SSL, TLS and Alarmism.
Updated: Aug 13, 2019
Excerpt from an email I received this morning from Harbortouch, entitled “POS Systems Are Now Useless”:
“Considerable changes are being made to PCI requirements in order to address a vulnerability with SSL encryption called POODLE. In short, SSL encryption, which has been the standard encryption method for decades, is no longer PCI compliant due to vulnerabilities in this protocol.”
Ugh. The one thing more damaging to security than a breach is the perception of a breach. Now while that might seem a naive way of thinking about it, I’ll make arguments to my dying day that it is, nonetheless, accurate. Fear-mongering in IT (where the stakes are often high) is a fast way to make a buck out of folks who are bent on staving off incursions. It’s akin to yelling “Fire” in a crowded movie house and then trying to sell people buckets of water on their way out to the lobby. Yes, breaches happen from time to time and nobody is downplaying that or saying that they’re a good thing, but nothing good ever comes of spamming out something designed to deliberately misinform and panic both vendors and end users.
Here’s the real scoop. SSLv2 and SSLv3, and early versions of TLS (SSL’s successor), are vulnerable to POODLE. This issue was discovered in 2015, and most reputable POS vendors looked at it, upgraded to TLS 1.2, and never looked back. End of story. But wait; there’s more:
“SSL has been the standard encryption protocol for decades, so virtually every POS system older than a few months will likely require a costly security upgrade no later than June 2018 (with some deadlines as soon as this summer) or face a complete shutdown of credit card processing capabilities.”
Yes, SSL has been the standard protocol since the mid-nineties, but the versions that are vulnerable to POODLE have been largely deprecated. They were outdated in 2015, and even further back responsible folks in the IT field were moving away from SSL and toward TLS 1.2. None of this is in any way new news. The PCI bit is true as far as it goes; a few years ago PCI 3.1 was sunsetted, with PCI 3.2 rolling out in June of 2018, but there’s no “costly upgrade” involved at all; your POS vendor will simply implement TLS 1.2, which is functionally interchangeable with the older SSL technology. They both use certificates, and you don’t need new or special certificates to use TLS.
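What “implement TLS 1.2” actually amounts to in code is worth seeing, because it shows how small the change is. The example below is added here and is not from the original post, from Harbortouch, or from any POS vendor; it uses only the Python standard library’s ssl module (3.7 or newer, linked against OpenSSL), and the function names (permitted_versions, pre_tls12_exposure, hardened_client_context, hardened_server_context, legacy_client_context, negotiated_version) are my own. It audits what protocol versions an SSLContext’s policy still permits, shows the one-line floor that retires SSLv3 and early TLS, and demonstrates the point about certificates: the same certificate and key are loaded either way, only the minimum version moves.

```python
"""Audit and raise the TLS protocol floor with the standard library.

Added example, not code from the original post.  Assumes Python 3.7+ with
the ssl module linked against OpenSSL; it touches no real POS system.
"""
import socket
import ssl
from typing import List, Optional

# Protocol versions in wire order.  SSLv2 is absent on purpose: no OpenSSL
# that Python 3 links against can speak it, so there is nothing to audit.
_WIRE_ORDER = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]

# OP_NO_* flags are the older way of switching a version off; an audit has
# to honour them as well as minimum_version / maximum_version.
_DISABLE_FLAGS = {
    ssl.TLSVersion.SSLv3: ssl.OP_NO_SSLv3,
    ssl.TLSVersion.TLSv1: ssl.OP_NO_TLSv1,
    ssl.TLSVersion.TLSv1_1: ssl.OP_NO_TLSv1_1,
    ssl.TLSVersion.TLSv1_2: ssl.OP_NO_TLSv1_2,
    ssl.TLSVersion.TLSv1_3: ssl.OP_NO_TLSv1_3,
}


def permitted_versions(ctx: ssl.SSLContext) -> List[str]:
    """Names of the protocol versions this context's *policy* allows.

    MINIMUM_SUPPORTED / MAXIMUM_SUPPORTED mean "whatever the library will
    speak", so they are widened to the ends of the wire order.  Whether the
    linked OpenSSL still speaks SSLv3 is a separate question; the point of
    an audit is that the configuration must not rely on that.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED:
        lo = _WIRE_ORDER[0]
    if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        hi = _WIRE_ORDER[-1]
    return [
        v.name for v in _WIRE_ORDER
        if lo <= v <= hi and not (ctx.options & _DISABLE_FLAGS[v])
    ]


def pre_tls12_exposure(ctx: ssl.SSLContext) -> List[str]:
    """Versions below TLS 1.2 the context still permits: SSLv3 and the early
    TLS versions the post says should already have been retired."""
    return [v for v in permitted_versions(ctx)
            if ssl.TLSVersion[v] < ssl.TLSVersion.TLSv1_2]


def hardened_client_context() -> ssl.SSLContext:
    """Client context pinned to TLS 1.2 or newer.  Certificate validation is
    whatever create_default_context already does; raising the floor changes
    nothing about the certificates themselves."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def hardened_server_context(certfile: str,
                            keyfile: Optional[str] = None) -> ssl.SSLContext:
    """Server side of the same upgrade: the existing certificate and key are
    loaded unchanged; only the protocol floor moves to TLS 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """A context written the old way: no floor at all, deferring to whatever
    the library accepts.  Constructed here only to show what the audit flags;
    do not use it for anything real."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    ctx.options &= ~ssl.OP_NO_SSLv3   # Python sets OP_NO_SSLv3 by default
    return ctx


def negotiated_version(host: str, port: int = 443) -> str:
    """Connect to one of your own endpoints with the hardened context and
    report the version that was negotiated.  Needs network access, so it is
    not part of the offline checks."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print("legacy  :", permitted_versions(legacy_client_context()),
          "exposed:", pre_tls12_exposure(legacy_client_context()))
    print("hardened:", permitted_versions(hardened_client_context()),
          "exposed:", pre_tls12_exposure(hardened_client_context()))
```

Run it and the legacy context reports SSLv3, TLSv1 and TLSv1_1 as still permitted while the hardened one reports none; pointing negotiated_version at your own POS gateway tells you what it actually negotiates today. Note that permitted_versions reports policy, not capability: a modern OpenSSL build may refuse SSLv3 regardless, but a configuration that is only safe because of what the library happens to be compiled with is exactly the kind of thing the PCI deadlines were meant to flush out.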
Here’s the most telling bit: “That means that this is the time for you to go on the offensive and capture more business!”
Pft. And there we have it, ladies and gentlemen. It never hurts to stay up-to-date with your PCI/security obligations, but it never hurts to take this kind of thing with an ounce of investigation and a liberal pinch of salt…