SSL Labs Tightens Security: Boosts Penalties for Outdated Payment Protocols
SSL Labs has recently increased penalties for using outdated or insecure protocols in payment transactions. The latest changes aim to push servers towards more secure standards.
The PCI Security Council previously deprecated SSL v3 and TLS 1.0, which are now considered obsolete and insecure. Despite this, some servers still rely on these outdated protocols. In response, SSL Labs has enhanced its grading system to encourage migration to newer, more secure versions.
The latest release, SSL Labs 1.17.10, has increased the penalty for using RC4 with modern protocols (TLS 1.1 and TLS 1.2). This change follows an earlier announcement to penalize RC4 usage, which was implemented on May 20. RC4 is known to be vulnerable to attacks like DROWN.
The release also includes what SSL Labs calls a 'mild nudge' towards migrating away from TLS 1.0. This protocol is affected by known attacks such as BEAST and Lucky 13, making it insecure. The maximum grade for servers that do not support TLS 1.2 has been lowered from B to C, a change that has caused some controversy.
TLS 1.2, supported by about 60% of servers and by modern browsers, is more secure and is now the recommended standard. To ease the transition, SSL Labs has introduced SSL Labs Notifications, which let users receive advance notice of grading changes at least one month before they take effect.
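As an added example (not part of the original article and not SSL Labs' own code), the following Python script audits an nginx-style TLS configuration against the grading rules described above: SSL v3 and TLS 1.0 are flagged as deprecated, RC4 offered alongside TLS 1.1 or TLS 1.2 is flagged, and a server that does not offer TLS 1.2 is capped at grade C. The two configuration snippets are constructed for illustration; the weak one shows the settings the new grading penalises, and the hardened one shows the corrected settings. The exact grade SSL Labs assigns for RC4 is not stated on the page, so the script reports RC4 as a finding without assigning a cap for it.

```python
"""Audit nginx-style ssl_protocols / ssl_ciphers directives against the
SSL Labs grading changes: deprecated protocols, RC4 with modern protocols,
and the grade-C cap for servers without TLS 1.2.

The config text below is constructed sample input, not a real server's
configuration."""
import re

# Protocols the PCI Security Council has deprecated (SSL v3, TLS 1.0), in
# nginx's spelling.
DEPRECATED_PROTOCOLS = {"SSLv3", "TLSv1"}
MODERN_PROTOCOLS = {"TLSv1.1", "TLSv1.2"}

# Constructed example: the kind of configuration the new grading penalises.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1;
    ssl_ciphers 'RC4-SHA:ECDHE-RSA-RC4-SHA:AES128-SHA';
}
"""

# Constructed example: the corrected configuration (TLS 1.2 only, no RC4).
HARDENED_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!RC4';
}
"""

DIRECTIVE_RE = re.compile(r"^\s*(ssl_protocols|ssl_ciphers)\s+([^;]+);", re.M)


def parse_directives(config_text):
    """Return {'ssl_protocols': [...], 'ssl_ciphers': [...]} for the
    directives present in the text. Cipher lists use OpenSSL's ':'-separated
    syntax; this is a literal token scan and does not expand aliases such as
    HIGH or DEFAULT, so treat it as a heuristic rather than a handshake test."""
    found = {}
    for match in DIRECTIVE_RE.finditer(config_text):
        name, value = match.group(1), match.group(2).strip()
        if name == "ssl_protocols":
            found[name] = value.split()
        else:
            found[name] = value.strip("'\"").split(":")
    return found


def audit(config_text):
    """Return a dict with a list of findings and the grade cap implied by
    the rules described on the page (None when no cap applies)."""
    directives = parse_directives(config_text)
    protocols = set(directives.get("ssl_protocols", []))
    ciphers = directives.get("ssl_ciphers", [])
    findings = []

    # SSL v3 and TLS 1.0 are deprecated and should not be offered at all.
    for proto in sorted(protocols & DEPRECATED_PROTOCOLS):
        findings.append(f"deprecated protocol enabled: {proto}")

    # RC4 offered with TLS 1.1/1.2 draws an increased penalty. Tokens that
    # start with '!' are exclusions in OpenSSL syntax and are ignored here.
    rc4_suites = [c for c in ciphers if "RC4" in c.upper() and not c.startswith("!")]
    if rc4_suites and protocols & MODERN_PROTOCOLS:
        findings.append("RC4 offered with TLS 1.1/1.2: " + ", ".join(rc4_suites))

    # Servers that do not support TLS 1.2 are now capped at grade C.
    grade_cap = None
    if "TLSv1.2" not in protocols:
        grade_cap = "C"
        findings.append("TLS 1.2 not offered: grade capped at C")

    return {"findings": findings, "grade_cap": grade_cap}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit(cfg)
        print(f"[{label}] grade cap: {result['grade_cap']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Running the script prints one block per configuration: the weak one yields two deprecated-protocol findings, an RC4 finding and the grade-C cap, while the hardened one yields no findings and no cap. Because the cipher check only scans literal tokens, a real deployment should still be confirmed with a live handshake test such as the SSL Labs scan itself.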
The recent grading changes by SSL Labs aim to improve security in payment transactions. Servers are encouraged to migrate to TLS 1.2, with increased penalties for using outdated or insecure protocols. The PCI Security Council's deprecation of SSL v3 and TLS 1.0, along with SSL Labs' enhanced grading system, should drive servers towards more secure standards.