In this article:
1. What is SSL and TLS?
SSL stands for Secure Sockets Layer, while TLS stands for ‘Transport Layer Security’. Sounds intimidating? Simply put, they are the most widely deployed security protocols in use today, providing privacy and data integrity to keep your data safe.
The terms SSL and TLS are often used interchangeably or in conjunction with each other (TLS/SSL), but one is in fact the predecessor of the other — SSL 3.0 served as the basis for TLS 1.0 which, as a result, is sometimes referred to as SSL 3.1 (LuxSci, 2017).
2. What are the differences?
SSL 3.0 is getting very old, and recent developments, such as the POODLE vulnerability, have shown that SSL 3.0 is now completely insecure (especially for web sites using it). TLS 1.0 has had its share of vulnerabilities too, and more and more organizations are beginning to turn it off as an option for negotiating encryption between client and server. The image below shows the release year of each SSL and TLS version.
3. What are the changes?
SSL and TLS have been among the most widely used encryption protocols for the past 20 years, and they still remain in widespread use today despite the existence of a number of uncovered security vulnerabilities.
As noted by the National Institute of Standards and Technology (NIST), there are no solutions that can adequately repair SSL or early TLS. As a result, it is critically important for organizations to upgrade to a secure alternative as soon as possible, and to disable any fallback to both SSL and early TLS, in order to meet the Payment Card Industry Data Security Standard (PCI DSS) for safeguarding payment data.
4. What does it mean to me?
Anyone still using SSL or TLS 1.0 or below will fail the PCI standards and therefore will not be allowed to accept credit card payments online. You can read the PCI DSS standards in full here.
In fact, the original date set for completing the migration was April 2015. However, the Payment Card Industry Security Standards Council (PCI SSC) extended the date to 30 June 2018 for transitioning from SSL and TLS 1.0 to a secure version of TLS (currently v1.1 or higher). As a result, EasyStore's merchants and customers may experience difficulties accessing the EasyStore website starting from 1 May 2018.
5. What are the risks?
SSL and TLS 1.0 are vulnerable to man-in-the-middle attacks, putting at risk the integrity and authentication of data sent between a website and a browser. Disabling SSL and TLS 1.0 support on your server is sufficient to mitigate this issue.
Man-in-the-middle attacks: A type of cyber attack where the attacker inserts him/herself in the communication between two parties (people or systems) without either of them being aware of it and relays the communication between them. As the attacker has complete access to communication, he/she can intercept, eavesdrop, or alter the information, and then send and receive communication to/from the two parties.
After SSL and TLS 1.0 are disabled, any inbound or outbound connections that use those protocols will no longer be accepted. All users are therefore strongly encouraged to configure their servers to support TLS 1.1 or above.
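As an added example (not EasyStore's code), the following Python script uses only the standard-library ssl module to build a server-side context that refuses SSL 3.0 and TLS 1.0, and to report which protocol versions a context still offers so you can confirm that the deprecated ones are off. The TLS 1.2 floor is my assumption, stricter than the article's "1.1 or higher"; the script runs offline and does not contact any server.

```python
"""Build a server-side TLS context that refuses SSL 3.0 and TLS 1.0 (the
versions this article says must be disabled) and report which protocol
versions a context will still negotiate.  Standard library only, no network."""
import ssl

# Versions the article treats as insecure: SSL and "early TLS".
DEPRECATED = {"SSLv3", "TLSv1"}
# Negotiable versions in ascending order.  ssl.TLSVersion is an IntEnum,
# so its members compare numerically (SSLv3=768 ... TLSv1_3=772).
ORDER = [ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
         ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]


def versions_between(lo, hi):
    """Names of the versions a (minimum, maximum) bound pair admits.
    MINIMUM_SUPPORTED (-2) / MAXIMUM_SUPPORTED (-1) mean 'no bound'."""
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = ORDER[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = ORDER[-1]
    return [v.name for v in ORDER if lo <= v <= hi]


def enabled_versions(ctx):
    """Versions an SSLContext will offer, read from its configured bounds."""
    return versions_between(ctx.minimum_version, ctx.maximum_version)


def deprecated_still_enabled(ctx):
    """Which of the 'must disable' versions the context still allows."""
    return [v for v in enabled_versions(ctx) if v in DEPRECATED]


def hardened_server_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Server context whose floor excludes SSL 3.0 and TLS 1.0.
    TLS 1.2 is an assumed floor, stricter than the article's '1.1 or higher';
    pass ssl.TLSVersion.TLSv1_1 to match the article exactly (only works if
    the local OpenSSL build still supports TLS 1.1)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum  # OpenSSL rejects any lower ClientHello
    return ctx


if __name__ == "__main__":
    ctx = hardened_server_context()
    print("enabled versions:     ", enabled_versions(ctx))
    print("deprecated still on:  ", deprecated_still_enabled(ctx))
```

Point `hardened_server_context()` at your own server code (for example `ctx.wrap_socket(...)`) and an empty `deprecated_still_enabled` result confirms the configuration the article asks for.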
6. What can I do?
If you know that you are using the most up-to-date web browser, then you are most probably OK; however, there are a few online tools that you can use to check your browser's security, such as https://www.howsmyssl.com. Kindly refer to the inline image below for reference:
If you find that your browser is not secure, then you need to check to see if you have the latest version installed or alternatively switch to a different browser that provides support for TLS 1.1 and above.
Below is a list of popular browsers and the versions that support TLS 1.1 and above.