SSL is dead. Long Live SSL - Cognia - ContactCenterWorld.com Blog
The PCI Security Standards Council is poised to announce formally that Secure Sockets Layer (version 3.0) is no longer considered a strong encryption standard in PCI DSS 3.1, where strong encryption is mandated under the requirements [2.3, 3.4, 4.1].
To many people this is a worrying thing to read, because SSL secures the internet... doesn’t it?
Well, the short answer is no, and the long answer is still no, but it explains the reason for this misconception: IT technical and security consultants have been using the wrong terminology. In most cases when we say SSL we mean HTTPS, and even when we are talking about SSL, we probably mean TLS anyway.
SSL is a transport encryption mechanism for encrypting the flow of information between two systems. It is based on asymmetric cryptography and relies on X.509 certificates.
The problem is that a number of issues and vulnerabilities have been discovered with the early implementations of SSL, resulting in the last iteration of version 3.0 (introduced in 1996). Whilst this provides enhancements over previous generations, many security professionals have been advocating the move to its successor “Transport Layer Security”.
September 2014 sounded the death knell for SSLv3.0 when the POODLE vulnerability was disclosed, sealing the fate of the 18-year-old protocol as a safe method of securing internet communications.
Many system administrators had long since moved to TLS, and thus the impact of POODLE was nowhere near as significant as Heartbleed or Shellshock, but was a reminder for security teams to double check that SSL really was disabled once and for all on their servers.
Of course, cryptography experts will tell you that the transport protocol is only half of the story. An equally important decision is the selection of the ciphers used with TLS communications.
Ciphers are the arithmetic algorithms used to generate the encrypted material, and they have been the subject of a number of other, less well-known vulnerabilities, such as BEAST in 2011. For several years the mitigation for BEAST was to use the RC4 ciphers, until in mid 2013 this too was found to be weak.
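The double check described above can be automated against server configuration. The following is an added example, not Cognia's code: it assumes an nginx-style configuration (the `ssl_protocols` and `ssl_ciphers` directives) and uses constructed sample configs to flag SSLv3 and explicitly enabled RC4.

```python
import re

# Added example: audit nginx TLS directives for the two weaknesses named above.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}  # SSLv3 is the protocol affected by POODLE
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;]+);", re.M)

SAMPLE_WEAK = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # constructed: SSLv3 still offered
    ssl_ciphers RC4-SHA:HIGH:!aNULL:!MD5;
}
"""
SAMPLE_HARDENED = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4';
}
"""

def enabled_rc4_tokens(cipher_string):
    """Return OpenSSL cipher-list tokens that keep RC4 suites in the list."""
    found = []
    for token in re.split(r"[:,\s]+", cipher_string.strip().strip("'\"")):
        # '!' excludes permanently and '-' removes; other tokens add or reorder
        if token and token[0] not in "!-" and "RC4" in token.upper():
            found.append(token)
    return found

def audit(config_text):
    """Return a list of findings for one configuration file's text."""
    findings, seen = [], set()
    for name, value in DIRECTIVE.findall(re.sub(r"#.*", "", config_text)):
        seen.add(name)
        if name == "ssl_protocols":
            findings += [f"{p} enabled in ssl_protocols" for p in value.split() if p in WEAK_PROTOCOLS]
        else:
            findings += [f"RC4 enabled by cipher token {t}" for t in enabled_rc4_tokens(value)]
    for name in ("ssl_protocols", "ssl_ciphers"):
        if name not in seen:
            findings.append(f"{name} not set; effective value depends on server defaults")
    return findings

if __name__ == "__main__":
    print("weak:", audit(SAMPLE_WEAK))
    print("hardened:", audit(SAMPLE_HARDENED))
```

The check only sees explicit tokens; it does not expand group aliases such as `ALL` or `DEFAULT`, whose contents depend on the OpenSSL build, so a clean result should still be confirmed against the running server.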
Computer security moves fast, and as the last 24 months have shown, software systems long relied on for privacy and security are starting to be scrutinised more and more, particularly with the realisation that state sponsored actors may also have undisclosed methods to intercept vast swaths of internet traffic.
This is good news for consumers as it only furthers the security of the internet, but for merchants the constant need to stay up to date with the latest protocols and cipher sets is a complication and expense, which may sometimes be overlooked.
By leveraging a platform such as the Cognia Cloud the burden is greatly lessened as our dedicated security and systems teams get their ‘geek on’ ensuring the services are always secured using the industry leading protocols, algorithms and certificates.
If you want to understand more about our approach to security, and our ability to respond to threats and vulnerabilities, contact email@example.com.
Publish Date: February 23, 2015 5:00 AM