PCI Council pushes back TLS 1.0 End of Life Date to June 2018

On December 15th, the PCI Council updated its date for when TLS 1.0 (an older security protocol used on SSL secure web pages) would be considered obsolete and a PCI violation. Originally, they listed June 30, 2016 as the End of Life (EOL) date for TLS 1.0. They have now extended that deadline to June 30, 2018. You can read more details on the PCI Council blog post.

Why should you care?

TLS 1.0 is still in use on the web today. Cloudflare estimated that 22% of all their SSL traffic was still using TLS 1.0 as of February 2015. Browsers such as Internet Explorer versions 10 and older, older Safari browsers, and older Android phones still only support TLS 1.0. They do not support newer protocols. A full list of TLS 1.0 devices may be found on Wikipedia.

It’s likely that a small portion of your customers still rely on TLS 1.0 to be able to view and use secure web pages. Turning this protocol off too soon can cause you to lose sales.

It’s more than just web browsers. Thousands of servers are running operating systems that do not natively support anything higher than TLS 1.0. This means applications that rely on PHP or Perl may not support TLS 1.1 or higher. The removal of TLS 1.0 will greatly impact many websites’ ability to complete transactions.

Are you at risk with TLS 1.0?

In our opinion (and those of many others), having TLS 1.0 enabled on your website is not a risk to you or your customers. The types of theoretical attacks that are aimed at TLS 1.0 require complicated scenarios to be carried out for the conditions to be right for exploitation. Many times the visitor’s computer must already be compromised, which if it was, the attacker would most likely just steal the info using a key-logger or malware on the computer itself.

We have never seen a website that we host become compromised through a weakness in the TLS 1.0 protocol.

We do however see compromises on a frequent basis due to easy to guess passwords, malware on personal computers that steals FTP logins, out-dated WordPress and ecommerce software that gets hacked through known vulnerabilities, etc… These are the likely ways website owners can face security issues.

It’s too bad the PCI council focuses so much energy on theoretical attacks that are very unlikely to occur.

What’s likely to happen?

It will be interesting to see how this date change plays out in the real world. Many payment gateways like Authorize.net and PayPal have already listed June 2016 as the date when they will disable TLS 1.0 support. Shipping APIs such as FedEx and UPS have also listed June 2016 as the deadline.

We’ll have to see if they delay making this change based on the recent PCI update. My guess is they will delay the removal of TLS 1.0.

What can you do for PCI scans?

For now, we recommend if your PCI scanning company flags TLS 1.0 being enabled on your website as a vulnerability, that you submit a mitigation document that explains you are aware of the issue, and have a plan to disable TLS 1.0 by the deadline. If you are a client of ours, we can provide you with a template, or you can use Trustwave’s Risk Plan Template.

TLS 1.0 being extended to 2018 is a good thing. It gives adequate time for preparations to be made, and more time for the internet general public to use more updated devices that do no rely on this older protocol. Hopefully payment gateways and other providers will extend their deadlines as well. We’ll continue to monitor this event and provide updates as we get them.

Looking for a web host that understands ecommerce and business hosting?
Check us out today!

Leave a Reply