Understanding online systems security – the technology and latest security updates
The security industry is well known for using fantastic acronyms that make people sound clever. I will briefly explain some that are related to online systems security and also advise you on which of these technologies you should be using, as well as the latest updates and how they could impact your business.
Let’s start with HTTP
HTTP is the protocol over which data is sent between your browser and the website that you are connected to (picture it as a bidirectional tunnel).
Most people are familiar with a “secure website” and checking for the lock icon that the various browsers show in the address bar.
When that tunnel is an SSL/TLS connection, then we are using HTTPS. It means all communications between your browser and the website are encrypted. SSL/TLS secures the tunnel.
SSL/TLS can be used to secure application-specific protocols other than HTTP, such as FTP, SMTP, NNTP and XMPP.
TLS is the replacement for SSL v3.0 and has versions 1.0, 1.1 and 1.2 available.
Recommended TLS upgrade
The security of information is incredibly important, and there are various industry security standards that businesses have to adhere to, one of them being the Payment Card Industry Data Security Standard (PCI DSS).
In the new release of PCI 3.1, the PCI Council deemed that SSL and early TLS (1.0) will no longer protect cardholder data and so it can’t be used as a security control after June 30, 2016. This affects all merchants and service providers processing or transmitting credit card data, as well as businesses that use PCI standards as a guideline for their internal security standards.
(Read more: PCI 3.1: Stop Using SSL and Outdated TLS Immediately)
What is the impact of the TLS upgrade?
For businesses, system updates are required to use the latest versions of TLS. The knock-on impact to the public is …
- Websites: Businesses that have upgraded their website security to adhere to the new standard (HTTPS using TLS 1.1 and above) may find that some people will no longer be able to view their website. This is because older browser versions don’t support TLS 1.1 and above. It will look like their website is down.
- Emails: Email images hosted on an HTTPS site that adheres to this standard will not display for people using older browser versions. They may not be able to click through to website links from the emails. It will look like the emails are broken.
Businesses will therefore have to advise their customers/users/public who have older browsers and systems that they need to upgrade.
Information on how to enable TLS 1.1 and 1.2 and disable SSL and TLS 1.0:
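As an added example (not from the original article), a short Python script showing both sides of the change: a server-side context that refuses SSL and TLS 1.0, and a probe you can run against your own site after the upgrade to confirm which protocol versions it still accepts. It assumes only Python's standard ssl module and sets the floor at TLS 1.2 rather than the article's 1.1, because TLS 1.1 has itself since been deprecated and many OpenSSL builds no longer offer it.

```python
import socket
import ssl

# Protocol names as reported by SSLSocket.version() that PCI DSS 3.1 no longer
# accepts as a security control: SSL and "early TLS" (TLS 1.0).
DISALLOWED = {"SSLv2", "SSLv3", "TLSv1"}
# Assumption: floor set to TLS 1.2 (the article's floor is 1.1; 1.1 is now deprecated too).
DEFAULT_MINIMUM = ssl.TLSVersion.TLSv1_2


def is_pci_acceptable(negotiated: str) -> bool:
    """True if a negotiated protocol name (e.g. "TLSv1.2") is allowed under PCI 3.1."""
    return negotiated not in DISALLOWED


def hardened_server_context(certfile=None, keyfile=None,
                            minimum=DEFAULT_MINIMUM) -> ssl.SSLContext:
    """Server-side context that rejects every version below `minimum` at handshake.

    minimum_version is the modern replacement for the OP_NO_SSLv3 / OP_NO_TLSv1 flags.
    certfile/keyfile are optional so the context can be built without files.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = minimum
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def probe_versions(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Attempt one handshake per protocol version against your own server.

    Returns {version_name: True (accepted) / False (refused) / None (not built into
    the local OpenSSL)}. After the upgrade, SSLv3 and TLSv1 should not be True.
    """
    results = {}
    for ver in (ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE  # we are testing protocol support, not the cert
        try:
            ctx.minimum_version = ctx.maximum_version = ver  # pin exactly one version
        except ValueError:
            results[ver.name] = None
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[ver.name] = is_pci_acceptable(tls.version()) or True
        except (ssl.SSLError, OSError):
            results[ver.name] = False
    return results
```

Run `probe_versions("your.site.example")` against a host you administer; any True beside SSLv3 or TLSv1 means the old protocols are still enabled on that server.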
Email Marketing industry:
Click tracking information will not be gathered and images will not display in emails being sent out (although if the email is properly designed, the fallback will still be an acceptable user experience).
See which browsers are not compatible with TLS 1.1 or higher: TLS 1.0 Encryption Permanently Disabled on Mar 31, 2016
How do we resolve this?
The PCI SSC has realized that this is an issue and is therefore extending the migration completion date to 30 June 2018 for transitioning from SSL and TLS 1.0 to a secure version of TLS (currently v1.1 or higher).
Read more: Date Change for Migrating from SSL and Early TLS
This will give businesses and their users more time to update their browsers and/or computer security systems.