Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Asked Answered
S

4

4

Do I risk losing sales by disabling SSL 2.0 and PCT 1.0 in IIS5?

Clarification: Sales would be lost by client not being able to connect via SSL to complete ecommerce transaction because SSL 2.0 or PCT 1.0 is disabled on the web server.

Microsoft kbase article: http://support.microsoft.com/kb/187498

Stans answered 15/9, 2008 at 16:50 Comment(1)
#882063Guilder
D
5

Modern browsers either don't appear to support SSLv2 at all (Google Chrome, Opera 9.52, Firefox) or have it disabled by default (IE7, IE8).

That said, are you concerned about losing business from people using much-less-than-modern web browsers?

Possibly more importantly, are you concerned about your customers' security? Even if they can only connect using SSLv2, do you want them performing secure transactions with you using a protocol that is known to be insecure (see Google)?

As a computer professional, I would not hesitate to recommend to management that SSLv2 be disabled. I would leave it up to the bean counters to determine whether they think the additional income is worth the potential liability.

Diocesan answered 15/9, 2008 at 19:51 Comment(0)
G
2

No. The number of users with support for SSLv2 at all, much less SSLv2 only, is negligible. It has been obsolete since 1996, and is disabled or not even included in all modern browsers of significance.

Guilder answered 18/9, 2008 at 20:13 Comment(0)
S
1

Only you can really answer that question. Your customers' experience of your site will be mediated by their browser. The first place to look for browser information is at a listing of the user-agents that are being used to access your website. Hopefully you have a good log analyzer such as Analog, Weblog, Google Analytics, WebTrends, etc. This is the first place to look and should give you a good idea of the SSL level that your general community supports.

You may also want to alter your application to check for the SSL level supported by your users' browsers that get to the "complete ecommerce transaction" part of your website. This is the best method to determine if you are turning away customers.

Remember that the SSL level is auto negotiated between the server and the client (best encryption used first) so you don't necessarily need to disable older versions, but you could pop up a message to the user encouraging them to upgrade.

Slurp answered 15/9, 2008 at 17:54 Comment(0)
H
0

Presumably you use SSL to protect users from man-in-the-middle or other attacks, yes? SSLv2 is useless for this. Disable it -- the number of users who use a browser without SSLv3 or TLS support is vanishingly small, and it's easier to make them somebody else's problem than explain why somebody in Nigeria is using their credit card.

Humfried answered 15/9, 2008 at 19:55 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.