Why It's Time to Disable All Versions of SSL | JSCAPE

Earlier this month, the PCI SSC (Payment Card Industry Security Standards Council) published a bulletin on impending revisions to PCI DSS (Payment Card Industry Data Security Standard) and PA DSS (Payment Application Data Security Standard). The bulletin focused on SSL's failure to meet PCI SSC's definition of "strong cryptography" and the move to revise the two standards in light of this development.

SSL (Secure Sockets Layer) is a cryptographic protocol for securing data-in-motion. Like SSH and other cryptographic protocols, it is employed by businesses in achieving PCI DSS compliant file transfers. Of all these protocols, SSL is arguably the most widely used. It wouldn't be surprising if practically the entire banking/finance industry is dependent on it. Unfortunately, recent findings have shown that all versions of SSL possess inherent weaknesses that make it unsuitable for securing high value information such as credit card data.

While there have been previous attacks on SSL, the POODLE (Padding Oracle On Downgraded Legacy Encryption) vulnerability, which was discovered last October (2014), was probably the last nail in the coffin. When PCI DSS v3.1 and PA DSS v3.1 will be released, they will already reflect changes addressing SSL-related issues.

Obviously, the vulnerabilities found in SSL will not only affect organisations transmitting payment card data. If you regularly transmit any kind of sensitive information, then you should stop using SSL.

If it's any consolation, most people use "SSL" as an all-embracing term, often calling TLS - actually an improved version of the protocol - SSL. Hence, it's possible that you're already using TLS to transmit your data. In addition, all major browsers (Chrome, Firefox, and Internet Explorer) have already disabled SSL 3. Of course, there are several legacy applications out there, so I suggest you make it a point to disable SSL.

For users of JSCAPE MFT Server, the ability to disable SSL v3 (the version affected by the POODLE vulnerability) was introduced in version 9.0.7.126. You will also have that ability (as well as the ability to disable other versions of TLS if you want) when you download the latest version of JSCAPE MFT Server.