TLS 1.0 Is Going Away – How Does That Impact JavaScript Browser-Based Encryption?

15 Feb 2016

In the early days of the Internet, before e-commerce was a major force, the simple browsers of the time used an equally simple security protocol called Transport Layer Security (TLS version 1.0), based on the Secure Socket Layer (SSL) protocol. TLS 1.0 was intentionally designed to make it easy for multiple brands of browsers to work with web sites, which ultimately weakened its security. Now, with hacking of financial and commerce web sites at an all-time high, TLS 1.0 is deemed a vulnerable protocol. The PCI Council has told payment card handlers to stop using this outdated version in order to stay within PCI compliance.

As organizations make the transition away from supporting TLS 1.0 connections from older browsers to their websites, it has become clear that good security practices are outpacing the state of the devices our clients use to connect to e-commerce sites. Even though the PCI Council recently decided to push out the TLS 1.0 sunset date by two years, to June 30, 2018, it’s not too early to start planning for the change. How does the move impact the status of JavaScript browser-based encryption? What is the correct balance between security and usability? What strategy should you use to disable TLS 1.0?

Global Security Coordination Necessary

As you can imagine, the payment card industry wants to maintain the highest level of security and is therefore pushing for disabling TLS 1.0 and moving to TLS 1.1 or 1.2. For the merchant, that means a customer using an outdated browser that only supports TLS 1.0 soon won’t be able to connect to a secure web site. The good news is that at this time most modern browsers either don’t support SSL or have SSL support disabled by default. Between the end client choosing the browser and the regulators choosing security protocols, most of this battle is out of the tokenization providers’ hands, although we do have a voice in the matter through the PCI Council. What we are seeing at that level is a negotiation between retailers, web browser companies, and regulators. At the end of the day, we are at the mercy of the end client. My analogy is that a rising tide lifts all boats. As an industry we must all keep the security tide rising, and eventually we will force the end clients’ browsers to be upgraded.

PCI Compliance and Security Not Optional

At TokenEx, we have two guiding principles in this matter. First, we must stay in compliance with PCI, so we will disable old protocols as necessary. Second, security is essential, so we will negotiate protocols at the most secure level available and not allow a downgrade in protocol. For TokenEx, this is manageable because the majority of our transactions are server to server, so we don’t have the browser-compatibility challenges.

How Does the TLS Change Impact JavaScript Browser-Based Encryption for Tokenization?

As for JavaScript browser-based encryption, TokenEx leverages RSA encryption, which is at the heart of both SSL and TLS. The vulnerabilities in the SSL and TLS protocols, however, are not in the underlying encryption but in the protocol itself. RSA has proven to be a verifiably strong encryption algorithm since the 1970s. RSA strength is really defined by its key length, and TokenEx can easily increase the length of the key without any impact on our clients’ operations. Furthermore, the encryption algorithm is not at the mercy of the browser chosen by the end user. Therefore, we don’t have the same challenges to deal with as we do at the SSL and TLS layer.

Disabling TLS 1.0

Finally, as for disabling TLS 1.0, we will follow a strategy similar to the one we used when we previously completed the SSL transition. From our server side, we can determine who is using an outdated protocol; since most of our transactions are server to server, those connections are typically negligible if not non-existent. For clients using our Hosted Payment Page tokenization technology, we will coordinate the transition to TLS 1.2 and provide statistics on the number of customers connecting with outdated browsers. Fortunately, we believe that not many people are using old browsers to transact their financial business, so the impact should be minimal.
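The two mechanics described above, determining from server-side logs which clients still negotiate an outdated protocol and refusing any protocol below the chosen minimum, in a small added example that is not TokenEx’s code. It assumes a web-server access log to which the negotiated protocol name has been appended (as nginx’s `$ssl_protocol` variable does); the log lines and addresses are constructed.

```python
import re
from collections import Counter

# Constructed access-log lines with the negotiated protocol and cipher appended
# (the names nginx/OpenSSL use: SSLv3, TLSv1, TLSv1.1, TLSv1.2). Not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [15/Feb/2016:10:01:02 +0000] "POST /api/tokenize HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
198.51.100.7 - - [15/Feb/2016:10:01:05 +0000] "GET /hpp/checkout HTTP/1.1" 200 8192 TLSv1 AES256-SHA
203.0.113.10 - - [15/Feb/2016:10:02:11 +0000] "POST /api/tokenize HTTP/1.1" 200 512 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
192.0.2.44 - - [15/Feb/2016:10:03:40 +0000] "GET /hpp/checkout HTTP/1.1" 200 8192 TLSv1.1 ECDHE-RSA-AES256-SHA
198.51.100.7 - - [15/Feb/2016:10:04:00 +0000] "POST /hpp/submit HTTP/1.1" 200 128 TLSv1 AES256-SHA
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \d+ (?P<proto>TLSv[\d.]+|SSLv\d) \S+$'
)


def version_tuple(name):
    """Map a log protocol name to its record-layer version: TLS 1.0 is 3.1, 1.1 is 3.2, 1.2 is 3.3."""
    if name == "SSLv2":
        return (2, 0)
    if name == "SSLv3":
        return (3, 0)
    m = re.fullmatch(r"TLSv1(?:\.(\d))?", name)
    if not m:
        raise ValueError("unknown protocol name: %s" % name)
    return (3, 1 + int(m.group(1) or 0))


def allowed(protocol, minimum="TLSv1.1"):
    """True if the negotiated protocol meets the minimum-version policy, i.e. no downgrade below it."""
    return version_tuple(protocol) >= version_tuple(minimum)


def parse_log(text):
    """Yield (client_ip, protocol_name) for every line that matches the expected log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("proto")


def protocol_report(text, minimum="TLSv1.1"):
    """Count connections per protocol and list the distinct clients the new minimum would reject."""
    counts = Counter()
    rejected = set()
    for ip, proto in parse_log(text):
        counts[proto] += 1
        if not allowed(proto, minimum):
            rejected.add(ip)
    return counts, sorted(rejected)
```

Running `protocol_report(SAMPLE_LOG, "TLSv1.2")` instead shows how many more clients a TLS 1.2-only policy would cut off than a TLS 1.1 minimum, which is the statistic worth tracking before the sunset date.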

TokenEx is the industry leading cloud tokenization data security platform for organizations who want to reduce risk and compliance. Follow us on Twitter and LinkedIn.

Dr. Jerald Dawkins is the CTO and Co-Founder of TokenEx and has extensive experience with secure coding and data security. Jerry is the author of multiple publications and presents at national and international conferences. He also holds the following certifications: CISSP, NSA IAM, and CNS 4011-4015. Jerry received his B.A. in Computer Science from Fort Lewis College in Durango, CO and his M.S. and Ph.D. Degrees in Computer Science from the University of Tulsa in Tulsa, OK.


Read this article for more on the TokenEx Browser-based Encryption solution.