View Poll Results: TLSv1.0 Support
I would not be affected by dropping TLS 1.0 Support: 6 (66.67%)
I would be affected by dropping TLS 1.0 Support: 0 (0%)
PCI Compliance is worth breaking things: 0 (0%)
What the heck is TLS 1.0: 3 (33.33%)
09-22-2016, 08:01 PM
|
Postid: 185387
|
|
CTO FutureQuest, Inc.
Join Date: Jun 1998
Location: Z'ha'dum
Posts: 8,108
|
Re: PCI Compliance - TLSv1.0 Encryption Support
Abrams, when it comes to security related items, we move very swiftly to resolve the issue and sometimes that is without notice until after the security issue has been resolved to minimize any exposure...
Given that there is considerable fallout from this, we are going to temporarily revert the TLSv1.0 deprecation for the Email protocols, and will post up a new deprecation warning to be scheduled for next Thursday (9/30/2016)... This work is currently underway...
__________________
The FutureQuest Team
|
|
|
09-22-2016, 08:02 PM
|
Postid: 185388
|
|
Have you hugged a tiger today?
Forum Notability:
1363 pts: A True Crowd-pleaser!
Join Date: Mar 2000
Location: Third Sol Planet Posts: Far too many. Oh ok -
Posts: 2,887
|
Re: PCI Compliance - TLSv1.0 Encryption Support
Thanks Terra. Before proceeding ahead again please be sure to provide guidance on what needs to be changed on common mail apps to get them ready.
|
|
|
09-22-2016, 08:07 PM
|
Postid: 185389
|
|
CTO FutureQuest, Inc.
Join Date: Jun 1998
Location: Z'ha'dum
Posts: 8,108
|
Re: PCI Compliance - TLSv1.0 Encryption Support
The email protocols now support TLSv1.0 again, and there is now a 1 week sunset where we will deprecate it completely to satisfy the PCI ecommerce clients that are affected by this... PCI includes both Apache and email...
Hobbes, we are not quite sure what kind of guidance we can provide due to the sheer number of email clients that are out there on different OSes... We are hoping that those affected can add to this thread with the results they find... I myself am affected as I use Eudora, so I solved it by using a ssh tunnel to work around it and stopped using SSL...
All in all, deprecating TLSv1.0 must happen as it is forced upon us by PCI and we have no control over what they think is good or bad... We can only adhere to their compliance guidelines...
__________________
The FutureQuest Team
|
|
|
09-22-2016, 08:12 PM
|
Postid: 185390
|
|
Site Owner
Join Date: Apr 2007
Posts: 26
|
Re: PCI Compliance - TLSv1.0 Encryption Support
I think it's fair to say having a roadmap for Outlook and the Apple client on the Mac and iOS devices would be a responsible start. Literally millions of people are using these devices. Not being able to utilize the stock client on an Apple device seems like madness. I've been with FutureQuest for an eternity as well and this entire experience is remarkably out of character for the company.
|
|
|
09-22-2016, 08:13 PM
|
Postid: 185391
|
|
Site Owner
Join Date: Dec 2001
Posts: 12
|
Re: PCI Compliance - TLSv1.0 Encryption Support
I send and reply to no less than 80 emails a day. I have 11 website builds going on at the moment. People work at home these days. I have helpdesk tickets I can't respond to, customer questions, contractors that need management, not to mention the ongoing communication over website assets for general production.
WOW.
Just wow.
|
|
|
09-22-2016, 08:15 PM
|
Postid: 185392
|
|
Have you hugged a tiger today?
Forum Notability:
1363 pts: A True Crowd-pleaser!
Join Date: Mar 2000
Location: Third Sol Planet Posts: Far too many. Oh ok -
Posts: 2,887
|
Re: PCI Compliance - TLSv1.0 Encryption Support
Hummm... saying "we will no longer support secure email on iPhones" seems like a good way to drive clients away. ssh tunnels aren't a solution, just a workaround for the few. I'm all for being in a more secure, PCI-compliant environment, but it appears for email the ecosystem isn't ready yet. Yes, there are a number of email apps, but probably a handful of most popular ones for the masses (e.g., iPhone, Outlook, Android?) -- focusing on providing guidance for those seems like a good business decision.
For what it's worth, Thunderbird/Mac worked fine, as did QuestMail which one would expect.
|
|
|
09-22-2016, 08:22 PM
|
Postid: 185393
|
|
Site Owner
Join Date: Dec 2001
Posts: 12
|
Re: PCI Compliance - TLSv1.0 Encryption Support
Terra,
I have Thunderbird with Eudora interface. How did you set up a ssh tunnel?
|
|
|
09-22-2016, 08:23 PM
|
Postid: 185394
|
|
Systems Administrator
Join Date: Aug 2001
Location: Orlando, FL
Posts: 2,986
|
Re: PCI Compliance - TLSv1.0 Encryption Support
Thunderbird by default supports TLS1.0 through TLS1.2, though it is possible that it has been configured otherwise or that it has an old setting stuck in the configuration.
If you go into the raw configuration editor (Preferences > Advanced > General > Config Editor) and type tls into the search box to narrow down to the right settings, you will see a min and max. The default is 1-3 where 1 means TLS1.0 and 3 means TLS1.2.
__________________
Kevin
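
The min/max settings described in the post above can also be checked outside the client. The following is an added example, not part of the original post or any FutureQuest tooling: it reads Thunderbird-style `prefs.js` text and reports whether the configured range can reach a server that requires TLS 1.1 or later. The preference names `security.tls.version.min`/`security.tls.version.max` and the sample file contents are assumptions that do not appear in the thread.

```python
import re

# Value meanings: 1 and 3 are as stated in the post; 2 (TLS1.1) lies between them.
TLS_NAMES = {1: "TLS1.0", 2: "TLS1.1", 3: "TLS1.2"}
DEFAULTS = {"min": 1, "max": 3}  # default range given in the post

# Matches only active user_pref lines; lines commented out with // are ignored.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"security\.tls\.version\.(min|max)"\s*,\s*(-?\d+)\s*\)\s*;',
    re.MULTILINE,
)

def name(value):
    return TLS_NAMES.get(value, "value %d" % value)

def tls_range(prefs_text):
    """Return (min, max) as configured, falling back to the defaults."""
    rng = dict(DEFAULTS)
    for bound, value in PREF_RE.findall(prefs_text):
        rng[bound] = int(value)  # a later line overrides an earlier one
    return rng["min"], rng["max"]

def check(prefs_text, server_min=2):
    """server_min=2 models a mail server that has dropped TLS1.0."""
    lo, hi = tls_range(prefs_text)
    if lo > hi:
        return False, "min (%s) is above max (%s)" % (name(lo), name(hi))
    if hi < server_min:
        return False, "max is %s but the server needs %s or later" % (
            name(hi), name(server_min))
    return True, "client offers %s through %s" % (name(lo), name(hi))

# Constructed sample: an old setting "stuck" at TLS1.0 only.
SAMPLE_STUCK = '''// Mozilla User Preferences
user_pref("mail.server.server1.type", "imap");
user_pref("security.tls.version.max", 1);
'''

# Constructed sample: no TLS overrides, so the defaults apply.
SAMPLE_DEFAULT = '''user_pref("mail.server.server1.type", "imap");
// user_pref("security.tls.version.max", 1);
'''

if __name__ == "__main__":
    for label, text in (("stuck", SAMPLE_STUCK), ("default", SAMPLE_DEFAULT)):
        ok, why = check(text)
        print(label, "OK" if ok else "WILL FAIL", "-", why)
```
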
|
|
|
09-22-2016, 08:24 PM
|
Postid: 185395
|
|
CTO FutureQuest, Inc.
Join Date: Jun 1998
Location: Z'ha'dum
Posts: 8,108
|
Re: PCI Compliance - TLSv1.0 Encryption Support
abrams, is it working for you again?
Hobbes, I don't know what we can do at the moment... PCI is forcing this on us and we have no choice but to comply... It boils down to:
"I can't get my ecommerce site PCI certified, therefore I can't sell things"
versus
"I can't read my email with client X via SSL"
We do very much understand the importance of SSL enabled email clients, but as security technology progresses, older protocols are going to be deprecated and removed from the internet (by force via PCI)... The best we can say is pressure now needs to be put onto the vendors that develop email clients and have them support >= TLSv1.1 that has been in existence since 2006...
We did try to hide away a TLSv1.0 service on a non-standard port, but the PCI scan found it and failed us so that option is off the table...
__________________
The FutureQuest Team
|
|
|
09-22-2016, 08:28 PM
|
Postid: 185396
|
|
Site Owner
Join Date: Jun 2000
Posts: 27
|
Re: PCI Compliance - TLSv1.0 Encryption Support
I remember the original notice. I checked my e-mail client at the time (carefully, I thought) and concluded that I would be OK. And yet today I was not OK. :-(
So I don't feel blindsided--but I'm not happy either. The Irritating Complexity Of The Internet can't be hidden away entirely, and this time it is looming at us users. Since I apparently can't tell for myself whether my client is compatible, even though I thought I was expert enough, I feel like I at least need a testing tool to tell me when I've gotten it right. Is there a better way to avoid mistakes?