X-Cart: shopping cart software


ambal 11-23-2017 01:21 AM

Important!!! Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS
 
https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

Some say it is going to be "illegal" to use IE6-10

https://scontent.fhel2-1.fna.fbcdn.net/v/t1.0-9/23915497_1618181404894529_7957804125984914032_n.png?oh=0fbdb2b451de009cf97b7c7bbb049c0e&oe=5AA11F10

cflsystems 11-23-2017 07:12 AM

Re: Important!!! Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS
 
This also says "Additionally, use of weak cipher suites or unapproved algorithms – e.g., RC4, MD5, and others – is not allowed."

XC uses MD5 for hashing just about everywhere...

Quote:

Some say it is going to be "illegal" to use IE6-10

Same should apply to earlier versions of Chrome, Firefox, etc.
So yes, I guess we are going back to the really annoying messages showing on sites - please update your browser or use blah-blah-blah...

Maybe off topic but I don't hear PCI council saying anything about the Equifax case. This just makes PCI not creditable in my eyes at all... But they are the ones writing the rules for everyone to follow.

Triple A Racing 11-23-2017 09:14 PM

Re: Important!!! Are You Ready for 30 June 2018? Saying Goodbye to SSL/early TLS
 
Quote:

Originally Posted by cflsystems
This also says "Additionally, use of weak cipher suites or unapproved algorithms – e.g., RC4, MD5, and others – is not allowed." XC uses MD5 for hashing just about everywhere...

MD5 "....has been found to suffer from extensive vulnerabilities" (sic), and it's not the only dated security process that XC are/was using.
We'll be re-inspecting some particular bug fixes once the next upgrades are available at Merchant Wave.

Quote:

Originally Posted by cflsystems
Same should apply to earlier versions of Chrome, Firefox, etc So yes I guess we are going back to the really annoying messages showing on sites - please update your browser or use blah-blah-blah...

We exclude SSL 1.0, 2.0, 3.0 and TLS 1.0 by default and are using TLS 1.2 and TLS 1.3 ciphers only.
That means that some old browser and/or O/S users simply can't visit us at all. We're happy with that. C'est La Vie :D

Quote:

Originally Posted by cflsystems
Maybe off topic but I don't hear PCI council saying anything about the Equifax case. This just makes PCI not creditable in my eyes at all... But they are the ones writing the rules for everyone to follow.

The PCI crowd, sadly, like many other "authorities", are in the "do as we say, not do as we do" club. ;)

