Editor’s note: This story was updated April 15 to reflect the publishing of PCI-DSS 3.1 and clarifications of some of the deadlines for phasing out SSL.
A core technology that has been trusted as the standard of safe online transactions since the dawn of e-commerce is soon to fall into a state of non-compliance, requiring online storefront operators everywhere to make updates if they want to continue taking credit card payments.
It was just over a year ago that the Heartbleed vulnerability became one of the biggest cybersecurity stories of all time. The exploit took advantage of an open source SSL encryption method used by an estimated two-thirds of all websites, including many popular Canadian sites. Its impact caused the Canada Revenue Agency to extend the timeline for filing taxes, had businesses scrambling to apply patches and had many Canadians resetting their passwords. At the heart of the exploit was a trick devised by hackers to fool a server into transacting with them as if they were an old web browser, thereby requiring an encryption method that was made obsolete in 1999. The hackers could then crack the encryption and gain access to the server.
Heartbleed was just the first of a volley of attacks on the aged SSL. Finally, late last year the U.S. National Institute of Standards and Technology declared that it was no longer a strong method of encryption.
Now the Payment Card Industry Security Standards Council is making sure that sort of attack can’t happen again. In early March, the council released its plans to update the Data Security Standard (DSS) compliance code to disallow transactions using the SSL 3.0 protocol or earlier. Instead, those wishing to accept credit card or debit card payments online will need to use at least TLS 1.0 encryption, the protocol that superseded SSL all the way back in 1999.
“The sky is not falling,” assures Don Brooks, a senior security engineer at Trustwave, a Chicago-based security vendor. “No one is going to have to change the way they’re doing business.”
Any modern e-commerce business will already be working with the newer TLS encryption, as modern browsers rely on it to encrypt transactions. Now they just have to turn off the SSL encryption they kept for the edge case in which someone using an old browser tries to make a purchase.
Modern browsers, including Chrome, Internet Explorer and Mozilla Firefox, will respond with an error if a server attempts a handshake using SSL encryption, explains Bruce Morton, steering committee member of the Certificate Authority (CA) Security Council and product manager with Entrust. The council is made up of the world’s leading Certificate Authorities, the organizations that develop the technology that enables a web server to establish a verified, secure connection with the client; most of us recognize it by the padlock icon in our web browsers.
“We push our customers hard to stop supporting [SSL] 3.0 and start supporting TLS,” he says. “You’ll be supporting a bad protocol for people that never upgraded from IE6.”
Because SSL was the industry standard for more than a decade, expunging it from every server will take some work from the IT teams of many retailers. Live survey data provided by the Trustworthy Internet Movement shows that about 42 per cent of the Internet’s most popular sites currently support the SSL v3.0 standard, and 13 per cent also support the SSL v2.0 standard. More than a year after Heartbleed’s disclosure, 432 sites are still vulnerable to it.
“Some of them are old,” Morton says. “They were set up years ago and they’ve never once gone in to change the protocol.”
Turning it off requires editing a configuration file on the server’s operating system, and both Apache and Microsoft provide documentation on how to do so, Brooks says. While it won’t be until June 2016 that those still supporting SSL encryption actually become non-compliant, it’s a good idea to make the changes as soon as possible. Also, no new implementations of SSL can be made as of April 15.
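As an added illustration of the Apache side of that configuration change (this is example code written for this article, not Apache’s or Trustwave’s own tooling), the script below evaluates Apache mod_ssl `SSLProtocol` directives the way mod_ssl parses them and flags any virtual host that still leaves SSL 2.0 or 3.0 enabled. The sample configuration is constructed for the example; the expansion of the `all` keyword follows the Apache 2.4 documentation and is an assumption that should be adjusted for older builds.

```python
import re

# Apache mod_ssl SSLProtocol keywords. "all" is expanded here as the Apache 2.4
# documentation describes it (SSLv3 plus every TLS version). Assumption: older
# 2.2-era builds also folded SSLv2 into "all", so adjust ALL_EXPANSION to match
# the httpd that is actually deployed.
ALL_EXPANSION = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}
KNOWN = {"SSLv2", "SSLv3"} | ALL_EXPANSION
NON_COMPLIANT = {"SSLv2", "SSLv3"}  # the versions the PCI DSS update disallows


def enabled_protocols(args):
    """Evaluate the argument list of one SSLProtocol directive the way mod_ssl
    parses it: '+name' adds a version, '-name' removes one, and a bare keyword
    replaces whatever was set before it (mod_ssl logs a warning in that case).
    Returns the set of protocol versions the directive leaves enabled."""
    enabled = set()
    for token in args.split():
        op = token[0] if token[0] in "+-" else ""
        name = token[1:] if op else token
        if name.lower() == "all":
            versions = ALL_EXPANSION
        else:
            match = next((k for k in KNOWN if k.lower() == name.lower()), None)
            if match is None:
                raise ValueError(f"unknown SSLProtocol keyword: {token}")
            versions = {match}
        if op == "-":
            enabled -= versions
        elif op == "+":
            enabled |= versions
        else:
            enabled = set(versions)
    return enabled


def audit_ssl_protocol(config_text):
    """Scan Apache configuration text for SSLProtocol directives and return one
    (line number, directive, offending versions) tuple per directive; an empty
    list of offending versions means that directive is compliant.
    Commented-out lines are ignored, which is where the old setting often survives."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        stripped = line.strip()
        if stripped.startswith("#"):
            continue
        m = re.match(r"^SSLProtocol\s+(.+?)\s*$", stripped, re.IGNORECASE)
        if m:
            weak = enabled_protocols(m.group(1)) & NON_COMPLIANT
            findings.append((line_no, stripped, sorted(weak)))
    return findings


# Constructed sample: one virtual host still on the old "all" default (SSLv3
# enabled) and one hardened host that explicitly removes SSLv2 and SSLv3.
SAMPLE_CONFIG = """\
<VirtualHost *:443>
    ServerName legacy.example.test
    SSLEngine on
    SSLProtocol all
</VirtualHost>
<VirtualHost *:443>
    ServerName shop.example.test
    SSLEngine on
    # SSLProtocol all        (old setting, kept here as a comment)
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for line_no, directive, weak in audit_ssl_protocol(SAMPLE_CONFIG):
        status = "NON-COMPLIANT: " + ", ".join(weak) if weak else "ok"
        print(f"line {line_no}: {directive!r} -> {status}")
```

Run it against the real `httpd.conf` and any included `ssl.conf` or vhost files; the hardened form `SSLProtocol all -SSLv2 -SSLv3` is the change the article refers to, and the script reports the first host as non-compliant and the second as clean.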
“We’re surprised we have an update this quick with PCI. I think people should take that as an indication of how serious this is,” he says. “Do something as soon as you can, because there are active exploits out there floating around.”
The good news is that there are open source tools available for a systems audit to find out whether SSL support still exists on your servers.
- Google provides SSLAudit, which can be used to verify SSL certificates and offers a security grade.
- The Open Web Application Security Project offers guidelines on testing for SSL/TLS compliance.
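Whatever tool runs the audit, what it ultimately reads is the first record the server sends back after a ClientHello: either a ServerHello committing to a protocol version, or an alert refusing the connection. The decoder below is an added example for this article (not code from SSLAudit, OWASP, or any of the vendors quoted) that classifies such a record so an auditor can tell “accepted SSL 3.0” from “refused with protocol_version”; the sample records are constructed inline rather than captured from a live server.

```python
import struct

CONTENT_ALERT, CONTENT_HANDSHAKE = 21, 22
HANDSHAKE_SERVER_HELLO = 2
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0",
                 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}
MIN_COMPLIANT_VERSION = 0x0301  # TLS 1.0, the floor the PCI DSS update sets


def classify_server_response(record):
    """Decode the first SSL/TLS record a server returns and report what it
    tells an auditor: the version a ServerHello committed to (and whether that
    meets the TLS 1.0 floor) or the alert with which the server refused."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _record_version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if len(body) < length:
        raise ValueError("truncated record body")
    if content_type == CONTENT_ALERT and len(body) >= 2:
        level, description = body[0], body[1]
        return {"kind": "alert",
                "alert": ALERT_NAMES.get(description, str(description)),
                "fatal": level == 2}
    if content_type == CONTENT_HANDSHAKE and len(body) >= 6 \
            and body[0] == HANDSHAKE_SERVER_HELLO:
        # Handshake header is type (1 byte) + length (3 bytes); the ServerHello
        # body then opens with the 2-byte server_version the server chose.
        server_version = struct.unpack("!H", body[4:6])[0]
        return {"kind": "server_hello",
                "version": VERSION_NAMES.get(server_version, hex(server_version)),
                "compliant": server_version >= MIN_COMPLIANT_VERSION}
    return {"kind": "other", "content_type": content_type}


def build_server_hello(version):
    """Constructed ServerHello record for the samples below: 32 zero bytes of
    server random, empty session id, cipher suite 0x002f, null compression."""
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([HANDSHAKE_SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", CONTENT_HANDSHAKE, version, len(handshake)) + handshake


# Constructed samples: a server that still accepts SSL 3.0, one negotiating
# TLS 1.2, and one refusing an SSL 3.0 attempt with a fatal protocol_version alert.
SAMPLE_SSLV3_ACCEPTED = build_server_hello(0x0300)
SAMPLE_TLS12 = build_server_hello(0x0303)
SAMPLE_REFUSED = struct.pack("!BHH", CONTENT_ALERT, 0x0301, 2) + bytes([2, 70])

if __name__ == "__main__":
    for label, rec in [("sslv3", SAMPLE_SSLV3_ACCEPTED), ("tls12", SAMPLE_TLS12),
                       ("refused", SAMPLE_REFUSED)]:
        print(label, classify_server_response(rec))
```

In practice the bytes fed to `classify_server_response` come from a probe that offers only SSL 3.0 (for example the response captured from `openssl s_client -ssl3`, where the build supports it); a `server_hello` result with `"compliant": False` is the finding to fix before the June 2016 deadline.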