June 30th 2018 is closing in!
After that date, SSL v3 and early versions of TLS (e.g. 1.0 or 1.1) must be disabled and only TLS 1.2 will be accepted, as per PCI DSS requirements 2.2.3, 2.3 and 4.1.
There are a lot of companies and service providers whose web servers still use vulnerable versions of SSL or TLS, and some of them still have very weak or unplanned remediation plans for migrating to TLS 1.2.
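The quickest way to find out whether your own web server is one of those still accepting SSL/early TLS is to ask it. The script below is an added example, not part of the original post: it pins a client context to one protocol version at a time, records whether the server completes the handshake, and reports which of the accepted versions PCI DSS requires you to disable. The host and port are placeholders; the `"no protocols available"` string match is a heuristic for the case where the client's own OpenSSL refuses to offer an old version, so such results are reported as untestable rather than as a pass.

```python
"""Audit which SSL/TLS protocol versions a server still accepts.

Added example (not part of the original post). Assumes Python 3.7+ with an
OpenSSL-backed ``ssl`` module; the default target below is a placeholder.
"""
import socket
import ssl

# Versions a PCI DSS migration plan has to retire, plus the one that must
# remain. SSLv3 cannot be probed through ssl.TLSVersion on current Python
# builds, so it is outside the scope of this probe.
PROBES = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}
ALLOWED = {"TLSv1.2"}


def _probe_context(version):
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we test protocol support, not identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # Lower the client's own OpenSSL security level so that an old
        # protocol can be offered at all; otherwise the client, not the
        # server, refuses and the result would be meaningless.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass                        # builds without security levels
    return ctx


def probe(host, port, version, timeout=5.0):
    """Return 'accepted', 'rejected' or 'untestable' for one version."""
    try:
        ctx = _probe_context(version)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "untestable"
    except ssl.SSLError as exc:
        # Heuristic: OpenSSL reports NO_PROTOCOLS_AVAILABLE when *our* side
        # cannot offer the version; anything else is the server declining.
        if "no protocols available" in str(exc).lower():
            return "untestable"
        return "rejected"
    except (OSError, ValueError):
        return "untestable"         # unreachable host or unsupported version


def scan(host, port=443):
    """Probe every version in PROBES against one host:port."""
    return {name: probe(host, port, ver) for name, ver in PROBES.items()}


def noncompliant(results):
    """Versions the server accepted that PCI DSS says must be disabled."""
    return sorted(v for v, state in results.items()
                  if state == "accepted" and v not in ALLOWED)


def verdict(results):
    """Human-readable summary of a scan result."""
    bad = noncompliant(results)
    if bad:
        return "NON-COMPLIANT: still accepts " + ", ".join(bad)
    if results.get("TLSv1.2") != "accepted":
        return "INCONCLUSIVE: TLS 1.2 not confirmed"
    return "COMPLIANT: only TLS 1.2 accepted"


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder
    res = scan(target)
    for name, state in res.items():
        print(f"{name:8} {state}")
    print(verdict(res))
```

Run it as `python tls_audit.py your.host.example` against a server you operate. An INCONCLUSIVE or untestable result is not a pass: confirm it with `openssl s_client -tls1` (or `-tls1_1`) from a machine whose OpenSSL still supports those versions before ticking the box on a remediation plan.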
Given the large number of known exploits against SSL/early TLS, such as BEAST, POODLE and the birthday attack, the ease of executing them and the severe consequences they can have, a couple of questions stand out:
- Does it really make sense to take on so much risk just so that users of an outdated Android (v4.0.4 and earlier), Internet Explorer (v9 and earlier) or old Mozilla/Chrome/Safari browser can still access the service?
- Is it only because of PCI DSS compliance that SSL/early TLS will be retired? Is it compliance, then, that drives security?
The answer to the last question is of course a big “NO”, but then:
- Why is it so difficult to make people understand that security is important and not just a burden?
Well, the answer probably lies in the awareness and education of end users, customers and managers, especially in showing them what could happen if the event-that-should-not-be-named actually happens.
If you want to read a bit about Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL), you might want to take a look at the following links: