Time is (almost) up for SSL/early-TLS

June 30th 2018 is closing in!

After that date, SSL v3 and early versions of TLS (i.e. 1.0 and 1.1) must be disabled, and only TLS 1.2 will be accepted, as per PCI DSS requirements 2.2.3, 2.3 and 4.1.

Many companies and service providers still run web servers that accept vulnerable versions of SSL or TLS, and some of them have only a weak remediation plan, or none at all, for migrating to TLS 1.2.
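As an added example (not code from the original post), a small Python 3 script covering both sides of the requirement above: hardening a server-side SSLContext so it only accepts TLS 1.2 and newer, and probing one of your own servers to see which SSL/early TLS versions it still negotiates. The host name and port are assumptions; the script uses only the standard library.

```python
import socket
import ssl

# PCI DSS groups SSLv3, TLS 1.0 and TLS 1.1 together as "SSL/early TLS";
# all three must be disabled after 30 June 2018.
EARLY_TLS = (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)


def early_tls_still_enabled(min_version):
    """Return the early versions a context with this minimum_version would still accept."""
    # ssl.TLSVersion is an IntEnum ordered by wire version; MINIMUM_SUPPORTED (-2)
    # sorts below every real version, so it enables all of them.
    return [v for v in EARLY_TLS if v >= min_version]


def harden_context(ctx):
    """Restrict an SSLContext to TLS 1.2 and newer (PCI DSS 2.2.3 / 2.3 / 4.1 after the deadline)."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def probe_server(host, port=443, versions=EARLY_TLS + (ssl.TLSVersion.TLSv1_2,), timeout=5.0):
    """Attempt one handshake per protocol version against your own server.

    Returns {version name: negotiated version string or None}. Certificate checks are
    off because only version negotiation is under test. A None result only means this
    client could not negotiate that version: a modern OpenSSL may itself refuse SSLv3 or
    TLS 1.0 at its security level, so confirm a "clean" result with a second tool.
    """
    results = {}
    for version in versions:
        try:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            ctx.minimum_version = version  # pin the client to exactly one version
            ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[version.name] = tls.version()
        except (ssl.SSLError, OSError, ValueError):
            results[version.name] = None
    return results


if __name__ == "__main__":
    import sys
    # Assumed target: a host you administer; "example.com" is only a placeholder.
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    for name, negotiated in probe_server(host).items():
        print(f"{name:8} {'NEGOTIATED ' + negotiated if negotiated else 'refused'}")
```

Any line other than TLSv1_2 reported as NEGOTIATED is a finding against requirements 2.2.3, 2.3 and 4.1.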

Given the number of known attacks on SSL/early TLS, such as BEAST, POODLE and the birthday attack, how easy they are to execute and how severe their consequences can be, a couple of questions stand out:

  • Does it really make sense to risk so much just to let users of outdated Android (4.0.4 and earlier), Internet Explorer (9 and earlier) or old Mozilla/Chrome/Safari builds access the service?
  • Is it only because of PCI DSS compliance that SSL/early TLS is being dismissed? Is it compliance, then, that drives security?

The answer to the last question is of course a big “NO”, but then:

  • Why is it so difficult to make people understand that security is important and not just a burden?

Well, the answer probably lies in the awareness and education of end users, customers and managers, especially in showing them what happens when the event-that-should-not-be-named occurs.

If you want to read a bit about Transport Layer Security (TLS), formerly known as Secure Sockets Layer (SSL), you might want to take a look at the following links:

https://en.wikipedia.org/wiki/Transport_Layer_Security

https://tools.ietf.org/html/rfc5246

https://tools.ietf.org/html/rfc6176
