March 16, 2018

Posted in:

SSL and TLS, what is the Big Deal About June 30th?

Is your business a payment card processor or ecommerce solution that is confused or struggling with the looming June 30, 2018 deadline to meet the requirements for use of modern encryption (TLS1.1 and 1.2)? If so, this information is for you.

What is SSL and TLS?

Secure Socket Layer (SSL) and Transport Layer Security (TLS) are cryptographic protocols that are used to secure transmissions between two systems. Typically, in a website setup the “two systems” are the web server and a client web browser on a client device. To put this more simply, the browser and client are things such as Chrome, Internet Explorer, Firefox or Safari browsers on a computer, tablet or mobile phone. To a general user, this is visible in the browser address bar when it lists the address as HTTPS://… or has the “key” or “lock” icon in the browser.

SSL is an older protocol that that was developed in the 1990’s. The last release of SSL, version 3.0 was released in 1996. Due to numerous vulnerabilities, SSL in any version is no longer considered secure as of 2014.

TLS has replaced SSL in all forms. TLS 1.0 was released in 1999 and there have been two subsequent updates (TLS1.1 in 2006 and TLS1.2 in 2008). A new release, TLS 1.3 is pending with a release date to be announced. Like SSL 3.0, TLS 1.0 is considered unsecure and should not be used. Of all the versions, SSL 1-3 and TLS 1-1.2, systems should only be using TLS 1.1 and 1.2 with 1.2 preferred.

More information about SSL and TLS can be found here.

What is the big deal with June 30, 2018?

In April of 2015, after recognition that all versions of SSL and TLS1.0 were vulnerable to attacks (e.g. POODLE), the Payment Card Industry (PCI) released new Data Security Standards (DSS) that declared these versions of cryptographic protocols to be unsecure. They identified that systems processing credit cards, after December 30, 2015, would no longer be ‘compliant’ if they ran one of the older cryptographic protocols.

When companies began to modify their webservers to only allow the client browsers to connect to them with compliant cryptographic protocols (TLS 1.1 and 1.2), many website operators found that customers could not connect to their websites. This was due to about 5-7% percent of computer users still using older browsers that could not support the newer cryptographic protocols. The problem and backlash was significant enough that the PCI direction was revised to terminate the use of older SSL and TLS by June 30, 2018.

It is estimated that currently 2-4% of computer browsers are still not capable of communicating on authorized cryptographic protocols of TLS 1.1 or 1.2.

What can I do about this?

In order for a website operator to claim or be ‘PCI Compliant’ while using older SSL and TLS 1.0 between December 30, 2015 and June 30, 2018, they would have to had submitted a mitigation and migration plan to a PCI Authorized Scanning Vendor (ASV) on a quarterly basis. After June 2018, ASV’s will no longer accept mitigation and migration plans as an exception. Companies that are not compliant by June 30, 2018 will no longer be compliant or allowed to claim compliance.

Leading security experts, including the U.S. Federal National Institute of Science and Technology (NIST) state that there are not any fixes or patches that can be applied to SSL or TLS1.0. The only option to correct this problem is to upgrade to TLS1.1 and or 1.2.

To conduct an upgrade, server side changes must be made that disable the ability of the server to fallback to SSL or TLS1.0. Those companies that desire to be PCI compliant or process credit cards, must modify their web servers and other secure connections to only permit the cryptographic protocols of TLS 1.1 and 1.2.

You may be asking yourself how to do this? The process is not hard. You could do the steps yourself  based upon your internal policies and processes from vendors such as Microsoft. Alternatively, as a managed services customer, DataBank support teams can assist  you with the upgrade. If you desire to do the upgrade, simply submit a ticket requesting the services with the subject line “Request for Upgrade to TLS 1.1 / 1.2”,

Is there a risk of not upgrading?

Yes, there is a risk that your website communications are no longer secure and an attacker could be snooping in on the communications between you and your customers.

You may be asking yourself, if DataBank has an IPS and other multiple layers of security in place, how could an attacker snoop on communications? It is true that we have in place numerous layers of security. However, we cannot reach into the location of the client such as their home, a coffee shop or even on the train on the way to work. A favorite location for snoopers are public transportation, restaurants and snack/coffee shops where they use the free WiFi connections and intercept communications. Their intent is to steal confidential data such as a credit card data and reuse it.

Another risk is that if you are no longer compliant with PCI requirements. If you are no longer compliant and continue to operate, you may be fined by PCI for failing to take precautions.

Is there a risk in upgrading?

Yes. When you upgrade to TLS1.1 and 1.2 and prevent browsers that cannot communicate on these protocols from connecting to the web server, the customer using this type of browser will fail to reach  your site or connect. Currently, it is estimated that 2-4% of the world population has these non-compliant browsers. Non-compliant browsers are typically on older operating systems such as Windows XP and most typically outside of the United States.

Unfortunately, there is not a way to intercept an attempted communication between a lesser browser and your web server to redirect them to a site that instructs an upgrade. The connection will fail and there is not an alternate to that function.

What Should I do?

If you desire to remain compliant with PCI-DSS and other similar compliance standards, you must complete the upgrade by June 30, 2018. If you need assistance, contact our support team for assistance.

Go back