
Understanding online systems security – the technology and latest security updates


The security industry is well known for using fantastic acronyms that make people sound clever. I will briefly explain some that are related to online systems security and also advise you on which of these technologies you should be using, as well as the latest updates and how they could impact your business.

Let’s start with HTTP

HTTP is the protocol over which data is sent between your browser and the website that you are connected to (picture it as a bidirectional tunnel).

Most people are familiar with a “secure website” and with checking for the lock icon that the various browsers show in the address bar.

TLS

When that tunnel is an SSL/TLS connection, we are using HTTPS. It means all communications between your browser and the website are encrypted: SSL/TLS secures the tunnel.

HTTP Vs HTTPS

SSL/TLS can be used to secure application-specific protocols other than HTTP, such as FTP, SMTP, NNTP and XMPP.

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as “SSL”, are cryptographic protocols that provide communications security over a computer network. (Read more: Transport Layer Security on Wikipedia)

TLS is the replacement for SSL v3.0 and is available in versions 1.0, 1.1 and 1.2.

Recommended TLS upgrade

The security of information is incredibly important, and there are various industry security standards that businesses have to adhere to, one of them being the Payment Card Industry Data Security Standard (PCI DSS).

In the new release, PCI DSS 3.1, the PCI Council deemed that SSL and early TLS (1.0) no longer protect cardholder data, so they cannot be used as a security control after June 30, 2016. This affects all merchants and service providers processing or transmitting credit card data, as well as businesses that use PCI standards as a guideline for their internal security standards.

(Read more: PCI 3.1: Stop Using SSL and Outdated TLS Immediately)

What is the impact of the TLS upgrade?

For businesses, system updates are required to use the latest versions of TLS. The knock-on impact to the public is:

  • Websites: Businesses that have upgraded their website security to adhere to the new standard (HTTPS using TLS 1.1 and above) may find that some people can no longer view their website, because older browser versions don’t support TLS 1.1 and above. To those users it will look as if the website is down: the browser simply reports “Page can't be displayed”.
  • Emails: Email images hosted on an HTTPS site that adheres to this standard will not display for people using older browser versions, and they may not be able to click through to website links from the emails. It will look like the emails are broken.

Businesses will therefore have to advise their customers/users/public who have older browsers and systems that they need to upgrade.

Here are some sites that show how to test your browser:

And information on how to enable TLS 1.1 & 1.2 & disable SSL and TLS 1.0:
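Enabling TLS 1.1/1.2 and disabling SSL and TLS 1.0 is a server-side configuration change, so here is an added example (not from the original post and not Striata's code) that audits an nginx-style `ssl_protocols` line against the PCI 3.1 rule and builds a Python server `SSLContext` that enforces the same floor. The directive strings are constructed for illustration, the nginx syntax is an assumption about the web server in use, and the function names are my own.

```python
"""Audit a web-server TLS protocol list against the PCI DSS 3.1 rule
(no SSL, no TLS 1.0) and build a Python server context that enforces it.

Constructed example: the directive strings are made up, and the
nginx-style `ssl_protocols` syntax is an assumption about the server."""
import ssl

# Versions PCI DSS 3.1 stopped accepting as a security control.
FORBIDDEN = {"SSLv2", "SSLv3", "TLSv1"}
# Versions the post calls "a secure version of TLS (currently v1.1 or higher)".
# TLS 1.1 was itself deprecated by RFC 8996 in 2021, so new deployments
# should start at TLS 1.2; that is the default floor used below.
ACCEPTABLE = {"TLSv1.1", "TLSv1.2", "TLSv1.3"}


def audit_ssl_protocols(directive):
    """Parse an nginx-style `ssl_protocols ...;` line and report its state.

    Returns a dict with the enabled versions, the forbidden ones among them,
    and whether the line satisfies the PCI rule described above."""
    body = directive.strip().rstrip(";").split()
    if not body or body[0] != "ssl_protocols":
        raise ValueError("expected an ssl_protocols directive")
    enabled = body[1:]
    unknown = [v for v in enabled if v not in FORBIDDEN | ACCEPTABLE]
    if unknown:
        raise ValueError("unknown protocol token(s): %s" % ", ".join(unknown))
    forbidden = [v for v in enabled if v in FORBIDDEN]
    return {
        "enabled": enabled,
        "forbidden": forbidden,
        # Compliant only if nothing forbidden is on and something modern is.
        "compliant": not forbidden and any(v in ACCEPTABLE for v in enabled),
    }


def hardened_server_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Server-side SSLContext that refuses SSLv3 and TLS 1.0 handshakes.

    minimum_version (Python 3.7+) replaces the older OP_NO_SSLv3/OP_NO_TLSv1
    option flags. The caller still has to load a certificate and key with
    load_cert_chain() before serving; that step is omitted here."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum
    return ctx


def context_floor_name(ctx):
    """Name of the lowest protocol version a context will negotiate."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    weak = "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;"  # the 'before' setting
    fixed = "ssl_protocols TLSv1.2 TLSv1.3;"             # the corrected setting
    for line in (weak, fixed):
        print(line, "->", audit_ssl_protocols(line))
    print("server floor:", context_floor_name(hardened_server_context()))
```

Running the audit over the first directive flags SSLv3 and TLSv1 as forbidden; the corrected line passes. The same floor should be verified from the outside after deployment, for example with `openssl s_client -connect host:443 -tls1`, which must fail to handshake once TLS 1.0 is off.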

Email Marketing industry:

Click tracking information will not be gathered and images will not display in emails being sent out (although if the email is properly designed, the fallback will still be an acceptable user experience).

See which browsers are not compatible with TLS 1.1 or higher: TLS 1.0 Encryption Permanently Disabled on Mar 31, 2016

How do we resolve this?

The PCI SSC has realized that this is an issue and is therefore extending the migration completion date to 30 June 2018 for transitioning from SSL and TLS 1.0 to a secure version of TLS (currently v1.1 or higher).

Read more: Date Change for Migrating from SSL and Early TLS

This will give businesses and their users more time to update their browsers and/or computer security systems.

Linda Misauer

Vice President, Global Solutions at Striata, a Doxim company.

Linda Misauer is the Head of Global Solutions at Striata and is responsible for technical Research and Development, Operations and Project Management for global initiatives.

Linda previously led the Product Management of the Striata Application Platform before moving across to Striata North America as Chief Technical Officer (CTO). As Product Manager, her responsibilities included internal project management of the product development team, market research & product feature design, as well as the product lifecycle management and quality control. As CTO, Linda was responsible for all technical operations for North, Central and South America, including the Project Management, Support, Production and Data Engineering.

Linda has over 10 years of experience in the IT industry, ranging from video streaming solutions and website application development to electronic billing and messaging. Prior to joining Striata in 2002, Linda held the positions of Chief Information Officer at AfriCam, and was IT project manager at Dimension Data.

Linda studied at the University of Natal – Pietermaritzburg and holds a BSc degree, majoring in Computer Science and Economics. Linda also has a Diploma in Project Management.
