PCI DSS v3.1 and SSL: What you should do NOW.

March 5, 2015 • Category: Best Practices

12/21/15 Update: The PCI SSC has extended the migration completion date to 30 June 2018 for transitioning from SSL and TLS 1.0 to a secure version of TLS (currently v1.1 or higher).

4/15/15 Update: The PCI SSC released PCI DSS v3.1 on its website today. The Council also released a helpful information supplement, “Migrating from SSL and Early TLS.”

The PCI Security Standards Council (PCI SSC) recently announced the pending release of PCI DSS v3.1, a “dot” release of PCI DSS 3.0, the version that only went into full effect on January 1, 2015.

What prompted such an unusually quick follow-on to the recent major update? Some clarification was certainly expected, given that PCI DSS 3.0 involved substantial changes to the Self-Assessment Questionnaires (SAQs). However, the major driver of PCI DSS 3.1 is the broader industry’s conclusion that SSL version 3.0 is no longer a secure protocol and therefore must be addressed by the PCI DSS.

What happened to SSL?

The last version of the protocol to carry the name “SSL,” SSL 3.0 (1996), was superseded by TLS 1.0 (Transport Layer Security) in 1999. Although weaknesses in SSL 3.0 were known at the time, it remained widely accepted for use until October 2014, when the POODLE vulnerability came to light.

With the advent of POODLE (which stands for “Padding Oracle On Downgraded Legacy Encryption”), SSL 3.0 is being deprecated, i.e., it is no longer approved for use. Whereas Heartbleed was a bug in OpenSSL (a software library that implements SSL/TLS) and was fixed by patching that library, POODLE exploits a flaw in the SSL 3.0 protocol itself: the padding bytes in CBC mode are not protected by the message authentication code, so an attacker who can force a connection to fall back to SSL 3.0 can recover secrets such as session cookies one byte at a time. No patch to any implementation can fix the protocol. The remedy is to turn SSL 3.0 off; where older protocol versions must remain available for a transition period, clients and servers should also implement the TLS_FALLBACK_SCSV signaling cipher suite so that a downgrade cannot be forced.

So what does this mean?

The bottom line is that if any of your business software is running SSL 3.0 (or SSL 2.0), then you need to reconfigure or upgrade.*

*Most SSL/TLS deployments support both SSL 3.0 and TLS 1.0 in their default configuration. Newer software may support SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. In these cases the software simply needs to be reconfigured. Older software may only support SSL 2.0 and SSL 3.0 (if this is the case, it is time to upgrade).       

How do I know where my business is using SSL/TLS and if so, which version?

SSL/TLS is the most widely deployed encryption protocol. It is used in almost every application that needs to transmit sensitive or secret information across an insecure medium, such as sending a password or other personal information over a network or the Internet.

The most common use of SSL/TLS is to secure websites (HTTPS), though it is also used to:

  • Secure email in transit (SMTPS or SMTP with STARTTLS, IMAPS or IMAP with STARTTLS)
  • Share files (FTPS)
  • Secure connections to remote databases and secure remote network logins (SSL VPN)

You can identify which SSL/TLS versions are enabled in your business by contacting the vendor of each product that performs the functions above. Internal and external vulnerability scans will also identify insecure SSL implementations, and any listening service can be checked directly by attempting a handshake with each protocol version and observing whether the server accepts it.
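To test a listening service yourself, the following added Python script (example code written for this page, not ControlScan's tooling) hand-builds a minimal ClientHello for one protocol version at a time and reads back the server's first record: a ServerHello at that version means the server accepts it, an Alert or a dropped connection means it refuses. It deliberately avoids the Python ssl module, because modern OpenSSL builds no longer contain SSL 3.0 and therefore cannot probe for it. The default target www.example.com and port 443 are placeholders.

```python
"""Probe which SSL/TLS protocol versions a server is willing to negotiate.

Added example for this page. Each probe offers exactly one protocol version in
a raw ClientHello and classifies the first record the server returns.
"""
import socket
import struct

# Record-layer / handshake version numbers as (major, minor).
VERSIONS = {
    "SSLv3":   (3, 0),
    "TLSv1.0": (3, 1),
    "TLSv1.1": (3, 2),
    "TLSv1.2": (3, 3),
}
NAME_OF = {v: k for k, v in VERSIONS.items()}

# A few cipher suites every legacy stack recognises; any one is enough for a probe.
CIPHER_SUITES = bytes.fromhex(
    "002f"  # TLS_RSA_WITH_AES_128_CBC_SHA
    "0035"  # TLS_RSA_WITH_AES_256_CBC_SHA
    "000a"  # TLS_RSA_WITH_3DES_EDE_CBC_SHA
    "0005"  # TLS_RSA_WITH_RC4_128_SHA
)

CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
HANDSHAKE_CLIENT_HELLO = 1
HANDSHAKE_SERVER_HELLO = 2


def build_client_hello(version):
    """Return a complete TLS record carrying a ClientHello that offers only `version`."""
    major, minor = VERSIONS[version]
    body = (
        bytes([major, minor])                        # client_version
        + b"\x00" * 32                               # random: fixed zeros are fine for a probe, never for real use
        + b"\x00"                                    # session_id length 0
        + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"                                # one compression method: null
    )
    # Handshake header: 1-byte type, 24-bit length.
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    # Record header: type, version, 16-bit length.
    return bytes([CONTENT_HANDSHAKE, major, minor]) + struct.pack("!H", len(handshake)) + handshake


def interpret_response(data):
    """Classify the first record a server sent back to our ClientHello.

    Returns the name of the version in the ServerHello ("SSLv3", "TLSv1.0", ...),
    "rejected" for an Alert record, "closed" if the server hung up without
    answering, or "unknown" for anything else.
    """
    if not data:
        return "closed"
    if len(data) < 5:
        return "unknown"
    content_type = data[0]
    if content_type == CONTENT_ALERT:
        return "rejected"
    if content_type == CONTENT_HANDSHAKE and len(data) >= 11 and data[5] == HANDSHAKE_SERVER_HELLO:
        server_version = (data[9], data[10])        # ServerHello.server_version follows the 4-byte handshake header
        return NAME_OF.get(server_version, "unknown version %d.%d" % server_version)
    return "unknown"


def probe(host, port, version, timeout=5.0):
    """Offer `version` to host:port and report what the server did. Network call; not used by tests."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except socket.timeout:
            return "unknown"
    return interpret_response(data)


def scan(host, port):
    """Probe every version in VERSIONS and return {offered_version: result}."""
    return {v: probe(host, port, v) for v in VERSIONS}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"   # placeholder target
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for offered, result in scan(host, port).items():
        flag = "  <-- disable this" if offered == "SSLv3" and result == "SSLv3" else ""
        print(f"offered {offered:8s} -> {result}{flag}")
```

A result of "SSLv3" on the SSLv3 line is the finding that matters for PCI DSS v3.1; "rejected" or "closed" there is what you want to see. Run it against every listener, not just port 443: mail, FTPS and VPN endpoints are the ones most often missed.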

Machines running Windows XP should raise red flags. Not only has Windows XP been out of support since April 2014, but Internet Explorer on XP (IE 8 at best) cannot negotiate TLS 1.1 or 1.2, and non-upgraded versions of other browsers will accept an SSL 3.0 downgrade. These are exactly the clients an attacker exploiting POODLE is looking for.

So what to do?

As mentioned above, your action steps will be based upon the need to upgrade or simply reconfigure. Some businesses may find the need to upgrade one piece of software and reconfigure another.

  • For Upgrades: Contact the software vendor to obtain the latest version. During implementation, configure the software to use the highest version of TLS it supports and explicitly disable SSL 2.0 and SSL 3.0. (Even software released shortly before October 2014 may enable SSL 3.0 out of the box, because it was still considered acceptable until POODLE.)
  • For Reconfigurations: Configure the software to disable SSL 3.0 (and SSL 2.0, if the option still exists). Instructions can usually be found on the vendor’s website or in help forums and blog posts, and the process differs for each product: on a web server it is typically a single protocol directive, on Windows it is a Schannel registry setting, and on many appliances it is a checkbox in the administration console. After each change, re-test from the outside rather than trusting the configuration screen; a second listener or a load balancer in front of the server is easy to miss.
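Because the change on the two most common web servers is a one-line protocol directive, it is also easy to audit across many hosts. The following added Python script (example code for this page, not from ControlScan, Apache or nginx) evaluates Apache mod_ssl SSLProtocol lines, including the +/- prefix and all keyword rules, and nginx ssl_protocols lines, and reports any directive that still leaves SSL 2.0 or 3.0 enabled, flagging TLS 1.0 separately for the later “early TLS” migration. The expansion of Apache’s all keyword is assumed to be that of Apache 2.4 without TLS 1.3, and the configuration text is a constructed sample showing a weak and a corrected directive for each server.

```python
"""Audit Apache mod_ssl and nginx protocol directives for SSL 2.0/3.0.

Added example for this page. Apache semantics implemented here: tokens may be
prefixed with '+' (add) or '-' (remove); 'all' expands to every supported
protocol; an unprefixed token replaces the list. nginx's ssl_protocols is a
plain space-separated list terminated by ';'.
"""
import re

# Assumption: what 'all' means on an Apache 2.4 build without TLS 1.3 support.
APACHE_ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
# Apache directive tokens are case-insensitive; map them to canonical spellings.
CANON = {p.lower(): p for p in APACHE_ALL | {"SSLv2", "TLSv1.3"}}

LEGACY = {"SSLv2", "SSLv3"}      # must be off for PCI DSS v3.1
EARLY_TLS = {"TLSv1"}            # TLS 1.0: in scope for the June 2018 migration deadline

# Constructed sample config: one weak and one corrected directive per server.
SAMPLE_CONFIG = """\
# constructed sample mixing Apache and nginx directives for illustration
# weak: 'all' still includes SSLv3 on Apache 2.4
SSLProtocol all
# corrected for the SSL 3.0 deprecation; TLS 1.0 remains enabled
SSLProtocol all -SSLv2 -SSLv3
# weak nginx list (the default in older nginx releases)
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
# corrected nginx list
ssl_protocols TLSv1.1 TLSv1.2;
"""


def apache_protocols(directive):
    """Evaluate an 'SSLProtocol ...' line and return the set of enabled protocols."""
    enabled = set()
    for tok in directive.split()[1:]:
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok[1:] if sign else tok
        protos = APACHE_ALL if name.lower() == "all" else {CANON.get(name.lower(), name)}
        if sign == "+":
            enabled |= protos
        elif sign == "-":
            enabled -= protos
        else:
            enabled = set(protos)        # no prefix: the list is replaced, as mod_ssl does
    return enabled


def nginx_protocols(directive):
    """Evaluate an 'ssl_protocols ...;' line and return the set of enabled protocols."""
    return set(directive.rstrip(";").split()[1:])


def audit(config_text):
    """Scan config text for protocol directives.

    Returns one dict per directive that still enables a legacy or early-TLS
    protocol: {"line", "directive", "legacy", "early_tls"}.
    """
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # nginx allows trailing comments; harmless for Apache
        if re.match(r"sslprotocol\s", line, re.I):      # not SSLProxyProtocol
            enabled = apache_protocols(line)
        elif re.match(r"ssl_protocols\s", line):
            enabled = nginx_protocols(line)
        else:
            continue
        legacy = sorted(enabled & LEGACY)
        early = sorted(enabled & EARLY_TLS)
        if legacy or early:
            findings.append({"line": lineno, "directive": line, "legacy": legacy, "early_tls": early})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        verdict = "FAIL (SSL enabled)" if f["legacy"] else "WARN (early TLS only)"
        print(f"line {f['line']}: {verdict}: {f['directive']}")
```

Point audit() at the concatenated output of your web-server configs (for example every file under the Apache sites-enabled or nginx conf.d directory) to find the hosts that still need reconfiguring. Note that a directive that never mentions SSLv3 can still enable it via all, which is why the script evaluates the directive rather than grepping for the string.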

And, once you’ve accomplished the above:

  • If major changes were made to your IT environment, use the PCI DSS as a checklist of security measures to take, such as conducting a new penetration test and performing internal and external vulnerability scans to ensure no obvious, critical vulnerabilities are present.
  • Be vigilant in keeping up to date with transport-layer security. New protocol versions and patches continue to come out as vulnerabilities are discovered. Make use of the “automatic update” feature in popular browsers such as Internet Explorer, Chrome and Firefox, and keep server-side TLS libraries patched as well.
  • Note that you’ll continue to see the term “SSL” widely used, as in “SSL certificate,” even under the newer TLS versions. The certificates themselves are X.509 certificates and are used identically by every protocol version; the name is a holdover, not an indication that the SSL protocol is in use.

Take a proactive approach to compliance.

Don’t wait for the PCI Council to mandate it; it’s in your best interest to make the necessary changes now. Request more information or give ControlScan a call at 800-825-3301, ext. 2. We’re happy to help.

The release of PCI DSS v3.2 is imminent.

Check out our latest post on PCI DSS v3.2, “What’s New in PCI DSS 3.2?”, to learn more.
