Dara Security

Migrated from SSL and Early TLS Yet?

May 01, 2018

In 2015, the PCI Council recognized the need to move away from the older versions of the protocols that secure Internet traffic, Secure Sockets Layer and early Transport Layer Security (SSL/early TLS). These cryptographic protocols establish a secure channel between two systems by authenticating one or both of them and protecting the information that passes between them.

PCI has acknowledged that SSL/early TLS is an unsafe method for protecting sensitive data online. In fact, the widespread use of SSL/TLS has motivated attackers to search for flaws, giving rise to serious vulnerabilities such as Heartbleed, POODLE, BEAST, and CRIME. The sobering reality is that there are no known fixes for the protocol vulnerabilities in SSL/early TLS; the only remedy is to stop using those versions.

Online and e-commerce environments that still use SSL/early TLS are the most exposed and should be upgraded immediately if they have not been already. PCI has also encouraged e-commerce merchants to tell their customers about the hazards of using outdated browser software and the resulting risk to customer data.

PCI has set a June 30, 2018 deadline to migrate from SSL/TLS to TLS version 1.2 or higher, which includes disabling any fallback to SSL/TLS.  Many organizations have already acted, knowing full well the consequences of remaining with the weaker security protocols.  Have you?
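One way to verify the migration described above, written here as an added example rather than code from this post or from Dara Security: a Python script that asks a server (the hostname you pass in is an assumption, not a value from the page) whether it still completes a handshake at SSLv3, TLS 1.0 or TLS 1.1, alongside a server-side context pinned at TLS 1.2 so no fallback is possible.

```python
import socket
import ssl

# Versions PCI DSS calls "SSL and early TLS"; TLS 1.1 is included because the migration
# target is TLS 1.2 or higher. The HAS_* flags say whether the local OpenSSL build can
# offer the version at all, which decides whether a probe for it is meaningful.
LEGACY_VERSIONS = {
    "SSLv3":   (ssl.TLSVersion.SSLv3,   ssl.HAS_SSLv3),
    "TLSv1.0": (ssl.TLSVersion.TLSv1,   ssl.HAS_TLSv1),
    "TLSv1.1": (ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
}


def hardened_server_context(certfile=None, keyfile=None):
    """Server context whose floor is TLS 1.2, so it cannot fall back to SSL/early TLS."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if certfile:                        # cert/key paths are caller-supplied placeholders
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def probe_version(host, port, version, timeout=5.0):
    """Handshake pinned to exactly `version`; return the negotiated name, or None if refused."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # protocol acceptance is the question, not identity
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version       # Python 3.10+ floors clients at 1.2 by default
    ctx.maximum_version = version
    try:
        # OpenSSL 3 refuses pre-1.2 handshakes at its default security level; lowering it
        # only changes what this probe offers, not what the server is willing to accept.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass                            # non-OpenSSL backend: probe with its defaults
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


def scan_legacy_versions(host, port=443):
    """Map each legacy version to the negotiated name, None (refused) or 'untestable'."""
    return {
        name: probe_version(host, port, ver) if supported else "untestable"
        for name, (ver, supported) in LEGACY_VERSIONS.items()
    }


def is_migrated(results):
    """True only when every legacy version was tested and refused, i.e. fallback is off."""
    return all(v is None for v in results.values())
```

Run `scan_legacy_versions("shop.example")` against your own host and feed the result to `is_migrated`; an "untestable" entry means the local OpenSSL cannot speak that version, and the check deliberately reports that as not yet verified rather than as passed.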

For more information on migrating from SSL/TLS, view PCI’s resource guide here:

https://www.pcisecuritystandards.org/pdfs/PCI_SSC_Migrating_from_SSL_and_Early_TLS_Resource_Guide.pdf