In an effort to support older customers and partners, end users, or developers, many businesses keep supporting technologies that have become obsolete. Web visitors connecting to a site over obsolete protocols like SSL 3.0 or TLS 1.0 put their security at risk. Fortunately, the tide is turning and the practice of supporting outdated protocols is coming to an end.

The way forward for security-conscious businesses is to embrace standardized best practices and to drop support for obsolete protocols.

Vulnerabilities So Big They Are Branded

Encryption in transit is the de facto standard for assuring the confidentiality and integrity of information transmitted over the internet.

Over time, encryption protocols and the code libraries that implement them tend to become less secure as flaws are discovered in their design, implementation, or use. The following are examples of exploits discovered in recent years that have become so widely known they are branded.

  • POODLE is a man-in-the-middle attack that downgrades the connection to a protocol version that is vulnerable to the attack. POODLE was mainly aimed at SSL 3.0, but TLS 1.0 and 1.1 are also vulnerable.
  • BEAST is a man-in-the-middle attack that exploits a vulnerability in the Cipher Block Chaining (CBC) mode in TLS 1.0 and uses it to decrypt data exchanged between two parties. In other words, it undermines the very purpose of encryption in transit.
  • HEARTBLEED is a flaw in OpenSSL, a critical cryptographic software library used in major operating systems around the world. It allows attackers to potentially expose the secret keys used to encrypt content, as well as the content itself. As a result, it too undermines the very purpose of encryption in transit.

Compliance and Operations

These exploits threaten the smooth operation of an internet service and can be used to expose customer information. Relying on outdated encryption protocols poses regulatory issues as well.

When it comes to personal data, GDPR requires adequate technical safeguards for the processing of such data. Since attacks against outdated protocols undermine the purpose of encryption, protocols must be kept continuously up to date so that adequate security remains in place.

When it comes to payment card data, PCI DSS requires payment card processors to use TLS 1.2 or above as of the June 2018 deadline set by the PCI Security Council.

A comparable organizational example of compliance is when your business requires internal updates to employee computers, operating systems, and software. The purpose is to ensure the proper handling of confidential information as well as smooth workflows.

Siteimprove Stops Support

Outdated technology continues to be used across many digital platforms, but supporting obsolete technology significantly increases exposure to security attacks. It is a delicate balance to maintain a harmonious online ecosystem with all partners and customers. Nevertheless, Siteimprove has decided to stop supporting older encryption protocols, namely TLS 1.0 and 1.1, and will support only TLS 1.2 and 1.3.

The need to support legacy integrations, as well as customers running legacy systems, has pushed companies to keep using TLS 1.0 and 1.1 in certain areas of their service. However, it is more important to deliver a reliable and secure experience and to keep pace with known technological advances and state-of-the-art web services.

Siteimprove encourages all partners to follow suit, as ultimately the service delivered to customers must ensure a smooth and secure experience.

How will these changes impact Siteimprove’s customers? Read more in the Siteimprove Help Center.