Are you ready to say goodbye to SSL/early TLS?

30 June 2018 is the deadline for disabling Secure Sockets Layer and early Transport Layer Security (SSL/early TLS) and moving to a more secure protocol version in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data. In PCI SSC's usage, "early TLS" means TLS v1.0 and, in some cases, TLS v1.1; TLS v1.2 or higher is the recommended target. In addition, according to NIST (the National Institute of Standards and Technology), there are no fixes or patches that can repair SSL or early TLS (NIST SP 800-52 Rev. 1).

For over 20 years Secure Sockets Layer (SSL) has been one of the most widely deployed encryption protocols, and it remains in use today despite the security vulnerabilities exposed in it over the years. SSL v3.0 was superseded in 1999 by TLS v1.0, which has since been superseded by TLS v1.1 and v1.2. SSL and early TLS no longer meet minimum security standards because of weaknesses in the protocol design itself that cannot be patched away: the POODLE attack against SSL v3.0, for example, exploits the protocol's CBC padding handling rather than a bug in any one implementation. It is therefore extremely important that everyone upgrade to a secure alternative as soon as possible and disable any fallback to SSL and early TLS, because an attacker who can interfere with a connection can often force a downgrade to the weakest version both sides still accept, even when both support TLS v1.2. SSL/early TLS was removed as an example of strong cryptography in PCI DSS v3.1 (April 2015). Organizations that still use SSL/early TLS are greatly increasing their attack surface, which can lead to breaches with serious business consequences.
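A practical first step before the deadline is to audit web-server configuration for any protocol version below TLS v1.2. The checker below is an added example written for this page, not code from PCI SSC or from the page's author. It reads nginx "ssl_protocols" and Apache "SSLProtocol" directives, applies the server's own semantics (nginx lists what is enabled; Apache adds and removes with "+", "-" and "all"), and reports which SSL/early TLS versions remain switched on. It assumes a single configuration context (per-server overrides are not modelled), and the sample configurations are constructed for the example, showing the weak setting beside its corrected form.

```python
import re

# Protocol keywords as spelled in nginx "ssl_protocols" and Apache "SSLProtocol".
KNOWN = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
_CANON = {k.lower(): k for k in KNOWN}

# Everything below TLS 1.2: SSL plus "early TLS", which PCI DSS v3.1 and later
# no longer accept as strong cryptography.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Assumption: when ssl_protocols is absent, nginx uses its built-in default,
# which has always included TLSv1 and TLSv1.1 (TLSv1.3 only in newer builds).
NGINX_DEFAULT = {"TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

# Assumption: Apache's "all" keyword expands to SSLv3 through TLSv1.3 (it never
# includes SSLv2); whether SSLv3 is really usable depends on the linked OpenSSL.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
APACHE_DEFAULT = APACHE_ALL - {"SSLv3"}   # httpd 2.4 default is "all -SSLv3"


def _canon(name):
    """Map a protocol keyword to its canonical spelling; reject unknown ones."""
    try:
        return _CANON[name.lower()]
    except KeyError:
        raise ValueError(f"unknown protocol keyword: {name!r}")


def _directive_lines(config_text):
    """Yield config lines with '#' comments stripped and whitespace trimmed."""
    for line in config_text.splitlines():
        stripped = line.split("#", 1)[0].strip()
        if stripped:
            yield stripped


def nginx_protocols(config_text):
    """Set of protocols enabled by the last ssl_protocols directive, or the default."""
    enabled = None
    for line in _directive_lines(config_text):
        m = re.match(r"ssl_protocols\s+([^;]+);", line)
        if m:
            enabled = {_canon(tok) for tok in m.group(1).split()}
    return set(NGINX_DEFAULT) if enabled is None else enabled


def apache_protocols(config_text):
    """Set of protocols enabled by the last SSLProtocol directive, or the default.

    Tokens apply left to right: a bare name or '+name' adds, '-name' removes,
    and 'all' stands for APACHE_ALL, so '-all +TLSv1.2' yields {TLSv1.2}.
    """
    enabled = None
    for line in _directive_lines(config_text):
        m = re.match(r"SSLProtocol\s+(.+)$", line, re.IGNORECASE)
        if not m:
            continue
        enabled = set()
        for tok in m.group(1).split():
            op, name = "+", tok
            if tok[0] in "+-":
                op, name = tok[0], tok[1:]
            names = set(APACHE_ALL) if name.lower() == "all" else {_canon(name)}
            enabled = enabled - names if op == "-" else enabled | names
    return set(APACHE_DEFAULT) if enabled is None else enabled


def legacy_enabled(enabled):
    """Sorted list of SSL/early TLS versions still switched on (empty means OK)."""
    return sorted(enabled & LEGACY)


# Constructed sample configurations (not taken from any real host): the weak
# setting and its corrected form for each server.
WEAK_NGINX = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;  # legacy fallback still enabled
}
"""
FIXED_NGINX = WEAK_NGINX.replace("SSLv3 TLSv1 TLSv1.1 TLSv1.2;", "TLSv1.2 TLSv1.3;")
WEAK_APACHE = "SSLProtocol all -SSLv2\n"            # leaves SSLv3, TLSv1, TLSv1.1 on
FIXED_APACHE = "SSLProtocol -all +TLSv1.2 +TLSv1.3\n"

if __name__ == "__main__":
    cases = [
        ("nginx weak", WEAK_NGINX, nginx_protocols),
        ("nginx fixed", FIXED_NGINX, nginx_protocols),
        ("nginx default", "server { listen 443 ssl; }", nginx_protocols),
        ("apache weak", WEAK_APACHE, apache_protocols),
        ("apache fixed", FIXED_APACHE, apache_protocols),
    ]
    for label, text, parse in cases:
        bad = legacy_enabled(parse(text))
        print(f"{label:14}: {'FAIL ' + ' '.join(bad) if bad else 'OK'}")
```

The "nginx default" case is the one most often missed in an audit: a server block with no ssl_protocols line at all is not neutral, it inherits a default that still accepts TLS v1.0 and v1.1, so the directive has to be set explicitly. The checker only reads configuration; confirm the result against the live listener afterwards, since a misplaced directive or a load balancer in front of the server can make the effective policy differ from the file.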

If you haven't already started working on migration plans, PCI SSC (the Payment Card Industry Security Standards Council) has published a useful information supplement, "Migrating from SSL and Early TLS", on its website.