Secure Sockets Layer (SSL) 3.0 Encryption Declared “No Longer Acceptable” to Protect Data

The National Law Forum, Thu, 19 Feb 2015
https://nationallawforum.com/2015/02/19/secure-sockets-layer-ssl-3-0-encryption-declared-no-longer-acceptable-to-protect-data/

McDermott Will & Emery

On Friday, February 13, 2015, the Payment Card Industry (PCI) Security Standards Council (Council) posted a bulletin to its website, becoming the first regulatory body to publicly pronounce that Secure Sockets Layer (SSL) version 3.0 (and by inference, any earlier version) is “no longer… acceptable for protection of data due to inherent weaknesses within the protocol” and, because of the weaknesses, “no version of SSL meets PCI SSC’s definition of ‘strong cryptography.’” The bulletin does not offer an alternative means that would be acceptable, but rather “urges organizations to work with [their] IT departments and/or partners to understand if [they] are using SSL and determine available options for upgrading to a strong cryptographic protocol as soon as possible.” The Council reports that it intends to soon publish an updated version of PCI-DSS and the related PA-DSS that will address this issue. These developments follow news of the Heartbleed and POODLE attacks from 2014 that exposed SSL vulnerabilities.

Although the PCI standards only apply to merchants and other companies involved in the payment processing ecosystem, the Council’s public pronouncement that SSL is vulnerable and weak is a wake-up call to any organization that still uses an older version of SSL to encrypt its data, regardless of whether these standards apply.

As a result, every company should consider taking the following immediate action:

  1. Work with your IT stakeholders and those responsible for website operation to determine if your organization or a vendor for your organization uses SSL v. 3.0 (or any earlier version);

  2. If it does, evaluate with those stakeholders how to best disable these older versions, while immediately upgrading to an acceptable strong cryptographic protocol as needed;

  3. Review vendor obligations to ensure compliance with a stronger encryption protocol is mandated and audit vendors to ensure the vendor is implementing greater protection;

  4. If needed, consider retaining a reputable security firm to audit or evaluate your and your vendors’ encryption protocols and ensure vulnerabilities are properly remediated; and

  5. Ensure proper testing prior to rollout of any new protocol.
