PCI compliance and vulnerabilities mitigation
Both are insufficient for protecting information due to known vulnerabilities. Specifically for Cloudflare customers, the primary impact of PCI is that TLS 1.0 and TLS 1.1 are insufficient to secure payment card related traffic.
Set Minimum TLS Version to 1.2
To configure your Cloudflare domain to only allow connections using TLS 1.2 or newer protocols:
Log in to the Cloudflare dashboard.
Select your Cloudflare account and website or application.
Go to SSL/TLS > Edge Certificates.
For Minimum TLS Version, select TLS 1.2 or higher.
Known vulnerabilities mitigations
There are several mitigations Cloudflare performs against known vulnerabilities for TLS versions prior to 1.2. For example, Cloudflare does not support:
- Header compression in TLS
- Header compression in SPDY 3.1
- SSL 3.0
- Renegotiation with clients
- DHE ciphersuites
- Export-grade ciphers
Cloudflare mitigations protect against several attacks:
- RC4 Cryptographic Weaknesses
- SSL Renegotiation Attack
- Protocol Downgrade Attacks
- 3DES is disabled entirely for TLS 1.1 and 1.2 and Cloudflare implements mitigations for TLS 1.0
Cloudflare provides additional mitigations for:
- Lucky Thirteen
- CCS injection vulnerability
Return of Bleichenbacher’s Oracle Threat (ROBOT)
Security scans that note the presence of ROBOT while on Cloudflare are a false positive. Cloudflare checks padding in real time and swaps to a random session key if the padding is incorrect.
A vulnerability in the use of the Triple DES (3DES) encryption algorithm in the Transport Layer Security (TLS) protocol. Sweet32 is currently a proof of concept attack, there are no known examples of this in the wild. Cloudflare has manually mitigated the vulnerability for TLS 1.0 in the following manner:
- The attacker must collect 32GB of data from a single TLS session.
- Cloudflare forces new TLS 1.0 session keys on the affected 3DES cipher well before 32GB of data is collected.