ssl-farewell

On 15th April, PCI became 3.1 versions old.

The ‘dot’ 1 from the version 3 that was just released around a year ago seeks to address the myriad of issues stemming from the old and dignified SSL protocol.

Ah, SSL. How I will miss thee. SSL itself had undergone its own transformation from a little protocol used by a little firm called Netscape to be one of the most used transmission protocol in the history of the entire universe. OK, that’s a little overstating it, but this is like the god father of Transmission Protocols. It’s like Don Vito’s father’s father. I will probably write another Ode to this wonderful protocol in another article, but suffice to say, SSL is no longer allowed in PCI. If Heartbleed hurt the protocol, POODLE killed it.

A lot of systems support both SSL 3.0 and TLS 1.0 in their default configuration. Newer software may support SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. In these cases the software simply needs to be reconfigured. Extremely older software, dated back to the days when the T-Rex was still alive, may only support SSL 2.0 and SSL 3.0. This is an extremely rare sighting, and is often considered on par as the sighting of the Yeti himself.

On a more serious note, anyone still on SSL, even version 3.0 should consider migrating now to more secured protocols, such as TLS1.2. Like WEP, SSL and early versions of TLS will no longer be acceptable by PCI-DSS. The changes are requirement 2.2.3, 2.3 and 4.1. Current reviews for PCI will no longer accept these protocols. Passed certifications will be given a grace period until June 30th 2016 to change these protocols. Just use TLS1.2 and above (I know, you argue TLS1.1 is still secured, and it is, and it still can be used, so if you are using 1.1, then stick with it, else, might as well upgrade to 1.2)

OK, goodbye SSL and thanks for all the fish!