    Credit Card Compliance - SSL version

    Can anyone tell me what version of SSL Actinic uses?

    We are with Barclays Merchant Services and they have required us to pass the Security Metrics tests on the Actinic site even though we don't see credit card information - it all goes via Protx.

    The only failure we are encountering seems to be the SSL version - error description as follows:

    Protocol - TCP
    Port - 443
    Program - https
    Risk - 4

    Synopsis - The remote service encrypts traffic using a protocol with known weaknesses.
    Description - The remote service accepts connections encrypted using SSL 2.0, which reportedly suffers from several cryptographic flaws and has been deprecated for several years. An attacker may be able to exploit these issues to conduct man-in-the-middle attacks or decrypt communications between the affected service and clients.
    See also - http://www.schneier.com/paper-ssl.pdf
    Solution - Consult the application's documentation to disable SSL 2.0 and use SSL 3.0 or TLS 1.0 instead. See http://support.microsoft.com/default.aspx?scid=kb;en-us;187498 for instructions on IIS. See http://httpd.apache.org/docs/2.0/mod/mod_ssl.html for Apache.
    Risk Factor - Medium / CVSS Base Score : 2 (AV:R/AC:L/Au:NR/C:P/A:N/I:N/B:N)


    Thanks
    Jane

    #2
    Jane,

    Actinic's SSL uses both 2.0 and 3.0 and the highest mutually supported protocol version will be used.

    Kind regards,
    Bruce King
    SellerDeck
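To verify a fix before the Security Metrics scan is re-run, the check below reproduces what the scanner is doing: it sends an SSL 2.0 CLIENT-HELLO that offers only SSL 2.0 cipher specs and looks at whether the server answers with an SSL 2.0 SERVER-HELLO. This is an added example for this thread, not code from Actinic or SellerDeck. The command-line host and port, the verdict names (`closed`, `alert`, `tls`, `ssl2`) and the constructed SERVER-HELLO record used for offline checking are assumptions of the example; the record layouts follow the SSL 2.0 specification.

```python
"""Probe whether an HTTPS endpoint still accepts SSL 2.0.

Added example for this thread; not Actinic/SellerDeck code. Assumed usage:
    python probe_ssl2.py shop.example.com 443
"""
import os
import socket
import struct
import sys

# SSL 2.0 cipher-spec codes from the SSL 2.0 specification. A server that
# answers a hello carrying only these with an SSL 2.0 SERVER-HELLO still
# offers SSL 2.0, which is exactly the scanner finding in the thread.
SSL2_CIPHER_SPECS = [
    b"\x01\x00\x80",  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80",  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # SSL_CK_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]


def build_ssl2_client_hello(challenge=None):
    """Build an SSL 2.0 CLIENT-HELLO record advertising version 2 only."""
    if challenge is None:
        challenge = os.urandom(16)           # CHALLENGE-DATA, 16 random bytes
    specs = b"".join(SSL2_CIPHER_SPECS)
    body = (
        b"\x01"                              # MSG-CLIENT-HELLO
        + b"\x00\x02"                        # CLIENT-VERSION = SSL 2.0
        + struct.pack(">HHH", len(specs), 0, len(challenge))
        + specs                              # CIPHER-SPECS-DATA
        + challenge                          # session id is empty, then challenge
    )
    # Two-byte SSL 2.0 record header: high bit set, 15-bit length, no padding.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_ssl2_server_hello(record):
    """Return (server_version, [cipher specs]) from an SSL 2.0 SERVER-HELLO."""
    rec_len = struct.unpack(">H", record[:2])[0] & 0x7FFF
    msg = record[2:2 + rec_len]
    if len(msg) < 11 or msg[0] != 0x04:      # 0x04 = MSG-SERVER-HELLO
        raise ValueError("not an SSL 2.0 SERVER-HELLO")
    # msg[1] = SESSION-ID-HIT, msg[2] = CERTIFICATE-TYPE, then four 16-bit fields:
    # SERVER-VERSION, CERTIFICATE-LENGTH, CIPHER-SPECS-LENGTH, CONNECTION-ID-LENGTH
    version, cert_len, spec_len, _conn_len = struct.unpack(">HHHH", msg[3:11])
    specs = msg[11 + cert_len:11 + cert_len + spec_len]
    return version, [specs[i:i + 3] for i in range(0, len(specs), 3)]


def classify_response(data):
    """Map the first bytes a server returned to a verdict on SSL 2.0 support."""
    if not data:
        return "closed"      # connection dropped without a handshake: refused
    if data[0] == 0x15:
        return "alert"       # SSLv3/TLS alert record: the SSL 2.0 hello was refused
    if data[0] == 0x16:
        return "tls"         # server answered in SSLv3/TLS; it did not pick SSL 2.0
    if data[0] & 0x80 and len(data) >= 7 and data[2] == 0x04:
        version, _specs = parse_ssl2_server_hello(data)
        if version == 0x0002:
            return "ssl2"    # SSL 2.0 SERVER-HELLO: the scanner finding still applies
    return "unknown"


def probe_ssl2(host, port=443, timeout=5.0):
    """Connect, send the SSL 2.0 hello and classify the reply (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl2_client_hello())
        try:
            data = sock.recv(4096)
        except socket.timeout:
            data = b""
    return classify_response(data)


def constructed_server_hello():
    """A constructed SSL 2.0 SERVER-HELLO (no certificate) for offline testing."""
    specs = b"\x01\x00\x80" + b"\x07\x00\xc0"
    conn_id = b"\xaa" * 16
    msg = (b"\x04"                           # MSG-SERVER-HELLO
           + b"\x00"                         # SESSION-ID-HIT = no
           + b"\x01"                         # CERTIFICATE-TYPE = X.509
           + b"\x00\x02"                     # SERVER-VERSION = SSL 2.0
           + struct.pack(">HHH", 0, len(specs), len(conn_id))
           + specs + conn_id)
    return struct.pack(">H", 0x8000 | len(msg)) + msg


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(target, target_port, probe_ssl2(target, target_port))
```

A verdict of `ssl2` means the scanner's finding still stands on that host; once SSL 2.0 is disabled on the web server in front of Actinic, the same probe should come back as `alert` or `closed`. The record returned by `constructed_server_hello()` is made up for offline use only and carries no certificate.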
