This article applies to:

• Trustwave MailMarshal (SEG)
• Trustwave ECM/MailMarshal Exchange
• SEG Service Provider Edition/MailMarshal SPE
• Marshal Reporting Console
• All web sites created by the products

Question:

• What are the recommended practices for secure (HTTPS) access to product websites?

Information:

Trustwave recommends that SSLv2 and SSLv3 should be disabled on all web servers that provide service for the named products (such as SQM/End user spam and quarantine management, remote consoles, and reporting consoles), if the sites are secured with HTTPS. These protocol versions are older and have known vulnerabilities. For example, CVE-2014-3566 ("Poodle") is a vulnerability in the SSLv3 protocol that potentially allows an attacker to view the plain text of encrypted material.

• Some regulatory frameworks and companies are recommending and even requiring that TLSv1.0 and TLSv1.1 be disabled as well.

Notes:

For technical details of how to disable SSLv2 and SSLv3 on Windows servers, refer to Microsoft documentation.

• See Microsoft Knowledge Base article 245030.
• A more detailed explanation can be found in this TechNet blog post.
• A free third party tool that might be of use to simplify the process, for any version of TLS/SSL, is IISCrypto from Nartac Software.