Latest PHP versions updated

We’ve updated the last 3 PHP versions to their latest releases for customers of and the details for the updates are as follows:

PHP 5.5.33 to 5.5.34 (a security release)

Several critical flaws have been fixed in this release, so all PHP 5.5 users are now encouraged to upgrade to this version for the sake of security. If you use 5.5 for your sites and applications, you will have the new release applied automatically.

The list of changes is recorded in the ChangeLog.

PHP 5.6.19 to 5.6.20 (a security release)

A few security bugs have been fixed in this release. All PHP 5.6 users are encouraged to upgrade to this version.

If you rely on 5.6 for your sites and apps, then the latest release will be applied accordingly.

The list of changes is recorded in the ChangeLog.

PHP 7.0.4 to PHP 7.0.5 (a security release)

A few important security flaws have been fixed to make the latest PHP version more stable.

All PHP 7.0 users are encouraged to upgrade to this version. If you have already selected PHP 7 for your sites and apps, the new release will apply automatically.

The list of changes is recorded in the ChangeLog.



RC4 Cipher No Longer Supported

Insecure RC4 Cipher

Within the last month, major browsers have removed support for the RC4 Cipher, which was an encryption algorithm available for SSL connections.

Academic research found that this cipher had serious design flaws which could allow attackers to decrypt information encrypted with the cipher.

While remarkable for its simplicity and speed in software, multiple vulnerabilities have been discovered in RC4, rendering it insecure. The most important weakness of RC4 comes from the insufficient key schedule; the first bytes of output reveal information about the key.

Support dropped

Support for RC4 was officially dropped with Chrome v48 and Firefox v44, both released in late January. Microsoft’s Edge browser and IE11 will also be dropping support for the cipher.

In Chrome, if an SSL connection is attempted with RC4, a non-bypassable error will be displayed. This will entirely prevent users from accessing such sites.

To see how this error will look to users, visit in your browser(s). Data suggests that less than 10% of sites prioritize the RC4 cipher in modern browsers.


New PCI Standard: Disable SSL 3.0 & TLS 1.0 by June 2016



New guidelines dictating the requirements for PCI Compliance, version 3.1 of PCI Data Security Standards (PCI DSS), were released in April. These guidelines must be followed by all companies that take payments over the Internet. A key part of the new PCI DSS is a set of stricter requirements around the use of TLS (SSL).

PCI DSS v3.1 states that SSL 3.0 and TLS 1.0 “can no longer be used as a security control after June 30th, 2016.” This means that disabling these protocol versions is required in order to be compliant with handling sensitive cardholder data.

Any time we discuss protocols, we like to remind our readers that the true name of the modern protocol is Transport Layer Security (TLS), not SSL. The most recent version of the protocol is TLS 1.2, and the last version to be released under the name “SSL” was SSL 3.0, way back in 1996.

After the POODLE attack discovered late last year, SSL 3.0 was effectively retired. The newest versions of most modern browsers no longer support SSL 3.0, and everyone should check their servers to make sure they have disabled support for that insecure protocol.

Disabling protocol versions is easy – once you locate where your server stores the configuration settings for SSL, it takes less than a few minutes to update. The hard part of meeting these requirements will be to make a risk assessment of your user base to determine if removing TLS 1.0 support will be problematic.
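One way to check a configuration for the settings discussed here, as an added example that is not from the original post: it assumes an nginx server (the post names no server software), uses constructed sample settings, and `audit_nginx_tls` is a hypothetical helper name.

```python
# Constructed sample nginx TLS settings: one legacy, one hardened.
LEGACY = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4-SHA:ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL;
"""
HARDENED = """
ssl_protocols TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:!RC4:!aNULL;
"""

# In nginx syntax "TLSv1" means TLS 1.0.
BANNED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}


def audit_nginx_tls(conf: str) -> list[str]:
    """Report explicitly enabled SSL 3.0 / TLS 1.0 protocols and RC4 ciphers.

    Only explicit directives are checked; a config that omits them falls
    back to nginx defaults, which are not checked here.
    """
    findings = []
    for line_no, raw in enumerate(conf.splitlines(), 1):
        line = raw.split("#", 1)[0].strip().rstrip(";")  # drop comments
        if not line:
            continue
        directive, _, value = line.partition(" ")
        if directive == "ssl_protocols":
            for proto in value.split():
                if proto in BANNED_PROTOCOLS:
                    findings.append(f"line {line_no}: protocol {proto} enabled")
        elif directive == "ssl_ciphers":
            for item in value.strip("\"' ").split(":"):
                # "!" and "-" prefixes remove a cipher from the list.
                if item[:1] in ("!", "-"):
                    continue
                if "RC4" in item.upper():
                    findings.append(f"line {line_no}: cipher {item} enabled")
    return findings


if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY), ("hardened", HARDENED)):
        problems = audit_nginx_tls(conf)
        print(name, "->", problems if problems else "no findings")
```

An empty result only means nothing banned is enabled explicitly; the risk assessment for dropping TLS 1.0 described above still has to be done separately.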

Remember that PCI DSS dictates technical requirements and procedures for servers that are directly handling user payment information, personal records, and administrative access. So if you do not take payments directly, but instead use a provider such as PayPal or Square, you may not have to be PCI Compliant. For companies who do handle payments directly, it’s not necessarily required to make these changes network wide. For many networks and companies this will ease compliance.

So, if you are affected by these changes, how much time do you have?

The deadline for ending support for SSL 3.0 and TLS 1.0 is June 30th, 2016, just about a year from now. However, this comes with some caveats. “Effective immediately, new implementations must not use SSL or [TLS 1.1],” and existing implementations must have a “formal Risk Mitigation and Migration Plan in place.”

So while the hard deadline on abandoning these old SSL protocols is about 12 months away, the easiest option will be to migrate from these protocol versions now.

The PCI Security Standards Council suggests you only support TLS 1.2 for optimal configuration. This is because all protocol versions except for TLS 1.2 are vulnerable, though you may find users’ devices do not support this version, so for practical reasons this may not be possible. If you do keep TLS 1.1 enabled, make sure you optimize your configuration to avoid potential security flaws.

If you or your clients handle user data which requires PCI compliance, you will want to consult directly with their new PCI DSS v3.1 Standards, available here:

A summary of the changes specifically affecting SSL are available here: