1

When browsing the internet about TLS and SSL I found that on 30th June 2018, IETF are prohibiting SSL and TLS 1.0 because of exploits such as POODLE (Found it on this website: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls). IsIETF or another organisation/company making an alternative to SSL so all protocols that use it (not just HTTPS) will still work?

ComputingGuest
  • 83
  • 8

1 Answers1

1

When browsing the internet about TLS and SSL I found that on 30th June 2018, IETF are prohibiting SSL and TLS 1.0 ....

While you don't provide a source for this claim ("browsing the internet" is not a useable source) I think you are confusing several things here:

  • SSL 2.0 is broken for years, SSL 3.0 is considered broken too (POODLE attack), TLS 1.0 has known weaknesses but is not considered critically broken (POODLE does not apply here, except for buggy implementations which did not correctly implement the standard)
  • The IETF is not prohibiting TLS 1.0 on 30th June 2018. Instead this date comes from the PCI security standards councel which is relevant for example for payment providers.

The document Migrating from SSL and Early TLS includes the following statement:

After June 30, 2018, all entities must have stopped use of SSL/early TLS as a security control, and use only secure versions of the protocol (an allowance for certain POS POI terminals is described in the last bullet, below)

Here "early TLS" refers to TLS 1.0 and "SSL" to SSL 3.0 which means that one can still use TLS 1.1 and TLS 1.2 and also the new TLS 1.3 wherever PCI requirements apply. And you can continue to use TLS 1.0 outside these requirements (i.e. for non-payment sites) although use of the well supported and more secure TLS 1.2 (or better) is recommended. Also, all modern OS and browsers have support for TLS 1.2 for years, thus there is no need to worry.

Steffen Ullrich
  • 114,247
  • 10
  • 131
  • 172
  • And there are tens maybe hundreds of Qs across several Stacks on how to update systems and programs to select or enable TLS > 1.0; just search. Even Java 6, which was officially obsoleted in 2013, has been patched for this in the paid-support version. IETF 'prohibited' SSL2 in 2011 (rfc6176) and SSL3 in 2015 (rfc7568) but technically these just removed the backward compatibility option in TLS since SSL was never a standards-track RFC (only historical). And IETF moved first AFAIK to prohibit RC4 in 2015 (rfc7465) for all protocol versions. – dave_thompson_085 Apr 02 '18 at 21:16
  • Sorry I forgot my source. I saw it on this website: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls . I first found there stopping it by looking at TLS on Wikipedia (https://en.wikipedia.org/wiki/Transport_Layer_Security) – ComputingGuest Apr 03 '18 at 15:26