NutraTalk Blog

Updated Security on Hardy Nutritionals® Website

Posted on: March 20, 2017 by Hardy Nutritionals®

In an effort to continue providing the most secure online experience for our customers, Hardy Nutritionals® has updated our website security protocols and is continually working with our merchant provider to ensure that the latest, most secure standard for website e-commerce is implemented. This security update may affect the ability of some users to view or complete shopping transactions on our website as older versions of web browsers do not support these latest security standards.

If you use Windows 10 and have the latest updates from Microsoft, you should be OK. If you currently use Internet Explorer Versions 7-10, you may not be able to view our website properly. You can download the latest version of the Internet Explorer browser, or download another browser such as Chrome or Firefox.

We hope our security measures do not cause any inconvenience. If you have any problems placing an order online, please contact us by calling (855) 955-1114 and we will be happy to help you place your order.

Below is some background information to help you understand why these changes are necessary to keep your online shopping experience safe and secure.

In April 2015, the PCI Security Standards Council (PCI SSC) issued initial guidance and removed SSL as an example of strong cryptography from the PCI Data Security Standard (PCI DSS), stating that it can no longer be used as a security control after 30 June 2016. After seeking extensive marketplace feedback, the PCI Security Standards Council revised and updated the sunset dates. In total, the revisions state:

  • All processing and third party entities – including Acquirers, Processors, Gateways and Service Providers – must provide a TLS 1.1 or greater service offering by June 2016.
  • Consistent with the existing language in the DSS v3.1, all new implementations must be enabled with TLS 1.1 or greater.
  • All processing and third party entities must cut over to a secure version of TLS (as defined by NIST) effective June 2018.
  • SSL/TLS 1.0 may continue to be used beyond June 2018 within a POI terminal that can be verified as not being susceptible to all known exploits for SSL and early TLS, with no demonstrative risk, consistent with the existing language in the DSS v3.1 for such an exception.

For more than 20 years Secure Sockets Layer (SSL) has been one of the most widely used encryption protocols. It remains in widespread use today despite the existence of a number of security vulnerabilities and its deprecation by NIST in 2014. According to NIST, there are no fixes or patches that can adequately repair SSL or early TLS. Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.

In April 2015, after extensive marketplace feedback, PCI SSC removed SSL as an example of strong cryptography from the PCI Data Security Standard (PCI DSS) v3.1, stating that it can no longer be used as a security control after 30 June 2016. During the implementation period of PCI DSS v3.1, PCI SSC continued to seek feedback from the market, and has now revised and updated the sunset dates. The new date of June 2018 offers additional time to migrate to more secure protocols, but waiting is not recommended. The existence of the POODLE and Heartbleed exploits, among others, proves that anyone using SSL and early TLS risks being breached. In total, the revisions state:

  1. All processing and third party entities – including Acquirers, Processors, Gateways and Service Providers – must provide a TLS 1.1 or greater service offering by June 2016.
  2. Consistent with the existing language in PCI DSS v3.1, all new implementations must be enabled with TLS 1.1 or greater. TLS 1.2 is recommended. (New implementations are those with no existing dependency on the use of the vulnerable protocols; see PCI SSC Information Supplement: Migrating from SSL and Early TLS.)
  3. All entities must cut over to use only a secure version of TLS (as defined by NIST) effective 30 June 2018 (with the following exception).
  4. SSL/early TLS may continue to be used beyond June 2018 within a Point of Interaction (POI) terminal and its termination point that can be verified as not being susceptible to all known exploits for SSL and early TLS, with no demonstrative risk, consistent with the existing language in PCI DSS v3.1 for such an exception.

What is SSL/TLS?

A: Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure communications channel between two systems. It is used to authenticate one or both systems, and protect the confidentiality and integrity of information that passes between systems.

What is the history of SSL/TLS?

A: TLS was originally developed as SSL (Secure Sockets Layer) by Netscape in the early 1990s. Standardized by the Internet Engineering Task Force (IETF), TLS has undergone several revisions to improve security, block known attacks and add support for new cryptographic algorithms, with major revisions in SSL 3.0 in 1996, TLS 1.0 in 1999, TLS 1.1 in 2006, and TLS 1.2 in 2008.

What are the SSL/TLS Vulnerabilities?

A: Because of their widespread use online, SSL and TLS have been targeted by security researchers and attackers. Many vulnerabilities in SSL and TLS have been uncovered over the past 20 years.

What are the different classes of vulnerabilities?

A: There are three broad classes:

  • Protocol vulnerabilities: there are many! Cryptographic vulnerabilities in either the SSL/TLS protocol itself, or in how it uses cryptographic algorithms, e.g., POODLE, BEAST, CRIME.
  • Implementation vulnerabilities: vulnerabilities in TLS software, e.g., Heartbleed's buffer over-read vulnerability in OpenSSL.
  • Configuration vulnerabilities: e.g., weak cipher suites or key sizes, such as the Logjam attacks that exploit export-grade cryptography.

What are the impacts of vulnerabilities?

A: Two main impacts:

  • Loss of confidentiality or integrity: many of the attacks, particularly protocol vulnerabilities, allow for man-in-the-middle attacks in which an attacker can decrypt sensitive information.
  • Loss of cryptographic keys: in some of the most serious cases, vulnerabilities could allow an attacker to steal long-lived cryptographic keys.

Who is most susceptible to SSL vulnerabilities?

A: Online and e-commerce environments using SSL (and early versions of TLS) are most susceptible to the SSL exploits and attacks and should be upgraded immediately. With that being said, the PCI DSS migration date of 30 June 2018 applies to all environments (except for POI environments as stated above).
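The Q&A above gives the policy in words: SSL 3.0 and TLS 1.0 are "SSL/early TLS" and must be disabled (with no fallback), TLS 1.1 is the floor, TLS 1.2 is recommended, and export-grade or otherwise weak cipher suites are a configuration vulnerability. The following is an added example, not code from Hardy Nutritionals or from PCI SSC, showing how a defender can apply that policy mechanically to a captured TLS ServerHello (for instance, one pulled from a packet capture of a merchant site's handshake). It assumes the raw record is available as bytes; the version thresholds are taken from the article, the cipher suite numbers are the IANA registry values, and the sample records are constructed inline.

```python
"""Classify a captured TLS ServerHello against the SSL/early-TLS sunset policy.

Added example (assumptions: raw record bytes in hand; thresholds from the
article; constructed sample input). Not Hardy Nutritionals' or PCI SSC's code.
"""
import struct

CONTENT_TYPE_HANDSHAKE = 22      # TLS record content type (RFC 5246)
HANDSHAKE_TYPE_SERVER_HELLO = 2  # handshake message type (RFC 5246)

VERSION_NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
MINIMUM_VERSION = (3, 2)         # TLS 1.1: the PCI DSS v3.1 floor quoted in the article
RECOMMENDED_VERSION = (3, 3)     # TLS 1.2

# 40-bit / DES40 "export" suites (the Logjam-style downgrade targets) and
# NULL/RC4 suites: weak cipher suites under the "configuration vulnerabilities" class.
EXPORT_SUITES = {0x0003, 0x0006, 0x0008, 0x0011, 0x0014, 0x0017}
NULL_OR_RC4_SUITES = {0x0001, 0x0002, 0x0004, 0x0005}


def build_server_hello(version, cipher_suite):
    """Build a minimal ServerHello record (constructed sample input, no extensions)."""
    major, minor = version
    server_random = bytes(range(32))                       # fixed stand-in for the 32-byte random
    hello = (bytes([major, minor]) + server_random
             + b"\x00"                                     # session_id length 0
             + struct.pack("!H", cipher_suite)
             + b"\x00")                                    # compression_method null
    handshake = bytes([HANDSHAKE_TYPE_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([CONTENT_TYPE_HANDSHAKE, major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_server_hello(record):
    """Parse record header, handshake header and ServerHello body.

    Returns the negotiated version and cipher suite; raises ValueError for
    anything that is not a well-formed ServerHello, so a truncated or
    unrelated record is never silently classified.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != CONTENT_TYPE_HANDSHAKE:
        raise ValueError(f"not a handshake record (content type {content_type})")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4:
        raise ValueError("record length does not match available bytes")
    hs_type, hs_len = body[0], int.from_bytes(body[1:4], "big")
    if hs_type != HANDSHAKE_TYPE_SERVER_HELLO:
        raise ValueError(f"not a ServerHello (handshake type {hs_type})")
    hello = body[4:4 + hs_len]
    # ServerHello: version(2) random(32) session_id<0..32> cipher_suite(2) compression(1)
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ServerHello")
    sid_len = hello[34]
    offset = 35 + sid_len
    if sid_len > 32 or len(hello) < offset + 3:
        raise ValueError("truncated ServerHello after session_id")
    cipher_suite = struct.unpack("!H", hello[offset:offset + 2])[0]
    return {"record_version": (rec_major, rec_minor),
            "version": (hello[0], hello[1]),
            "cipher_suite": cipher_suite}


def assess(parsed):
    """Apply the sunset policy to a parsed ServerHello and list the findings."""
    version, suite = parsed["version"], parsed["cipher_suite"]
    name = VERSION_NAMES.get(version, "unknown version %d.%d" % version)
    findings = []
    if version < MINIMUM_VERSION:
        findings.append(f"{name} is SSL/early TLS: disable it and remove any fallback to it")
    elif version < RECOMMENDED_VERSION:
        findings.append(f"{name} meets the TLS 1.1 minimum; TLS 1.2 is recommended")
    if suite in EXPORT_SUITES:
        findings.append(f"export-grade cipher suite 0x{suite:04X} negotiated (Logjam-class weakness)")
    elif suite in NULL_OR_RC4_SUITES:
        findings.append(f"NULL/RC4 cipher suite 0x{suite:04X} negotiated")
    compliant = version >= MINIMUM_VERSION and suite not in (EXPORT_SUITES | NULL_OR_RC4_SUITES)
    return {"version": name, "cipher_suite": suite, "compliant": compliant, "findings": findings}


if __name__ == "__main__":
    # Constructed samples: a legacy TLS 1.0 handshake, a TLS 1.2 handshake that
    # negotiated an export suite, and a TLS 1.2 handshake with ECDHE-RSA-AES128-GCM-SHA256.
    for label, rec in [("legacy", build_server_hello((3, 1), 0x002F)),
                       ("export", build_server_hello((3, 3), 0x0014)),
                       ("modern", build_server_hello((3, 3), 0xC02F))]:
        print(label, assess(parse_server_hello(rec)))
```

The parser deliberately refuses anything it cannot fully account for rather than guessing, because a classifier that reads a truncated or non-handshake record as "TLS 1.2" would hide exactly the legacy fallback the policy is trying to remove. The version check and the cipher suite check are kept separate so that a server can be flagged for either problem on its own: a TLS 1.2 handshake that still offers an export suite is a configuration vulnerability even though the protocol version passes.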

Read more information on PCI Security.
