<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1678611822423757&amp;ev=PageView&amp;noscript=1">
Defrag This

| Read. Reflect. Reboot.

SSL vs. TLS: Why Make the Transition?

Rick Robinson| March 22 2016

| security

If you want your meetings to put everyone outside support to sleep, schedule a presentation on SSL vs. TLS. Or you can spell it out, Secure Socket Layer versus Transport Layer Security; or simply RTSNOWU, Really Technical Stuff No One Will Understand.

But someone has to understand it, and make decisions about it, because making the transition from SSL to TLS is a really big deal when determining the security of the data that passes through the machines on your network. Every email and Web document can be compromised by a security lapse at this point. And upgrading isn't a simple, free plug-and-play. Crap.

'Endpoint Security' Gets Basic

First, a quick SSL vs. TLS primer. These aren't quite two alternative technologies, but rather successive stages of one technology. The name was changed from SSL 3.1 to TLS 1.0 because of trademark issues with the old Netscape browser, for which SSL was originally developed.

By either name, though, this is all about endpoint security at the most fundamental level, where data gets into or out of a computer via any active network connection. The "layer" in both names is the external connection, and the goal is to ensure that this connection is encrypted and therefore secure.

In the older SSL version of the technology, the connection is made explicitly via a secure port. TLS is less rigid, allowing the system to request a secure connection. The two parties (usually client and server) either agree upon this delivery or break connection if it isn't secure.

Once a connection was established in previous-gen SSL, both protocols were equally secure. But since late 2014, as the PCI security standards organization reports, a vulnerability called POODLE (Padding Oracle On Downgraded Legacy Encryption) has popped up rendering SSL (and even first-generation TLS) potentially ineffective at protecting your users' data.

Which means it's time for SSL to go.

Decisions, Decisions

In a perfect world sysadmins follow every best practice to the letter. And don't you already? In the long run, following best practices does make everything go so much easier. In the messy real world of your workplace, however, you're usually running late and over budget. The things you should do need to be prioritized under the more urgent issues facing ops to prevent you from going on the ropes. So what priority should the transition from SSL to TLS have?

If your IT shop is involved in e-commerce, or deals with credit and debit cards in any way, the decision has already been made for you. The PCI DSS will be done with SSL after June 30, 2016. Be there with TLS or be square.

Other organizations may have some latitude, and the PCI document cited offers risk mitigation procedures to minimize (but not eliminate) the vulnerabilities associated with continued use of SSL. To take a simple example, deleting any Web browsers on a given machine will reduce the risk of that machine going online insecurely.

But for most organizations it's getting time to suck gut, draw up a (temporary) risk mitigation plan and migration plan — also outlined by the PCI — and schedule a time frame to make it happen. If you aren't involved with payment cards you don't need to worry about the June 30 deadline, but putting it off won't make it easier.

It may put users to sleep at a meeting, but making the transition from SSL to TLS will let you sleep a lot better, knowing your data is reliably encrypted in motion.

Topics: security

Leave a Reply

Your email address will not be published. Required fields are marked *

THIS POST WAS WRITTEN BY Rick Robinson

Free Trials

Getting started has never been easier. Download a trial today.

Download Free Trials

Contact Us

Let us know how we can help you. Focus on what matters. 

Send us a note

Subscribe to our Blog

Let’s stay in touch! Register to receive our blog updates.