Good-bye SSL. Welcome TLS!
Looks like the Secure Sockets Layer protocol will be retired soon.
A new revision of the PCI-DSS and PA-DSS will be released soon, and it appears to remove SSL from the list of "strong cryptography" components. TLS is therefore being set as the new standard for creating secure channels to encrypt data in transit, and as the protocol for connecting client and server when asymmetric encryption is used.
We all know that the POODLE attack has played a big role in this change, and who knows what else could happen next while most users are still on TLS 1.0?
It is worth pointing out that the cryptographic algorithms themselves are fairly secure when used with good key lengths, such as AES with 128-bit keys, RSA with 2048-bit keys, and hashing with SHA-256 or above, and even more so when Elliptic Curve Cryptography (ECC) algorithms are implemented. The security flaws mostly reside in the protocols and in the cipher suite implementations. That’s why the SSL protocol poses a serious risk to the confidentiality and integrity of data being transferred between two hosts.
Looks like the draft version of TLS v1.3 will gain more visibility than ever before, and the CA/B Forum will raise more discussions between CAs and Browser vendors (Microsoft, Mozilla, Apple, Google) to define the new official standard/recommended/preferred protocol to provide communications security over the Internet.
TLS v1.3 will also implement the One Round Trip Time (1-RTT) handshake, in which the client sends the “ClientKeyExchange” message with its cryptographic parameters for key establishment, and does so even before any cipher suite is negotiated between client and server. Thus, the server can calculate the keys for encryption/authentication before the first packet is sent. Anyway, this is a subject for another post.
The fact is that in the near future we will have the SSL protocol disabled or removed from our servers, workstations, network devices and appliances, and TLS added to the industry's security standards and guidelines, such as the PCI-DSS, NIST SPs and FIPS, the CA/B Forum Baseline Requirements, and others.
Stay tuned.
Helping to protect society, the commonwealth, and the infrastructure.
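Before SSL is switched off on a server, it helps to know which clients still offer nothing better. The parser below is an added example, not part of the original post: it reads the record-layer version and the highest version offered from a raw ClientHello, assuming the SSL 3.0 to TLS 1.2 message layout, and runs on constructed sample bytes.

```python
import struct

# Wire encoding of ProtocolVersion (major, minor) for SSL 3.0 through TLS 1.2.
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def version_name(major, minor):
    return VERSIONS.get((major, minor), "unknown 0x%02x%02x" % (major, minor))

def client_hello_versions(record):
    """Return (record_layer_version, highest_version_offered) for a raw ClientHello record.

    Raises ValueError when the bytes are not a complete handshake record
    that starts with a ClientHello.
    """
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, rec_major, rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != 22:                      # 22 = handshake
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) != rec_len or rec_len < 6:
        raise ValueError("truncated handshake message")
    if body[0] != 1:                            # 1 = client_hello
        raise ValueError("not a ClientHello")
    # body[1:4] is the 3-byte handshake length; client_version follows it.
    return version_name(rec_major, rec_minor), version_name(body[4], body[5])

def is_ssl_only_client(record):
    """True when the highest version the client offers is SSL 3.0."""
    return client_hello_versions(record)[1] == "SSL 3.0"

def build_sample_hello(record_version, client_version):
    """Constructed ClientHello for the demo: zero random, no session id,
    one cipher suite (0x002f), null compression, no extensions."""
    body = bytes(client_version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(record_version) + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    samples = {
        "old client": build_sample_hello((3, 0), (3, 0)),
        "modern client": build_sample_hello((3, 1), (3, 3)),
    }
    for label, raw in samples.items():
        print(label, client_hello_versions(raw), "SSL-only:", is_ssl_only_client(raw))
```

Counting the clients flagged by `is_ssl_only_client` over captured handshakes shows who would be cut off when SSL is disabled.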
Links:
PCI Security Standards Council: https://www.pcisecuritystandards.org
CA/Browser Forum: https://cabforum.org
TLS 1.3 - Draft Document: https://tools.ietf.org/html/draft-ietf-tls-rfc5246-bis-00
Alert (TA14-290A) - SSL 3.0 Protocol Vulnerability and POODLE Attack: https://www.us-cert.gov/ncas/alerts/TA14-290A
Principal Solution Architect at Silicon Valley Bank
10 years ago: Moving forward.