Sunset of SSL Extended

If you’ve been struggling to keep up with the various SSL vulnerabilities while planning an orderly cutover to TLS, then the PCI Council’s recent announcement extending the sunset date for the transition from SSL to TLS 1.1 and 1.2 should come as a welcome relief.

SSL, the ever-ubiquitous security hallmark of the Internet age, is proving more difficult to retire than previously thought. And, like the protesting peasant in Monty Python’s “Bring Out Your Dead” sketch, it does not want to go quietly into the night.

The newly updated mandate still requires organizations to be able to support TLS 1.1 or 1.2 by June 2016, but allows up to an additional two years for organizations to complete the sunset of SSL. This lets organizations support the stronger protocols wherever they can be used and work through legacy connections in a more orderly fashion. The exemption for POI devices that can be shown to have secure use cases remains in place.

The council has prepared several communications, including a blog article, a press release, and a webinar in which our own David Gamey participated as a subject matter expert.

This decision was based on significant feedback from industry and security experts, who considered factors such as the availability of TLS 1.1 and 1.2 in deployed solutions, the variety of different SSL use cases, contractual and logistical limitations, and risk.

  • Browsers using SSL are still the highest risk.
  • Non-browser applications, such as business to business connections, will need to be evaluated on their use cases.
  • POIs are generally the lowest risk.

Let’s be clear: SSL, as a general-purpose security protocol, is broken, and the continued effort to nurse it along and deal with the security (or insecurity) of numerous special use cases is simply unsustainable. SSL (and TLS 1.0) need to be replaced as quickly as possible, and applications which can’t be easily replaced need to be evaluated and prioritized. This extension allows organizations to do precisely that.

Some Other References:

  • Why Organizations Need to Become Crypto-Agile and What that Means: Cryptographic change is a reality. Since 2006, we have seen the sunset of WEP, SSLv2, RSA-1024, SSLv3 and early TLS. We know that Triple DES and...
  • PCI Security Standards Council set to kill off SSL in PCI DSS/PA-DSS 3.1 updates: The PCI council has released an announcement that they are preparing an updated version of the PCI DSS (v3.1) and PA-DSS (v3.1), where they will be...
  • NIST Moves on Sweet32 - 3DES, Blowfish, and Others - Mostly Unsafe: Now is the time to stop using 64-bit block length ciphers such as 3DES (TDEA) and Blowfish in general purpose applications of cryptography. In 2016,...