Disabling SSLv3 and TLS 1.0
If you use an SSL certificate on a site you host with us, we now offer more control over the SSL/TLS protocol versions your site uses.
Old protocol versions, including SSL version 3 (“SSLv3”) and TLS version 1.0, are no longer considered secure. You can now disable these to improve security, at the expense of preventing some older, less-secure browsers from making SSL or TLS connections. Some credit card companies are starting to require that SSLv3 and TLS 1.0 both be disabled.
You can disable them in our “My Account” control panel:
- Login to the control panel
- Click SSL Certificate
- Scroll down the page to the bottom of the “SSL/TLS protocol version settings” section
- Click show protocol options
- Choose Medium security, good compatibility: Disable SSLv3 but enable TLS 1.0 to disable only SSLv3.
If you want to disable both (which is not yet recommended in most cases for the reasons below), you would instead choose High security, low compatibility: Disable SSLv3 and TLS 1.0.
What will happen if I disable some protocols?
If you disable only SSLv3, visitors using Internet Explorer 6 and earlier on Windows XP will no longer be able to connect securely. Almost nobody uses Internet Explorer 6 anymore, so this is almost always safe (and recommended).
Disabling TLS 1.0 is more of a problem. If you do this, you can expect secure connections to work only with modern browsers released in the last couple of years. The minimum versions are:
- Google Chrome 22, released in 2012
- Mozilla Firefox 27, released in 2014
- Internet Explorer 11, released in 2013
- Safari 7, released in 2013
- iOS 5, released in 2011
These are quite recent as of this writing (May 2015). If you disable TLS 1.0, visitors using browsers older than the versions above would simply see connection errors when accessing any secure “https” parts of your site.
Because of this, disabling TLS 1.0 doesn’t yet make sense unless you control the browsers of everyone who visits your site (for example, if it’s only accessed by employees), or you use a third-party service (such as a credit card company) that requires you to do it.
It was recently announced that the PCI compliance standards, which every site that accepts credit cards must meet, will require all sites to disable both SSLv3 and TLS 1.0 by June 30, 2016.
Update: The PCI Security Standards Council later changed the deadline to June 30, 2018.
Some PCI compliance companies want their customers to disable both of these immediately. You should almost certainly disable SSLv3 as described above, but if they also want you to disable TLS 1.0 now, you may be able to request an exemption. You should be able to fill out a form explaining that you cannot disable TLS 1.0 yet because you have customers who have not upgraded their browsers, but that you will do so by June 2018 (by that time, few people will be using these older browsers and it will have much less impact).
For example, this form is for the widely-used Trustwave PCI company. We have a sample mitigation and migration plan that you can copy-and-paste from as a starting point. You should modify it as necessary for your site, but the technical details it offers about “TLS_FALLBACK_SCSV” and so on are accurate for our servers if you disable SSLv3.