Understanding Online Systems Security – the Technology and Latest Security Updates | By Linda Misauer

The security industry is well known for using fantastic acronyms that make people sound clever. I will briefly explain some that relate to online systems security, advise which of these technologies you should be using, and cover the latest updates and how they could impact your business.

Let’s start with HTTP

HTTP is the protocol over which data is sent between your browser and the website you are connected to (picture it as a bidirectional tunnel).

Most people are familiar with a “secure website” and checking to see if there is a lock icon in the various browsers. See examples below:

TLS

When that tunnel is an SSL/TLS connection, we are using HTTPS. It means all communications between your browser and the website are encrypted. SSL/TLS secures the tunnel.

HTTP vs HTTPS

SSL/TLS can be used to secure application-specific protocols other than HTTP, such as FTP, SMTP, NNTP and XMPP.

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both of which are frequently referred to as “SSL”, are cryptographic protocols that provide communications security over a computer network.

TLS is the replacement for SSL v3.0 and has versions 1.0, 1.1, and 1.2 available.

Recommended TLS upgrade

The security of information is incredibly important, and there are various industry security standards that businesses have to adhere to, one of them being the Payment Card Industry Data Security Standard (PCI DSS).

In the new release of PCI 3.1, the PCI Council deemed that SSL and early TLS (1.0) no longer protect cardholder data, so they can’t be used as a security control after June 30, 2016. This affects all merchants and service providers processing or transmitting credit card data, as well as businesses that use PCI standards as a guideline for their internal security standards.

What is the impact of the TLS upgrade?

For businesses, system updates are required to use the latest versions of TLS. The knock-on impact on the public is:

  • Websites: Businesses that have upgraded their website security to adhere to the new standard (HTTPS using TLS 1.1 and above) may find that some people can no longer view their website, because older browser versions don’t support TLS 1.1 and above. It will look like their website is down.


  • Emails: Email images hosted on an HTTPS site that adheres to this standard will not display for people using older browser versions, and they may not be able to click through to website links from the emails. It will look like the emails are broken.

Businesses will therefore have to advise their customers/users/public who have older browsers and systems that they need to upgrade.
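To estimate how many of your visitors an upgrade would lock out before you raise the minimum TLS version, you can inspect the handshakes your site already receives. The following Python is an added example, not code from the article: it parses a TLS ClientHello (record framing per RFC 5246, the supported_versions extension per RFC 8446) and reports the highest version the client offers; the sample ClientHello bytes are constructed here, not captured from a real browser.

```python
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1",
                0x0303: "TLSv1.2", 0x0304: "TLSv1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B  # extension type from RFC 8446


def highest_offered_version(record: bytes) -> int:
    """Highest TLS version offered by the ClientHello in one TLS record.
    TLS 1.3 clients list versions in supported_versions; older clients only
    set client_version, which is the best they support."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    hello_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hello_len]
    if hello_len < 34 or len(body) < hello_len:
        raise ValueError("truncated ClientHello")
    best = int.from_bytes(body[0:2], "big")              # legacy client_version
    pos = 2 + 32                                         # skip version + random
    pos += 1 + body[pos]                                 # session_id
    pos += 2 + int.from_bytes(body[pos:pos + 2], "big")  # cipher_suites
    pos += 1 + body[pos]                                 # compression_methods
    if pos + 2 <= len(body):                             # extensions are optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            data = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == SUPPORTED_VERSIONS_EXT and data:
                offered = [int.from_bytes(data[i:i + 2], "big")
                           for i in range(1, 1 + data[0], 2)]
                best = max(offered, default=best)
    return best


def locked_out(record: bytes, server_minimum: int = 0x0302) -> bool:
    """True if a server whose floor is server_minimum (TLS 1.1, the PCI DSS 3.1
    requirement, by default) would refuse this client's ClientHello."""
    return highest_offered_version(record) < server_minimum


def build_client_hello(client_version: int, supported=None) -> bytes:
    """Constructed sample ClientHello (not a real capture), for demonstration."""
    ext = b""
    if supported:
        vers = b"".join(v.to_bytes(2, "big") for v in supported)
        item = SUPPORTED_VERSIONS_EXT.to_bytes(2, "big") + (len(vers) + 1).to_bytes(2, "big")
        ext = (len(item) + len(vers) + 1).to_bytes(2, "big") + item + bytes([len(vers)]) + vers
    body = (client_version.to_bytes(2, "big") + bytes(32)         # client_version + random
            + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00" + ext)  # sid, one suite, null compression
    return b"\x16\x03\x01" + (len(body) + 4).to_bytes(2, "big") + b"\x01" + len(body).to_bytes(3, "big") + body
```

Feeding real ClientHello records (for example, the first TLS record of each connection from a packet capture) to `locked_out` gives a count of clients that would see the "site down" symptom described above.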

Here are some sites that show how to test your browser:

And information on how to enable TLS 1.1 & 1.2 & disable SSL and TLS 1.0:

Email Marketing industry:

Click tracking information will not be gathered and images will not display in emails being sent out (although if the email is properly designed, the fallback will still be an acceptable user experience).

How do we resolve this?

The PCI SSC has realized that this is an issue and is therefore extending the migration completion date to 30 June 2018 for transitioning from SSL and TLS 1.0 to a secure version of TLS (currently v1.1 or higher).

This will give businesses and their users more time to update their browsers and/or computer security systems.

via Technology & Innovation Articles on Business 2 Community http://ift.tt/2hvb2LC
