On June 30 2018, server clients who use the encryption protocol Transport Layer Security (TLS) v1.0 to protect their site’s data will be required to disable it and upgrade to TLS v1.1 or above. Clients who do not comply with this deadline will be in breach of the new PCI DSS Requirements as agreed by the PCI Council.
If you are unsure as to why this ruling has been made and what you can do regarding your use of TLS v1.0, here is everything you need to know about the ruling, why it has been made and the next steps to take to ensure your site data is protected.
Why is TLS v1.0 no longer secure?
In 2014, the Padding Oracle On Downgraded Legacy Encryption (POODLE) bug was discovered in TLS v1.0’s predecessor, Secure Sockets Layer (SSL) v3.0. POODLE is a design flaw that allows attackers to intercept and extract data transmitted between a browser and a web server that uses SSL v3.0 for encryption, leaving sensitive information exposed to fraud and other misuse.
A similar fault was identified in TLS v1.0 just months later, which attackers could use to force a downgrade from TLS to SSL v3.0 and then intercept data via the POODLE bug. The only way to prevent this was to block the ability to downgrade. Clients were therefore advised by their server providers to disable SSL completely, or in some cases were not given the choice (e.g. if the client’s site accepted credit cards). This means that since 2014, SSL v3.0 and TLS v1.0 have not been adequately secure encryption protocols for protecting sensitive site data.
Because many site users worldwide still use browsers and operating systems that do not support more secure encryption protocols such as TLS v1.1 and above, some clients remain vulnerable to attack. This may be because they have not yet been legally required to disable TLS v1.0, or because they do not handle payment processing or similar highly sensitive data, such as medical records. It may also be because a high proportion of their site traffic comes from users on older browsers and/or operating systems, who would not be able to access the site if it were upgraded to a more secure encryption protocol.
With the deadline to disable and upgrade now in place, it is crucial that clients implement correct data encryption measures for the security of their users. We will be disabling TLS v1.0 and v1.1, as most clients that implement v1.1 also implement v1.2, and v1.2 is the recommended version for all new implementations.
Which browsers and operating systems will no longer be compatible with servers due to disabling TLS v1.0 and v1.1?
Disabling TLS v1.0 and v1.1 will block server access from a number of browsers and operating systems.
The minimum versions of browsers – both mobile and desktop – that support TLS v1.2 are:
• Google Chrome 30
• Mozilla Firefox 27
• Internet Explorer 11
• Microsoft Edge
• Safari 7
The minimum versions of operating systems – both mobile and desktop – that support TLS v1.2 are:
• Microsoft Windows 7
• Windows Phone 8.1
• Mac OS 10.9
• iOS 5
• Chrome OS
• Firefox OS
• Android 4.0
It is recommended that clients upgrade to the latest operating systems and browsers to ensure ongoing support.
What are we doing at catalyst2?
We will be leaving TLS v1.0 and TLS v1.1 enabled until the 30th May, after which point they will be disabled on all servers. This only affects connections that use SSL/TLS, i.e. HTTPS (including webmail) and email over a secure connection.
Help! I don’t know if my site will support it.
If you are not sure whether your site will work, or whether your clients will be able to access your site, under TLS v1.2, then please contact us and we can help you work this out.
If your site sends data to any third-party sites (such as payment processors), you should check that they will support TLS 1.2 so this continues to function after the change. Most payment processors have already updated, as it is a requirement of their PCI compliance.
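One way to carry out that check yourself, as an added example that is not part of catalyst2’s announcement or tooling: a Python 3.7+ script that attempts one handshake per protocol version against a host you own or a third-party endpoint you depend on, and reports whether TLS 1.2 works and whether TLS 1.0/1.1 have really been switched off. The host name you pass in is your own; nothing here is specific to any particular provider.

```python
# Constructed example (Python 3.7+): one TLS handshake per protocol version,
# to confirm a host accepts TLS 1.2 and has really stopped accepting 1.0/1.1.
import socket
import ssl

PROBE_VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def version_context(version):
    """Client context pinned to one protocol version; certificate checks stay on."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # Modern OpenSSL will not offer TLS 1.0/1.1 at its default security
        # level; level 0 lets the probe send those handshakes on purpose.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # library without security levels: keep its default cipher list
    return ctx

def probe(host, port=443, timeout=5.0):
    """Return {version: True|False|'error: ...'}; keys match SSLSocket.version()."""
    results = {}
    for name, version in PROBE_VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with version_context(version).wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() == name
        except ssl.SSLCertVerificationError as exc:
            results[name] = f"error: {exc}"  # bad certificate, not a version issue
        except (ssl.SSLError, ConnectionResetError):
            results[name] = False  # alert or dropped connection: version refused
        except OSError as exc:
            results[name] = f"error: {exc}"  # DNS failure, timeout, closed port
    return results

def verdict(results):
    """Summarise a probe against the TLS 1.2-only policy."""
    if results.get("TLSv1.2") is not True:
        return "no-tls12"  # the site or third party will break after the change
    if any(results.get(v) is True for v in ("TLSv1", "TLSv1.1")):
        return "legacy-enabled"  # TLS 1.2 works but old versions still accepted
    if any(isinstance(v, str) for v in results.values()):
        return "inconclusive"  # a probe failed for a non-protocol reason
    return "tls12-only"
```

Run `verdict(probe("your-site.example"))` for your own site and again for each payment or API endpoint you send data to; anything other than `tls12-only` is worth following up before the change.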
What are the chances of my site supporting TLS v1.2?
If you are using an off-the-shelf piece of software, e.g. WordPress, Magento or similar, that is running the latest version, then it will very likely just work and you shouldn’t have any issues.
What are the red flags that I may have an issue with TLS v1.2?
If you have clients that are using Windows XP, older browsers or old technologies, then that could well be an issue. If you are using custom-written code that has not been updated in years, that may also cause an issue.
Will this impact my emails?
If you are using an old email client then yes, you may have a problem, so we would recommend updating to the latest version of your email client.