By Brian Royce & Terry Easton August 18, 2016
If you are using a personal computer operating system released before December 21, 2015, or a web browser released before May 31, 2016, your computer may be at serious risk when browsing ecommerce websites.
In April 2015 the PCI Security Standards Council released version 3.1 of its Data Security Standard (DSS); version 3.2, released in April 2016, carries the same requirement. While most of the changes in the 3.1 minor release are clarifications, one is significant: it concerns the secure communication protocols used between a user’s web browser and the ecommerce server.
The Council ruled that SSL (all versions) and “early TLS” (TLS 1.0) are no longer acceptable as security controls. Version 3.1 originally set June 30, 2016 as the cut-off date; in December 2015 the Council extended the migration deadline for existing implementations to June 30, 2018, while new implementations may not use SSL or TLS 1.0 at all. The protocols are broken today, so the extension buys time for migration, not safety.
Failure to disable SSL and TLS 1.0 on ecommerce servers will eventually cost you: the card brands levy non-compliance fines through your acquirer or payment processor, which can also terminate your card-processing agreement. In addition, the quarterly external vulnerability scans that PCI requires, performed by Approved Scanning Vendors (ASVs), report SSL and TLS 1.0 as a failing finding (until the 2018 deadline a documented Risk Mitigation and Migration Plan can keep an existing site’s scan passing, but that is a stay of execution, not a fix).
ALL retailers (especially firearm retailers) should be running compliant systems, servers, and websites. Inform your IT staff of this PCI directive and check that your sites earn an A or A+ rating from Qualys SSL Labs, the industry’s de facto standard test. Failure to follow this could cost you.
In the modern era of hacking, we wholeheartedly recommend that you comply and employ the most advanced security procedures and technology you can.
How Did This Come About?
The PCI Council is responding to the well-known POODLE attack on SSL 3.0 as well as NIST’s conclusions about SSL. In Special Publication 800-52 Revision 1 (April 2014), NIST stated that SSL is not approved for use in protecting Federal information and required TLS 1.1 or later, with TLS 1.2 recommended. See: National Institute of Standards and Technology, NIST.GOV.
Unfortunately, you’ll need a brief history lesson to understand the role of TLS.
Standardized by the IETF (Internet Engineering Task Force) in January 1999, TLS version 1.0 was based heavily on SSL 3.0 and designed as a single, non-proprietary security standard to replace the vendor-specific SSL. A series of cryptographic improvements followed in TLS 1.1 (2006, which added explicit IVs to blunt attacks on CBC mode) and the current TLS 1.2 (2008, which added SHA-256-based hashing and authenticated-encryption cipher suites).
One key point is that TLS version negotiation itself is sound: the client advertises the highest version it supports and the server picks the highest version both sides share. The weak link was the browsers’ “downgrade dance”: if a handshake failed for any reason, including an attacker simply dropping the connection, the browser retried with the next lower version, all the way down to SSL 3.0, even when both ends were perfectly capable of TLS 1.2.
Because of this fallback, POODLE, an attack on the CBC padding in SSL 3.0, could indirectly take a bite out of TLS connections: an active attacker on the network path forces the browser down to SSL 3.0 and then uses the padding oracle to recover, byte by byte, secrets the browser resends on every request, such as the session cookie. That is enough to hijack a logged-in customer’s session on an ecommerce site.
Then in December 2014, security researchers found that some TLS implementations (notably certain load balancers) failed to check the padding bytes at all, so a POODLE-type attack worked directly against TLS 1.0 through 1.2 on those products, with no downgrade needed.
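The negotiation and fallback mechanism described above, as an added example (not code from the original article): a small model of TLS version selection, the browser’s 2014-era “downgrade dance”, an active attacker that drops every handshake above SSL 3.0, and the two defences, the TLS_FALLBACK_SCSV signal from RFC 7507 and simply refusing SSL 3.0 and TLS 1.0 on the server. The Server class, the network functions and the scenario names are this example’s own constructions; the version numbers and the 0x5600 signalling value are the real wire values.

```python
"""Model of TLS version negotiation, the browser "downgrade dance", and the
two defences against forced fallback. Added example, not from the article."""

# Protocol versions as carried in ClientHello/ServerHello (major.minor bytes).
SSL_3_0 = 0x0300
TLS_1_0 = 0x0301
TLS_1_1 = 0x0302
TLS_1_2 = 0x0303
NAMES = {SSL_3_0: "SSL 3.0", TLS_1_0: "TLS 1.0", TLS_1_1: "TLS 1.1", TLS_1_2: "TLS 1.2"}
TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value, RFC 7507
AES128_SHA = 0x002F         # TLS_RSA_WITH_AES_128_CBC_SHA, a real suite to fill the list


class HandshakeFailure(Exception):
    """Stands in for a fatal alert or a dropped connection."""


class Server:
    """Hypothetical server: picks the highest version both sides support."""

    def __init__(self, min_version, max_version=TLS_1_2, honours_fallback_scsv=False):
        self.min_version = min_version
        self.max_version = max_version
        self.honours_fallback_scsv = honours_fallback_scsv

    def server_hello(self, client_hello):
        client_max = client_hello["version"]
        if (self.honours_fallback_scsv
                and TLS_FALLBACK_SCSV in client_hello["cipher_suites"]
                and client_max < self.max_version):
            # RFC 7507: the client admits this is a retry at a lower version, yet
            # we could have done better, so something in the middle broke the first try.
            raise HandshakeFailure("inappropriate_fallback")
        chosen = min(client_max, self.max_version)
        if chosen < self.min_version:
            raise HandshakeFailure("protocol_version")
        return chosen


def direct(server, client_hello):
    """Clean network: the ClientHello reaches the server untouched."""
    return server.server_hello(client_hello)


def poodle_mitm(server, client_hello):
    """Active attacker: drop every handshake above SSL 3.0 so a fallback
    client ends up on SSL 3.0, where the POODLE padding oracle applies."""
    if client_hello["version"] > SSL_3_0:
        raise HandshakeFailure("connection reset by attacker")
    return server.server_hello(client_hello)


def downgrade_dance(client_max, client_min, server, network, send_scsv=False):
    """2014-era browser behaviour: on any handshake failure, retry one version lower."""
    version = client_max
    while version >= client_min:
        hello = {"version": version, "cipher_suites": [AES128_SHA]}
        if send_scsv and version < client_max:
            hello["cipher_suites"].append(TLS_FALLBACK_SCSV)  # "this is a retry"
        try:
            return network(server, hello)
        except HandshakeFailure:
            version -= 1
    raise HandshakeFailure("no version accepted")


def outcome(*args, **kwargs):
    """Negotiated version name, or 'handshake failed' if the dance ran out of versions."""
    try:
        return NAMES[downgrade_dance(*args, **kwargs)]
    except HandshakeFailure:
        return "handshake failed"


def run_scenarios():
    legacy = Server(min_version=SSL_3_0)                            # pre-2016 default
    scsv = Server(min_version=SSL_3_0, honours_fallback_scsv=True)  # RFC 7507 only
    hardened = Server(min_version=TLS_1_2)                          # PCI floor is TLS 1.1; 1.2 recommended
    modern = (TLS_1_2, SSL_3_0)   # (max, min) of a 2014 browser that still falls back
    old_ie = (TLS_1_0, SSL_3_0)   # Internet Explorer on Windows XP tops out at TLS 1.0
    return {
        "legacy, clean": outcome(*modern, legacy, direct),
        "legacy, attacked": outcome(*modern, legacy, poodle_mitm),
        "scsv, attacked": outcome(*modern, scsv, poodle_mitm, send_scsv=True),
        "hardened, attacked": outcome(*modern, hardened, poodle_mitm),
        "hardened, clean": outcome(*modern, hardened, direct),
        "hardened, clean, old IE": outcome(*old_ie, hardened, direct),
    }


if __name__ == "__main__":
    for scenario, result in run_scenarios().items():
        print(f"{scenario:28} -> {result}")
```

Run it and the legacy server lands on SSL 3.0 under attack, while both defended servers refuse the forced connection outright. The last scenario shows the price of the fix: a Windows XP/Internet Explorer browser that cannot speak anything above TLS 1.0 gets no connection to a TLS 1.2-only server at all, which is exactly the “small percentage of users” the next section warns about.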
What Should You Do Immediately?
The PCI Council says that merchant web servers must remove support for SSL (all versions) and TLS 1.0 entirely; TLS 1.1 is the minimum it accepts, and TLS 1.2 is strongly recommended. Web users, for their part, must upgrade to the latest browser version available. In short: disable SSL 3.0 and TLS 1.0 on servers and clients alike, and move everything to TLS 1.2. Ecommerce systems and servers should have dropped these obsolete protocols many months ago!
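What that server-side removal looks like in a Python server, as an added example not taken from the article: a permissive context of the kind many 2015-era servers effectively ran beside a hardened one, and a helper that lists the versions each will negotiate. The function names are this example’s own; the ssl module calls are the standard ones. The nginx equivalent is the single directive ssl_protocols TLSv1.2; and in Apache httpd it is SSLProtocol -all +TLSv1.2.

```python
"""Server-side removal of SSL 3.0 / TLS 1.0 with Python's ssl module.
Added example, not from the article. Requires Python 3.7+ (TLSVersion API)."""
import ssl

# Every version the library knows about, lowest to highest.
VERSIONS = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def legacy_server_context():
    """The weak setting: negotiate whatever the library can speak, including
    TLS 1.0 (and SSL 3.0 on OpenSSL builds that still have it compiled in)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def hardened_server_context():
    """The corrected setting: SSL 3.0, TLS 1.0 and TLS 1.1 are never offered.
    PCI's floor is TLS 1.1; TLS 1.2 is what it recommends and what we set."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def permitted_versions(ctx):
    """Names of the protocol versions the context's min/max bounds allow.
    MINIMUM_/MAXIMUM_SUPPORTED are sentinels, so map them to the ends of VERSIONS."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = VERSIONS[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = VERSIONS[-1]
    return [v.name for v in VERSIONS if lo <= v <= hi]


if __name__ == "__main__":
    print("legacy  :", permitted_versions(legacy_server_context()))
    print("hardened:", permitted_versions(hardened_server_context()))
```

Protocol versions are only half of an SSL Labs grade; the cipher suites the context offers (ctx.set_ciphers) and the certificate chain matter too, so re-test the live site after deploying rather than trusting the configuration on paper.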
Because of this security upgrade, a small percentage of web users will discover that their out-of-date operating systems and web browsers speak only the forbidden protocols, and that they can no longer reach ecommerce websites at all.
To see which protocol versions your own computers can use, the following link lists TLS support by operating system (Windows, Apple iOS, Android, Linux, etc.) and browser (Firefox, Safari, IE, Edge, Chrome, etc.). See: https://en.wikipedia.org/wiki/Template:TLS/SSL_support_history_of_web_browsers
If you are using the latest version of your operating system and the latest version of your web browser(s), you do not need to do anything about this particular issue.
If you are using an older, obsolete operating system such as Windows XP or an out-of-date version of OS X, you cannot run Microsoft’s or Apple’s current browsers (Internet Explorer on XP stops at version 8, which cannot speak TLS 1.1 or 1.2). Your browsing is vulnerable, and you may NOT be able to access many secure ecommerce sites created and maintained by real professionals.
We highly recommend that all users immediately upgrade all of their personal computers and “smart” mobile devices to the latest operating system versions and apply the latest “patches” provided by their computer operating system manufacturer.
We also recommend the latest Firefox or Chrome browsers for accessing the Internet in general. These browsers are updated automatically and frequently to keep up with attacks on secure transactions, and, unlike Internet Explorer and Safari, they ship their own TLS implementation rather than relying on the operating system’s, so they can speak TLS 1.2 even on an older system.
This is an on-going battle which requires that you continue to use the most current version of these programs to protect your computers. We further recommend that you turn on the “auto update” feature of both your operating systems and web browsers to make sure that you receive the latest security patches.
Finally, we highly recommend that all of our ecommerce clients consider Comodo’s “HackerProof” trust mark, a daily vulnerability-scanning service with a site seal. Note that it is not a TLS certificate and does not by itself change your server’s protocol settings; it tells you (and your customers) whether the site passes a scan. Comodo charges $2,295 for one year. See https://www.comodo.com/hackerproof/select-hackerproof.php for full details.
We take your security very seriously, and you do not want your gun shop website hacked! We encourage you to also inform your retail customers of the same requirements to use modern operating systems and the latest Firefox or Chrome browsers when they access any websites.
Crooks, scam artists, hackers and spies swarm all over the Internet. It is our responsibility to keep them out of our ecommerce servers and websites. We review security procedures and protocols daily and are intimately involved with the firearms and internet security industry.
Rest assured that our servers use the highest level of encryption which is supported by all the modern web browsers. For those readers who want more technical information on how web browser and ecommerce server security works, see: https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers