What are SSL & TLS?
Most people assume that when they go to their bank’s website and enter banking information, that information is secure while it is being transmitted to and from the bank. Two main protocols are used to secure much of the information transmitted on the Internet, such as banking information. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) are both encryption protocols that encrypt data in transit to help provide privacy and ensure data integrity. When a protocol like HTTP is used in conjunction with SSL or TLS, an “S” is added to the end of HTTP and it becomes HTTPS. HTTPS is the first part of the URL when accessing a secure web page, indicating that an SSL or TLS certificate is in use. Although the terms SSL and TLS are often used interchangeably, SSL 3.0 is now outdated and more vulnerable to attacks such as POODLE (“Padding Oracle On Downgraded Legacy Encryption”).
Why is Security Important?
Recent attacks on large corporations have highlighted the need for increased security of data in transit. Although attacks like Heartbleed were more severe, a POODLE attack on SSL 3.0 can recover one byte of an encrypted message with an average of 256 SSL 3.0 requests. With enough SSL requests, an attacker can decrypt larger messages.
What Can Companies & Consumers Do for Protection?
Companies should ensure that every web page where information is entered or transmitted has been upgraded to use TLS certificates. Also consider disabling SSL on both the client and server side to prevent SSL attacks. Use caution, however, since many customers may still have servers that are not compatible with TLS.
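As an added example (not from the original post, and not a Linford & Co. tool), the audit below shows what “disabling SSL on the server side” looks like in practice for an nginx server block: it reads the `ssl_protocols` directive, flags any SSL version still enabled, and rewrites the directive to a hardened one. The hardened line goes slightly beyond the post by also retiring TLS 1.0 and 1.1, which current guidance treats as legacy; the configuration text is constructed for illustration and the script treats the whole file as one scope, so the last directive wins.

```python
import re
from typing import Dict, List

# Versions an nginx `ssl_protocols` directive can list, oldest first.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
# SSL 2.0/3.0 are the post's concern (POODLE); TLS 1.0/1.1 are added per current guidance.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
HARDENED = "ssl_protocols TLSv1.2 TLSv1.3;"

# Matches an active (not commented-out) directive; group 1 keeps the indentation.
DIRECTIVE_RE = re.compile(r"^([ \t]*)ssl_protocols[ \t]+([^;]+);", re.MULTILINE)

# Constructed sample: a deliberately weak server block with a commented-out hardened line.
WEAK_CONFIG = """\
server {
    listen 443 ssl;
    server_name bank.example;
    # ssl_protocols TLSv1.2 TLSv1.3;   # commented out, must not count
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""

def enabled_protocols(config_text: str) -> List[str]:
    """Protocols from the last active `ssl_protocols` directive, or [] if absent
    (in which case nginx's built-in default applies and should be reviewed)."""
    matches = list(DIRECTIVE_RE.finditer(config_text))
    return matches[-1].group(2).split() if matches else []

def audit(config_text: str) -> Dict[str, object]:
    """Report enabled, legacy and unrecognised versions; ok only when an explicit
    directive exists and lists nothing legacy or unknown."""
    enabled = enabled_protocols(config_text)
    legacy = [p for p in enabled if p in LEGACY]
    unknown = [p for p in enabled if p not in PROTOCOL_ORDER]
    return {"enabled": enabled, "legacy_enabled": legacy, "unknown": unknown,
            "ok": bool(enabled) and not legacy and not unknown}

def harden(config_text: str) -> str:
    """Replace every active `ssl_protocols` directive with the hardened one,
    preserving indentation; comments and other directives are left untouched."""
    return DIRECTIVE_RE.sub(lambda m: f"{m.group(1)}{HARDENED}", config_text)

if __name__ == "__main__":
    print("before:", audit(WEAK_CONFIG))
    fixed = harden(WEAK_CONFIG)
    print("after: ", audit(fixed))
    print(fixed)
```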
Consumers should only transmit sensitive data on websites whose URL begins with HTTPS. Additionally, consumers should click the lock icon next to the URL of the website they are visiting, note the encryption level and the type of certificate, and confirm that the website is using TLS certificates rather than SSL certificates.
Staying in front of hackers and preventing all Internet-based attacks is a daunting task for anyone. It is important to stay up to date on vulnerabilities such as those with SSL, and continue to be vigilant by implementing additional security measures, patching systems for known security vulnerabilities, and using the latest and greatest encryption methods and protocols.
Rob started with Linford & Co., LLP in 2011 and leads the HITRUST practice as well as performs SOC examinations and HIPAA assessments. He has spoken at Data Center World on compliance-related topics and has completed over 200 SOC examinations. He started his career as an IT auditor in 2003 with PwC in the Systems and Process Assurance group, and has worked in a variety of industries in internal audit as well as for the City and County of Denver.