This article applies to:
- Trustwave MailMarshal (SEG)
- Trustwave ECM/MailMarshal Exchange
- SEG Service Provider Edition/MailMarshal SPE
- Marshal Reporting Console
- All web sites created by the products
Question:
- What are the recommended practices for secure (HTTPS) access to product websites?
Information:
Trustwave recommends disabling SSLv2 and SSLv3 on all web servers that host sites for the named products (such as SQM/end user spam and quarantine management, remote consoles, and reporting consoles) when those sites are secured with HTTPS. These protocol versions are obsolete and have known vulnerabilities. For example, CVE-2014-3566 ("POODLE") is a padding oracle weakness in the CBC-mode cipher suites of SSLv3 that lets an attacker positioned between client and server recover plaintext (such as session cookies) from encrypted traffic. It remains exploitable for as long as the server still accepts SSLv3 connections, even if the server prefers TLS, because an attacker can usually force a client to fall back to SSLv3; the complete fix is to stop offering the protocol.
- Some regulatory frameworks and companies recommend, and in some cases require, that TLSv1.0 and TLSv1.1 be disabled as well (PCI DSS, for example, has required SSL and early TLS to be retired since mid-2018, and the IETF formally deprecated TLS 1.0 and 1.1 in RFC 8996). Before disabling them, confirm that every client of the sites (browsers, and any product components or scripts that connect to them) supports TLSv1.2.
Notes:
For technical details of how to disable SSLv2 and SSLv3 on Windows servers, refer to Microsoft documentation. The settings are registry values under the Schannel Protocols key, they apply to every Schannel user on the server (not only IIS), and they take effect after a restart.
- See Microsoft Knowledge Base article 245030.
- A more detailed explanation can be found in this TechNet blog post.
- A free third-party tool that can simplify the process, for any version of TLS/SSL, is IISCrypto from Nartac Software.
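As an added example (not code from Trustwave, Microsoft, or the article above), the following PowerShell applies the registry settings that Microsoft Knowledge Base article 245030 documents and then reads the resulting state back so the change can be verified before the restart. The registry path, the protocol key names, and the `Enabled` and `DisabledByDefault` value names are Microsoft's documented Schannel settings; the function names and the reporting format are this example's own. Run it from an elevated PowerShell session on the server that hosts the product web sites.

```powershell
#Requires -RunAsAdministrator
# Added example, not Trustwave's or Microsoft's code: disable SSL 2.0 and SSL 3.0
# in Schannel and report each protocol's state. A restart is required before
# Schannel (and therefore IIS) picks up the change.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Disable-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string[]]$Protocol,      # e.g. 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'
        [string[]]$Side = @('Server', 'Client')         # Server = inbound, Client = connections this host initiates
    )
    foreach ($p in $Protocol) {
        foreach ($s in $Side) {
            $key = Join-Path (Join-Path $SchannelProtocols $p) $s
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            # Enabled = 0 turns the protocol off entirely. DisabledByDefault = 1 additionally
            # stops applications that do not name a protocol explicitly from negotiating it.
            New-ItemProperty -Path $key -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

function Get-SchannelProtocolState {
    # One row per protocol/side: Disabled, DisabledByDefault, Enabled, or OS default (no override present).
    param([string[]]$Protocol = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'))
    foreach ($p in $Protocol) {
        foreach ($s in 'Server', 'Client') {
            $key = Join-Path (Join-Path $SchannelProtocols $p) $s
            $enabled = $null
            $dbd = $null
            if (Test-Path $key) {
                $props = Get-ItemProperty -Path $key
                $enabled = $props.Enabled
                $dbd = $props.DisabledByDefault
            }
            if ($enabled -eq 0) { $state = 'Disabled' }
            elseif ($dbd -eq 1) { $state = 'DisabledByDefault' }
            elseif ($null -eq $enabled -and $null -eq $dbd) { $state = 'OS default' }
            else { $state = 'Enabled' }
            [pscustomobject]@{
                Protocol          = $p
                Side              = $s
                Enabled           = $enabled
                DisabledByDefault = $dbd
                State             = $state
            }
        }
    }
}

# The two protocols this article covers. Add 'TLS 1.0', 'TLS 1.1' to the list only after
# confirming that every client of the product web sites can negotiate TLS 1.2.
Disable-SchannelProtocol -Protocol 'SSL 2.0', 'SSL 3.0'
Get-SchannelProtocolState | Format-Table -AutoSize
Write-Host 'Restart the server for the Schannel changes to take effect.'
```

Two practical notes. The `Client` subkey governs TLS connections the server itself initiates, so if any outbound integration from this host still depends on SSLv3 it will break once the Client side is disabled; test those before applying the change, or pass `-Side Server` to restrict the change to inbound connections. After the restart, confirm from a separate host that the site refuses SSLv3, for example with `openssl s_client -connect host:443 -ssl3`, which should fail to complete a handshake; bear in mind that current OpenSSL builds usually have SSLv3 compiled out, in which case that option is rejected locally and an online TLS scanner or IISCrypto's own test is a simpler check.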