PCI Gateway: Fim do suporte ao TLS 1.0 e 1.1

por: André Uchôa   November 23, 2015 14:17 em Engineering

Devido a vulnerabilidades encontradas em versões mais antigas do protocolo TLS, e afim de manter a conformidade com os padrões definidos no PCI DSS, a VTEX descontinuará, no PCI Gateway, a partir do dia 21/11/2015, o suporte às versões anteriores à 1.2 do TLS segundo o seguinte cronograma:

21/12/2015: Fim do suporte ao TLS 1.0, realizado 07/04/2016

31/05/2016: Fim do suporte ao TLS 1.1

Sistemas que interagem com a API do PCI Gateway devem estar atentos à negociação de conexão HTTPS, para garantir que são capazes de utilizar os protocolos mais recentes dentro dos prazos definidos, de forma a evitar a descontinuidade de seus processos.

 

Technical Details
 

SSL and TLS 1.0 No Longer Acceptable for PCI Compliance

Last month, the PCI Council released version 3.1 of their Data Security Standard (DSS). While most of the changes in this minor release are clarifications, there is at least one significant update involving secure communication protocols. The Council has decided that SSL and TLS 1.0 can no longer be used after June 30, 2016.

The fine print about these two protocols can be found under DSS Requirement 2.0: “Do not use vendor-supplied defaults for system passwords and other security parameters”.

I guess the ancient Netscape-developed SSL (Secure Socket Layer) and TLS (Transport Layer Security) are considered other security parameters.

RIP SSL

In any case, the Council is responding to the well-known POODLE exploit in SSL as well as NIST’s recent conclusions about SSL. As of April 2014, they proclaimed that SSL is not approved for use in protecting Federal information.

Unfortunately, you’ll need a brief history lesson to understand the role of TLS.

Developed in the 1990s by the IETF folks, TLS version 1.0 was based heavily on SSL and designed to solve compatibility issues—a single, non-proprietary security solution. Then a series of cryptographic improvements were made for TLS 1.1 and the current 1.2.

One key point is that TLS implementations support a downgrade negotiation process whereby the client and server can agree on the weaker SSL protocol even if they opened the exchange at the latest and greatest TLS 1.2.

Because of this downgrade mechanism, it was possible in theory to leverage the SSL-targeted POODLE attack to indirectly take a bite out of TLS by forcing servers to use the obsolete SSL.

Then in December 2014, security researchers discovered that a POODLE-type attack could be launched directly at TLS without negotiating a downgrade.

Overall, the subject gets complicated very quickly and depending on whom you read, security pros implicate browser companies for choosing compatibility over security in their continuing support of SSL or everyone for implementing the TLS standard incorrectly.

Abs

Gostou? Estamos contratando!