PCI Gateway: End of support for TLS 1.0 - 1.1

by: Carlos Acevedo   March 14, 2017 15:42

[Update post] http://lab.vtex.com/blog/pci-gateway-fim-…-tls-1-0-e-1-1-2/

Because many browsers are still incompatible, the schedule for disabling those TLS versions has been moved to 2018. The end of TLS 1.1 support at VTEX is therefore scheduled as follows:

Schedule:

31/06/2018:  End of support for TLS 1.0

31/06/2018:  End of support for TLS 1.1

 

Shoppers on older operating system versions, such as Windows 7 without updates, and those using old browsers such as Internet Explorer may be affected by this security update.

The following table lists the minimum browser requirements for supporting the new security protocols:

 

Technical Details
 

SSL and TLS 1.0 No Longer Acceptable for PCI Compliance

Last month, the PCI Council released version 3.1 of their Data Security Standard (DSS). While most of the changes in this minor release are clarifications, there is at least one significant update involving secure communication protocols. The Council has decided that SSL and TLS 1.0 can no longer be used after June 30, 2016.

The fine print about these two protocols can be found under DSS Requirement 2.0: “Do not use vendor-supplied defaults for system passwords and other security parameters”.

I guess the ancient Netscape-developed SSL (Secure Socket Layer) and TLS (Transport Layer Security) are considered other security parameters.

RIP SSL

In any case, the Council is responding to the well-known POODLE exploit in SSL as well as NIST’s recent conclusions about SSL. As of April 2014, NIST proclaimed that SSL is not approved for use in protecting Federal information.

Unfortunately, you’ll need a brief history lesson to understand the role of TLS.

Developed in the 1990s by the IETF folks, TLS version 1.0 was based heavily on SSL and designed to solve compatibility issues—a single, non-proprietary security solution. Then a series of cryptographic improvements were made for TLS 1.1 and the current 1.2.

One key point is that TLS implementations support a downgrade negotiation process whereby the client and server can agree on the weaker SSL protocol even if they opened the exchange at the latest and greatest TLS 1.2.

Because of this downgrade mechanism, it was possible in theory to leverage the SSL-targeted POODLE attack to indirectly take a bite out of TLS by forcing servers to use the obsolete SSL.
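The version negotiation described above can be checked from the defender's side by comparing the version a client offers with the one the server selects. The sketch below is an added example, not code from the original post or from VTEX. It assumes pre-TLS 1.3 hello messages, where the hello version field carries the offer and the selection. The function names are hypothetical and the sample handshake bytes are constructed.

```python
import struct

# TLS wire versions as they appear in hello messages.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
MIN_ALLOWED = 0x0303  # policy discussed on this page: nothing below TLS 1.2
HANDSHAKE, CLIENT_HELLO, SERVER_HELLO = 22, 1, 2


def hello_version(record: bytes, expected_type: int) -> int:
    """Return the version field of one ClientHello/ServerHello record."""
    if len(record) < 11:
        raise ValueError("record too short for a hello message")
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != HANDSHAKE or rec_len != len(record) - 5:
        raise ValueError("not a single complete handshake record")
    msg_type = record[5]
    msg_len = int.from_bytes(record[6:9], "big")
    if msg_type != expected_type or msg_len != rec_len - 4:
        raise ValueError("unexpected handshake message")
    return int.from_bytes(record[9:11], "big")


def assess(client_hello: bytes, server_hello: bytes) -> dict:
    """Compare the offered and selected versions of one handshake."""
    offered = hello_version(client_hello, CLIENT_HELLO)
    chosen = hello_version(server_hello, SERVER_HELLO)
    if chosen > offered:
        raise ValueError("server selected a version the client did not offer")
    return {
        "offered": VERSIONS.get(offered, hex(offered)),
        "negotiated": VERSIONS.get(chosen, hex(chosen)),
        "downgraded": chosen < offered,
        "compliant": chosen >= MIN_ALLOWED,
    }


def sample_hello(msg_type: int, version: int) -> bytes:
    """Constructed minimal hello: zeroed random, empty session id."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    if msg_type == CLIENT_HELLO:
        body += b"\x00\x02\x00\x2f\x01\x00"  # one cipher suite, null compression
    else:
        body += b"\x00\x2f\x00"  # selected suite, null compression
    msg = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", HANDSHAKE, 0x0301, len(msg)) + msg


if __name__ == "__main__":
    ch = sample_hello(CLIENT_HELLO, 0x0303)  # client opens at TLS 1.2
    for v in (0x0303, 0x0301, 0x0300):
        print(assess(ch, sample_hello(SERVER_HELLO, v)))
```

A server that enforces a TLS 1.2 minimum never produces the second or third result; it rejects the handshake instead of selecting the older version.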

Then in December 2014, security researchers discovered that a POODLE-type attack could be launched directly at TLS without negotiating a downgrade.

Overall, the subject gets complicated very quickly. Depending on whom you read, security pros implicate either browser companies, for choosing compatibility over security in their continuing support of SSL, or everyone, for implementing the TLS standard incorrectly.