On February 6, 2019, a technical paper was published describing a newly identified attack on TLS 1.2 and 1.3. Of course, the first thing that a lot of us wondered was, “Will the PCI SSC now kill off TLS 1.2 and 1.3?”
Before panic sets in, I am guessing that TLS 1.2/1.3 will not go away like SSL v3 and TLS 1.0/1.1 did before. The reason is that this is just another variation of the Bleichenbacher attacks that seem to crop up every so often regarding SSL and TLS. What is different about this attack is the new side-channel leak approach that was used.
The risk in this attack is best described from the researchers’ technical paper.
“… even though the use of RSA in secure connections is diminishing (only ≈6% of TLS connections currently use RSA [1, 51]), this fraction is still too high to allow vendors to drop this mode. Yet, as we show in Section VI, supporting this small fraction of users puts everyone at risk, as it allows the attacker to perform a downgrade attack by specifying RSA as the only public key algorithm supported by the server.”
The problem is entirely related to the use of RSA PKCS#1 v1.5 in TLS. The rest of the protocol is just fine. So, at worst, I could see the Council recommending that RSA PKCS#1 v1.5 not be allowed to be used.
Which reminds me of years ago when the US banking regulators came out and stated that by a certain date, Internet Explorer 6 would no longer be allowed to be used for internet banking. According to the banks at the time, such a move by the regulators would create a support nightmare or, even worse, kill off internet banking. However, the date came, the banks turned off IE6 and little happened. Yes, there were a few days of higher than normal support calls about customers not being able to get into their accounts, but those quickly died off.
The issue with RSA PKCS#1 v1.5 is similar to the banking story. At what point do we draw the line on these sorts of problems? 10% of users? 2% of users? 1% of users? In this case, 6% of the internet users are putting the remaining 94% at risk. Is it worth it? Each organization will have to determine if that risk is acceptable and justify why.
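An added example (not from the original post or the researchers' paper): one way to check which suites in a server's OpenSSL cipher string still use RSA key exchange, the TLS mode that depends on RSA PKCS#1 v1.5 encryption, by reading the key-exchange label Python's `ssl` module reports for each suite. The two cipher strings are constructed samples, not a recommended configuration.

```python
import ssl
from collections import defaultdict


def suites_by_key_exchange(cipher_string):
    """Group the suites an OpenSSL cipher string enables by key exchange.

    OpenSSL labels each suite's key exchange in the 'kea' field:
    'kx-rsa' is static RSA (client encrypts the premaster secret to the
    server key with PKCS#1 v1.5), 'kx-ecdhe'/'kx-dhe' are ephemeral
    Diffie-Hellman, and 'kx-any' marks TLS 1.3 suites, which have no
    RSA key exchange at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    groups = defaultdict(list)
    for suite in ctx.get_ciphers():
        groups[suite.get("kea", "unknown")].append(suite["name"])
    return dict(groups)


def rsa_key_exchange_suites(cipher_string):
    """Return the enabled suites that use static RSA key exchange."""
    return sorted(suites_by_key_exchange(cipher_string).get("kx-rsa", []))


# Constructed sample: forward-secret suites plus two RSA key exchange
# suites kept for older clients.
LEGACY = "ECDHE+AESGCM:AES128-GCM-SHA256:AES256-SHA"
# Same string with RSA key exchange removed. "!kRSA" deletes only suites
# whose key exchange is RSA; ECDHE-RSA suites stay, because there the RSA
# key only signs the handshake.
HARDENED = LEGACY + ":!kRSA"


if __name__ == "__main__":
    for label, cipher_string in (("legacy", LEGACY), ("hardened", HARDENED)):
        flagged = rsa_key_exchange_suites(cipher_string)
        print(f"{label}: {cipher_string}")
        print(f"  RSA key exchange suites: {flagged or 'none'}")
```

Run it against the cipher string from your own web server or load balancer configuration; an empty list means no enabled suite negotiates RSA key exchange.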
As of March 2020, several web browsers won’t have TLS 1.1 enabled, like IE, Chrome, Firefox, etc. I haven’t found any recent document from PCI regarding not using TLS 1.1; the last version, PCI 3.2.1, still allows 1.1 or above. Is it still OK to have TLS 1.1 in certain systems? Ideally one will use TLS 1.2 or above, but technically, is 1.1 OK for PCI compliance?
TLS v1.1 was a “special” situation if you read the NIST document SP800-52 rev 1. There are configurations of TLS v1.1 that were deemed insecure and others that were secure. So the recommendation was to only use TLS v1.2 or greater to be truly safe. But if you were using TLS v1.1 for whatever reason, the recommendation was to only use the secure configurations.
Thanks. Totally understand, you are correct, only secure configurations for TLS 1.1 where TLS 1.2 was not possible or you could not disable TLS 1.1 to leave only 1.2.
If the scan detects an insecure cipher or configuration, it needs to be adjusted to be secure. But the fact of having TLS 1.1 showing on the scan, without being insecure (detecting an insecure 1.1 configuration), shouldn’t present a compliance problem still, should it?
That seems to depend on the vulnerability scanner and what it does beyond just detecting TLS v1.1. Some only go after the insecure configurations, others generate a message that TLS v1.1 was found, and others just flag TLS v1.1 as “bad”.
For the last two situations, I use Qualys’s SSL Test (https://www.ssllabs.com/ssltest/) to confirm or deny that what was found is actually “bad” so that you can get the ASV to remove it if it is not “bad”.
It’s irrelevant what percentage of Internet users use outdated . What’s relevant is how many of your customers use it. If I were to propose “flipping the switch” and blocking 6% of our online banking customers I’d be shot. And I should be. Why? Because Vulnerability != Risk. There is precisely zero chance that all 6% of those customers will actually have their connections to us intercepted and we could not afford to lose 6% of our customers. Life is all about balances.
The paper on the flaw is explaining the server side problem for an attacker that goes after your site. The fact that you support the RSA protocol puts the server at risk of leaking information. You need to remember that not everyone that connects to your site is your “customer”.