Events Important TLS Disablement Notice for your CCBill Account

[brassmonkey]

what??? is this for merchants?
came from "Merchant Support at CCBill"

As a leading Payments-as-a-Service Platform, CCBill maintains a comprehensive and secure system which enables merchants to safely and securely process transactions online. Recently the Payment Card Industry Data Security Standards (PCI DSS) made it a requirement that all payment systems disable early versions of TLS by June 2018. TLS or Transport Layer Security is a method used to encrypt sensitive data across the internet and has been replaced by Secure Sockets Layer (SSL).

In order to maintain our compliance, CCBill will be disabling TLS 1.0 and 1.1 across our platform on the following dates:

5/24/18 – We will temporarily disable TLS 1.0 and TLS 1.1 for a one (1) hour window, at 8am GMT -7 to offer you and your teams time to test your systems and identify any remaining necessary upgrades.
6/8/18 – We will fully disable TLS 1.0 and TLS 1.1 across our entire CCBill environment at 8am GMT -7.

To assist you in this process, we suggest that you contact your web hosting provider, developer, or CMS to ensure that all your connections to the CCBill platform support TLS 1.2.

Thank you for your attention to this matter.

Sincerely,

CCBill Management

[ZENRA]

Just got it.

Yes, if you use CCBill for processing, it may affect you.

[bns666]

got it too...

[Bladewire]

In short, upgrade your site to TLS 2.1 ASAP

SSL & TLS 1.1 have been proven insecure and have been compromised by widely publicized hacks.

This isn't a CCBill issue this is a PCI services issue worldwide.

[Look Chang]

Quote:

Originally Posted by Bladewire

In short, upgrade your site to TLS 2.1 ASAP

Sorry if the question seems inept but what are the requirements for the site / server to be compatible with TLS 2.1 ?

[rowan]

Unless your Apache daemon was compiled 5 years ago your site probably already supports it.

You can check domains here: https://www.ssllabs.com/ssltest/

Don't forget this will also have some effect on the customer side. Anyone with an older browser, or a misconfigured one (I discovered a few months ago that for some reason mine was set to only support TLS 1.1 and specifically ignore TLS 1.2???) will not be able to load the ccbill pages.

[Denny]

Well, I got it too but I'm just an affiliate so I guess I can ignore it.

[rowan]

Quote:

Originally Posted by Denny

Well, I got it too but I'm just an affiliate so I guess I can ignore it.

Yes and no.

It's a bit like Google making Chrome complain about "insecure" sites. Enforcing TLS 1.2 is a good thing in the long run, but in the short term it may cause some browsers (hopefully only a tiny percentage) to no longer be able to access ccbill's signup pages. That will affect affiliates too.

[rowan]

For those familiar with Apache custom logs, this logs the SSL protocol and cipher, as well as the user agent:


<IfModule log_config_module>
LogFormat "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x %{SSL_TLS_SNI}x \"%{User-Agent}i\" \"%r\" %b" ssl
</IfModule>

CustomLog /path/to/log ssl


I've been logging for a few minutes and out of 29 uniques I've already seen a couple of IPs loading only with TLSv1: Android 4.4.2, and Ubuntu 9.04. So there's still old browsers out there.

[rowan]

Some preliminary data, from the past 4 hours:

- 742 unique IPs
- 20 IPs (2.7%) do not support TLS v1.2

That percentage is higher than I expected.

Some notable and unusual user agents:

Mozilla/5.0 (Linux; NetCast; U) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.33 Safari/537.31 SmartTV/5.0

Mozilla/5.0 (Linux; U; Android 2.3.6; en-ca; LG-E400R Build/GRK39F) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 MMS/LG-Android-MMS-V1.2

Opera/9.30 (Nintendo Wii; U; ; 3642; en)