SSL and TLS: Should You Believe the Hype?

Is your business using outdated SSL and TLS versions?

Many businesses are using outdated SSL and TLS versions as a security control because the software they're running still supports it. But experts warn that these protocol versions, including SSL 2.0, SSL 3.0 and TLS 1.0, are no longer secure and therefore require action on the business's part. In fact, certain compliance standards, such as the PCI DSS, will soon require that businesses remove all instances of the SSL and early TLS encryption protocols from their IT environments.

But should you believe the hype? And how quickly must you really take action?

The last-released version of encryption protocol to be called “SSL”—version 3.0—was superseded by “TLS,” or Transport Layer Security, in 1999. While weaknesses were identified in SSL 3.0 at that time, it was still considered safe for use up until October of 2014, when the POODLE vulnerability came to light.

With the advent of POODLE (which stands for “Padding Oracle On Downgraded Legacy Encryption”), SSL 3.0 is quickly becoming deprecated, i.e., unapproved for use. Whereas Heartbleed was a flaw in OpenSSL (a software library which implements SSL/TLS), POODLE is a flaw in the SSL 3.0 protocol itself, so it’s not something that can be fixed with a software patch.

So, yes, if any of your business software is running SSL 3.0 (or SSL 2.0), then you need to reconfigure or upgrade ASAP.

You can identify which SSL/TLS versions are enabled in your business by contacting your POS and software/application vendors. Alternatively, internal and external vulnerability scans will also identify unsecure implementations of SSL within your IT network.

Most SSL/TLS deployments support both SSL 3.0 and TLS 1.0 in their default configuration. Newer software may support SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. In these cases the software simply needs to be reconfigured.

Older software may only support SSL 2.0 and SSL 3.0. If this is the case, it is time to upgrade.

So what to do?

As mentioned above, your action steps will be based upon the need to upgrade or simply reconfigure. Some businesses may find the need to upgrade one piece of software and reconfigure another.

• For Upgrades: Contact the software vendor to purchase the latest version. During implementation, be sure to configure the software for the highest version of TLS available. (Even modern software will support SSL 3.0 out of the box, because it was still considered safe prior to October.)
• For Reconfigurations: All you have to do is configure the software to disable SSL 3.0. Instructions on how to do this can usually be found on the vendor’s website or various help forums and blog posts on the Internet. The process will be different for each piece of software that you use.

And, once you’ve accomplished the above...

If major changes were made in your business IT environment, use the PCI DSS as a checklist of security measures to take, such as conducting a new penetration test and performing internal and external vulnerability scans to ensure no obvious, critical vulnerabilities are present.

Be vigilant in keeping up to date with transport-layer security. New versions continue to come out as vulnerabilities are discovered. Make use of the “automatic update” feature present in popular browsers such as Internet Explorer, Chrome and Firefox.

Note that you’ll continue to see the term “SSL” widely used because it is the name of the type of certificate that is exchanged, even under the newer TLS versions.

Need help understanding the implications to your business environment?

Subscribe to this blog for additional tips and webinar announcements.