WhyNoPadlock warns for TLSv1

I ran the WhyNoPadlock.com check on my site and get one warning:

  • You currently have TLSv1 enabled.
  • This version of TLS is being phased out. This warning won’t break your padlock, however if you run an eCommerce site, PCI requirements state that TLSv1 must be disabled by June 30, 2018.

This is a new Ubuntu 18.04 installation with Certbot 0.31.

Why this warning when everything is up to date?

Hi @musicpanda,

This is a compatibility vs. security trade-off.

Certbot chose to use defaults taken from

https://mozilla.github.io/server-side-tls/ssl-config-generator/

As you can see, there are “modern”, “intermediate”, and “old” configurations (which choose different points along the security and browser compatibility trade-off—“modern” is most secure and least compatible, while “old” is least secure and most compatible).

The default that we chose based on Mozilla’s recommendations does not comply with the PCI requirements because it allows the obsolete TLSv1 protocol (which some old browsers still require). You can configure this in /etc/letsencrypt/options-ssl-apache.conf, where you could choose to add -TLSv1 to the end of the SSLProtocol line (to comply with the PCI requirement) or -TLSv1 -TLSv1.1 to comply with Mozilla’s “modern” recommendation in this specific regard.

Maybe we should ask Mozilla if they want to revisit this issue in their recommendations in light of subsequent developments and the passage of time.

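As an added illustration of the SSLProtocol edit described in the reply above (this is example code, not Certbot's or Apache's own): it parses an SSLProtocol line with Apache 2.4 mod_ssl semantics, reports which versions stay enabled, and appends the -TLSv1 (or -TLSv1 -TLSv1.1) tokens. The config fragment is a constructed stand-in for options-ssl-apache.conf, and the expansion of "all" is an assumption stated in the comments.

```python
# Assumption: Apache 2.4 mod_ssl semantics for SSLProtocol. "all" expands to the
# list below (SSLv2 is never available on 2.4; TLSv1.3 needs OpenSSL 1.1.1+),
# "+name" or a bare name adds a protocol, "-name" removes one, later tokens win.
ALL_EXPANDS_TO = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
KNOWN = {p.lower(): p for p in ALL_EXPANDS_TO + ["SSLv2"]}


def enabled_protocols(directive):
    """Return the set of protocol versions an SSLProtocol line leaves enabled."""
    tokens = directive.split()
    if not tokens or tokens[0].lower() != "sslprotocol":
        raise ValueError("not an SSLProtocol directive")
    enabled = set()
    for tok in tokens[1:]:
        remove = tok.startswith("-")
        name = tok.lstrip("+-").lower()
        names = ALL_EXPANDS_TO if name == "all" else [KNOWN[name]]  # KeyError on typos
        for n in names:
            enabled.discard(n) if remove else enabled.add(n)
    return enabled


def harden(directive, drop=("TLSv1",)):
    """Append a -X token for each protocol in `drop` the line does not already disable."""
    tokens = directive.split()
    for p in drop:
        if f"-{p}" not in tokens:
            tokens.append(f"-{p}")
    return " ".join(tokens)


def find_sslprotocol(conf_text):
    """First non-comment SSLProtocol line of an Apache config fragment, or None."""
    for line in conf_text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and s.lower().startswith("sslprotocol"):
            return s
    return None


# Constructed stand-in for /etc/letsencrypt/options-ssl-apache.conf (not the real file).
SAMPLE_CONF = """\
# This file contains important security parameters.
SSLEngine on
SSLProtocol             all -SSLv2 -SSLv3
SSLHonorCipherOrder     on
"""

if __name__ == "__main__":
    line = find_sslprotocol(SAMPLE_CONF)
    print("enabled:", sorted(enabled_protocols(line)))
    print("PCI: TLSv1 still enabled" if "TLSv1" in enabled_protocols(line) else "PCI OK")
    print("hardened:", harden(line, ("TLSv1", "TLSv1.1")))
```

Run it against the real file's SSLProtocol line (for example after `grep -i '^SSLProtocol' /etc/letsencrypt/options-ssl-apache.conf`) to see which versions a given line actually leaves on before you edit it; remember to reload Apache afterwards.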

By the way, the “PCI” reference is to the PCI DSS

which is a set of industry rules covering entities that accept credit cards. In the past, these and similar rules were the biggest reason that sites would adopt HTTPS. Nowadays, more sites that aren’t subject to PCI DSS and merchant rules are adopting HTTPS, but the rules still have a significant effect on online standards, and that’s why security scanner tools often reference their requirements.

We’ve effectively implicitly assumed that sites that are subject to these rules will have their own compliance process in which they make necessary changes and configurations (just turning on HTTPS isn’t enough to become compliant!), but maybe we should also make that clearer.
