Will The Council Kill Off TLS?

On February 6, 2019, a technical paper was published regarding a new attack on TLS 1.2 and 1.3 had been identified.  Of course, the first thing that a lot of us wondered was, “Will the PCI SSC now kill off TLS 1.2 and 1.3?”

Before panic sets in, I am guessing that TLS 1.2/1.3 will not go away like SSL v3 and TLS 1.0/1.1 did before.  The reason is that this is just another variation of the Bleichenbacher attacks that seem to crop up every so often regarding SSL and TLS.  What is different about this attack is the new side-channel leak approach that was used.

The risk in this attack is best described from the researchers’ technical paper.

 “… even though  the  use  of  RSA  in  secure  connections  is  diminishing (only ≈6% of TLS connections  currently  use  RSA  [1,  51]), this  fraction  is  still  too  high  to  allow  vendors  to  drop  this mode.  Yet,  as  we  show  in  Section  VI,  supporting  this  small fraction of users puts everyone at risk, as it allows the attacker to perform a downgrade attack by specifying RSA as the only public key algorithm supported by the server.”

The problem is all related to the use of RSA PKCS#1 v1.5 in TLS.  The rest of protocol is just fine.  So, at worst case I could see the Council recommending that RSA PKCS#1 v1.5 not be allowed to be used.

Which reminds me of years ago when the US banking regulators came out and stated that by a certain date, Internet Explorer 6 would no longer be allowed to be used for internet banking.  According to the banks at the time, such a move by the regulators would create a support nightmare or, even worse, kill off internet banking.  However, the date came, the banks turned off IE6 and little happened.  Yes, there were a few days of higher than normal support calls about customers not being able to get into their accounts, but those quickly died off.

The issue with RSA PKCS#1 v1.5 is similar to the banking story.  At what point do we draw the line on these sorts problems?  10% of users?  2% of users?  1% of users?  In this case, 6% of the internet users are putting the remaining 94% at risk.  Is it worth it?  Each organization will have to determine if that risk is acceptable and justify why.


6 Responses to “Will The Council Kill Off TLS?”

  1. 1 Mike
    July 2, 2020 at 1:09 PM

    As March of 2020, several web browsers won’t havs TLS 1.1 enabled, like I.E, Chrome, firefox, etc. I haven’t found any recent document from PCI regarding not using TLS 1.1, the last version PCI 3.2.1 still allow 1.1 or above. is it still ok to have TLS 1.1 in certain systems?. Ideally one will use TLS 1.2 or above.. but technically, is 1.1 ok for PCI compliance?.

    • July 2, 2020 at 1:14 PM

      TLS v1.1 was a “special” situation if you read the NIST document SP800-52 rev 1. There are configurations of TLS v1.1 that were deemed insecure and others that were secure. So the recommendation was to only use TLS v1.2 or greater to be truly safe. But if you were using TLS v1.1 for whatever reason, to only use the secure configurations.

      • 3 Mike
        July 2, 2020 at 3:22 PM

        Thanks. Totally understand, you are correct, only secure configurations for TLS 1.1 where TLS 1.2 was not possible or you could not disabled TLS 1.1 to leave only 1.2.

        If the scan detects a insecure cipher or configuration it need to be adjusted to be secure. but the fact of having TLS 1.1 showing on the scan , without being insecure(detecting a insecure 1.1 configuration), shouldn’t present a compliance problem still, isn’t it?.

      • July 3, 2020 at 3:46 PM

        That seems to depend on the vulnerability scanner and what it does beyond just detecting TLS v1.1. Some only go after the insecure configurations, others generate a message that TLS v1.1 was found, and others just flag TLS v1.1 as “bad”.

        For the last two situations, I use Qualys’s SSL Test (https://www.ssllabs.com/ssltest/) to confirm or deny that what was found is actually “bad” so that you can get the ASV to remove it if it is not “bad”.

  2. 5 JJ
    March 1, 2019 at 8:27 AM

    It’s irrelevant what percentage of Internet users use outdated . What’s relevant is how many of your customers use it. If I were to propose “flipping the switch” and blocking 6% of our online banking customers I’d be shot. And I should be. Why? Because Vulnerability != Risk. There is precisely zero chance that all 6% of those customers will actually have their connections to us intercepted and we could not afford to lose 6% of our customers. Life is all about balances.

    • March 1, 2019 at 8:37 AM

      The paper on the flaw is explaining the server side problem for an attacker that goes after your site. The fact that you support the RSA protocol puts the server at risk of leaking information. You need to remember that not everyone that connects to your site is your “customer”.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Welcome to the PCI Guru blog. The PCI Guru reserves the right to censor comments as they see fit. Sales people beware! This is not a place to push your goods and services.

March 2019

%d bloggers like this: