Skip to comments.Are you ready for June 30th's PCI deadline? Say hello to TLS v 1.2
Posted on 05/29/2018 6:48:37 AM PDT by Texas Fossil
The PCI Security Standards Council, the body governing credit card transactions, has set a deadline for disabling early versions of TLS/SSL to June 30, 2018. What are these technologies? TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are fundamental to internet transport security. Early versions are still fairly common in older infrastructure. Not updating to the newer versions by the deadline could cause your organization to incur a major fee and potentially halt taking credit card transactions.
Lets take a step back and lay some groundwork. TLS and its predecessor SSL are a set of protocols used to provide secure communications over the internet between one device and another. It is the S in HTTPS. Each revision defined a set of cryptographically secure methods to establish and maintain communication. New versions were released as issues with the previous versions were found. Older versions have become less secure as computers have become faster and can break the encryption more efficiently.
The current version TLS 1.2 was published 10 years ago, and TLS 1.3 was recently published and should become an official standard later this year. The PCI Council set a deadline of June 30, 2018, to remove or mitigate all older versions of TLS and all versions of SSL. They currently allow higher security settings of TLS 1.1 and TLS 1.2, with heavy emphasis on updating to TLS 1.2.
New systems have been required for some time to use the updated versions, but older and existing systems were granted an extension, which expires on June 30. This is the deadline that is looming for many organizations. The requirements also include internal communication between two servers, not only external communication directly to clients.
(Excerpt) Read more at concertocloud.com ...
It looks like it is time for me to do a new install on my Linux PC. I've not been able to do updates on the installed package for a while, so I guess it is time
The methods used for financial transaction on the web evidently are not that secure any more. New exploits have made updates in the Transport Level components of secured log-in's.
If anyone reading this has a simple explanation of the issue please explain it.
Old bugs taken out. New bugs put in..........................
Bet the new security measures have already been hacked.
I suspect that is true.
Just stop accepting Credit Cards, why would anyone pay a banker a fee just to get paid in the first place??
Credit Card theft and Identity theft are the same as pregnancy and AIDS, Abstinence works EVERY TIME it is tried.
The real reason?
The Treasury Department needs better security.........................in tracking your purchases.....................
yeah, i’m gonna fire my wireshark right up and analyze raw packets ... not a helpful article at all ... here’s an easier way:
In Internet Explorer, goto “Internet Options” => Advanced Settings => “Security” and disable all security protocols except TLS 1.2, and then see which https sites break (including your own if you have one) ...
I do not run Windows.
I do have Wireshark on my computer.
Well, that is exactly what I was expecting. Very likely the “real” reason for it.
But I don’t have a business that is related in any form to the internet.
This only affects me as far as personal security matters on the web.
I receive no funds via credit cards.
This is more than just for financial transactions. It does affect being tracked on the web.
There are plenty of enterprise devices that had 56 bit encryption built into the system. For some of these (e.g. certain older SANs) you either have to use an old browser, or wheel a crash cart and plug directly into the serial port. Major pain.
“I do not run Windows.”
same thing can be done with firefox, but more complicated for average computer user to make the settings changes ...
“Just stop accepting Credit Cards, why would anyone pay a banker a fee just to get paid in the first place?? “
Firefox can run in Windows but Windows cannot run in firefox
We’ve spent a huge amount of time at the company I work for remediating TLS.
Thank you. I think there is legal liability for companies that do business on the web concerning this. That is probably why it is happening.
I have no ideal how risky for an individual it is. This deadline date was know long ago. So it is not driven by recent threats.
My solution may be a clean install of a new Linux distribution. One that is out of the box very secure.
I hate backingup for the clean install, but my current distribution has ceased to be something that can be updated.
I can make the settings changes in Firefox. The sites that have notified me of this assume my version is dated. It is not that old. But I think it has to do with TLS in the install. I’ve never used SSL with it, only TLS.
hee hee hee
It takes an hour to build the box. A bit longer than that to do the initial load of updates, then do the restore overnight whilst I sleep. Next morning, I have a box ready to go. (minus some support programs that I discover I'm missing as time goes by and I re-add them.
Someday, I'm actually going to be smart and keep an accurate list of the other packages I install over time. Never have been able to really manage that because I'm lazy.
BTW, using backintime makes it really easy to make a backup for offsite storage. I hook up the external drive for offsite backup, umount /backup, then mount the drive to /backup. Since I run a full backup every night, the next morning I'll umount /backup, mount the original /backup device, and I'm ready to go.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.