site, including http://www.merchantplus.com/mcafee/ who provide compliance services at no cost for the first year, which removes the need and expense for SecurityMetrics.

As for your issue with weak SSL ciphers, Darren is probably not far off the mark with:
Originally posted by Darren B:
    Gavin, have you tried to disable SSLv2? This could probably fix the problem.

Although there are other weak SSL ciphers potentially installed on the server, it's just a case of getting the host to disable them, although they may be reluctant as other sites hosted on the server may require them.

A simple way to find out exactly what the problem is and what ciphers you need disabled would be to sign up for the McAfee scanning. You will be assigned a rep FREE for a year who, after your initial scan, will guide you through passing PCI DSS and assist you with all the requirements for the server, which you can pass on to your hosting company.



#23
    Just put your hosts and SecurityMetrics in touch with each other, or find new hosts who understand the report that has been produced.

Not really; we have had conversations with SM and found ourselves hitting our heads against a brick wall.
As Darren mentioned several posts ago, often it is the control panel that can be tweaked to eliminate the error message, rather than tweaking the actual security level. Nonsense, really.



#24
Perhaps Simon could enlighten us all as to why the company who create the software (Actinic) state their software is not PCI compliant without using a PSP, if indeed it actually is. Would that not be like shooting oneself in the foot, if what they say is not true?

The slow demise of shared SSL and the introduction of the new AP system was mainly driven (as I understand it) by the fact that Actinic and SSL, downloading payment details yourself, would never and will never pass the guidelines. This is the main point in all of this: you have to use a PSP to comply.

Now if McAfee, SecurityMetrics or anyone else doing this monitoring think that anyone doing the above-mentioned scenario can actually pass PCI DSS when using Actinic, then what does that say for their services, if the software company itself has been telling us the contrary for the past 12 months?

Over to you, Simon, with your wealth of knowledge, to unmuddy the most muddied waters of the past 12 months.



#25
This whole thread is brought about because of fears instilled by companies who magically can help out with their 'unique' services, i.e. fixing something that pretty much doesn't exist.
When any new rules appear, like the fire brigade not issuing fire certificates, along come hundreds of new businesses like vultures with their 'services' to help you comply.

www.parklifeclothes.co.uk
Parklife, Whitby
Diesel, Converse, Crocs, Quiksilver, Miss Sixty, Scotch & Soda, Bench, Levi's, Kickers



#26
Thanks to that link that Darren posted above (and I did earlier), which I sent to my web host, they have removed the SSLv3 weak SSL ciphers, so just the SSLv2 ciphers remain; everything else is fine.

So they are working on that. (Yes, SSLv2 has been disabled, or so our web hosting company has informed me.) Is there a way of checking this? Just to be sure.

Just for information, we are actually on a VPS now and have been for some months, so not a shared server as I think some might think.

If SM are known to play hardball, and our site is PCI compliant through them, then we must have a pretty damn secure website, therefore giving customers that added comfort of knowing that we are secure. Which in my opinion is great news for us.

I'm sure there are other PCI compliance companies out there, but just how good are they? How good are their security tests? Who knows?

We're getting somewhere now with our host company and SM, so there is light at the end of the tunnel.

But having done a Google search on weak SSL ciphers for PCI compliance, it seems there are other people having the same trouble with no mention of SecurityMetrics at all.

I may have a look at this McAfee scan, even if it's just for documented help on vulnerabilities that we come across now and in the future; after all, if it's free for the first year there's no harm in giving it a look.

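Two points in the thread call for the same check: #22 notes that SSLv2 may not be the only weak thing the scanner sees (other weak cipher suites can still be enabled), and #26 asks how to verify, from the outside, that the host really has disabled SSLv2. The script below is an added example for this thread, not code from the original posts, from Actinic, Plesk or SecurityMetrics. It wraps `openssl s_client`, forces one old protocol or one weak cipher list per connection, and classifies the result. The live probes need network access and an `openssl` binary; the `HOST`/`PORT` variables and the sample transcripts are assumptions constructed for the example, and the classifier is exercised against those samples so it can be checked offline.

```shell
#!/bin/sh
# Added example for this thread (not from the original posts, Actinic or
# Plesk): check from outside whether a host still accepts SSLv2, SSLv3 or
# weak cipher suites, using `openssl s_client`. Live probes need network
# access; the classification functions work on captured output.

# Turn one s_client run (combined stdout+stderr) into a verdict:
#   accepted    - a session was negotiated under the options we forced
#   rejected    - the server refused (handshake failure, wrong version, ...)
#   unsupported - this local OpenSSL lacks the option or cipher (-ssl2 was
#                 removed in OpenSSL 1.1.0, -ssl3 and RC4 are usually
#                 compiled out), so nothing was tested; use another client
#   unreachable - TCP connect or name resolution failed
classify() {
    lc=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case $lc in
        *"unknown option"*|*"no protocols available"*|*"no cipher match"*|*"error setting cipher list"*)
            echo unsupported ;;
        *"connect:errno"*|*"getaddrinfo"*|*"could not connect"*)
            echo unreachable ;;
        *"cipher is (none)"*) echo rejected ;;
        *"cipher is "*)       echo accepted ;;
        *)                    echo rejected ;;
    esac
}

# Fields from the SSL-Session block that s_client prints after a handshake.
negotiated_protocol() { printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *//p' | head -n 1; }
negotiated_cipher()   { printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *//p'   | head -n 1; }

# Suite names a PCI scanner of the period flags: export, anonymous, NULL,
# RC4, single/triple DES and MD5-MAC suites. TLS 1.3 names match none.
is_weak_cipher() { printf '%s\n' "$1" | grep -Eq 'EXP-|ADH-|AECDH-|NULL|RC4|DES-CBC|MD5'; }

# Live probe: $1 host, $2 port, remaining args are passed to s_client.
probe() {
    host=$1; port=$2; shift 2
    out=$(openssl s_client -connect "$host:$port" "$@" </dev/null 2>&1)
    verdict=$(classify "$out")
    cipher=$(negotiated_cipher "$out")
    flag=""
    if [ -n "$cipher" ] && is_weak_cipher "$cipher"; then flag=" (weak)"; fi
    printf '%-12s %-36s %s %s%s\n' "$verdict" "$*" \
        "$(negotiated_protocol "$out")" "$cipher" "$flag"
}

# Constructed sample transcripts (trimmed to the lines that matter) so the
# classifier can be run without a network.
SAMPLE_SSLV3_RC4='CONNECTED(00000003)
New, SSLv3, Cipher is RC4-SHA
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-SHA'
SAMPLE_REFUSED='CONNECTED(00000003)
error:1408F10B:SSL routines:ssl3_get_record:wrong version number
New, (NONE), Cipher is (NONE)'
SAMPLE_NO_SSL2='s_client: Unknown option: -ssl2
s_client: Use -help for summary.'

selftest() {
    [ "$(classify "$SAMPLE_SSLV3_RC4")" = accepted ] &&
    [ "$(negotiated_protocol "$SAMPLE_SSLV3_RC4")" = SSLv3 ] &&
    is_weak_cipher "$(negotiated_cipher "$SAMPLE_SSLV3_RC4")" &&
    [ "$(classify "$SAMPLE_REFUSED")" = rejected ] &&
    [ "$(classify "$SAMPLE_NO_SSL2")" = unsupported ]
}
if selftest; then echo "selftest ok"; else echo "selftest FAILED"; fi

# Live run (HOST and PORT are assumed names for this example):
#   HOST=shop.example.com PORT=443 sh tlscheck.sh
if [ -n "${HOST:-}" ]; then
    port=${PORT:-443}
    for opt in -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2; do
        probe "$HOST" "$port" "$opt"
    done
    # Offer only weak suites. "accepted" with a "(weak)" name means the
    # server still picks one of them. A TLS 1.3 server answers with a
    # TLS 1.3 suite instead, which is not flagged.
    probe "$HOST" "$port" -cipher 'EXP:LOW:RC4:DES:3DES:aNULL:eNULL:MD5'
fi
```

Anything reported as "accepted" for `-ssl2` or `-ssl3`, or as "accepted (weak)" for the cipher probe, is what the scanner is complaining about. If your local OpenSSL reports "unsupported" for `-ssl2`/`-ssl3`, it simply no longer speaks those protocols; `nmap --script ssl-enum-ciphers -p 443 host` enumerates them independently of the local library. On the host side, the Apache mod_ssl directives that produce a clean result are `SSLProtocol all -SSLv2 -SSLv3` together with an `SSLCipherSuite` that excludes the weak families (for example `HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!RC4:!3DES:!MD5`) and `SSLHonorCipherOrder on`; Plesk regenerates its vhost files, so the host should put these in the per-domain include it provides rather than in the generated file.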


#27
    I run an Actinic (albeit V9) site which is certified by McAfee to meet the Payment Card Industry (PCI) Data Security Standard, and it's on a shared host.

And the URL is????



#28
OK, I think we need to split this up a bit.

You can still make your server PCI DSS compliant; it does not mean you are, though. The software and downloading of card details is not.

So you can have a compliant server, but this is only one piece of the puzzle. There are others, and these depend on what information you are collecting and how you handle it. Then you need to make sure you are compliant with each of these steps.

Actinic will not meet these other steps: the downloading of card information will fail the required security checks every time.

D



#29
Which is exactly why you need to use a PSP and self-certify. If you need a PCI secure website, the only justification for which is to download card details, then by definition you are downloading card details, and you are most likely to fail the whole PCI thing on this basis alone.

Aquazuro - designer stainless steel accessories



#30
You can certainly have a PCI compliant server (which Actinic has), but you still need to use a PSP to be fully compliant, as stated on the Actinic website:

    Merchant web sites hosted on Actinic servers are fully PCI DSS compliant provided that they use a Payment Service Provider that is itself fully PCI DSS compliant and the card details are captured at the payment provider's servers.
