Protect Your Customer Data - Update SSL/TLS Security Protocols

Whenever we send information over the internet, such as making a purchase on a website or submitting an application for credit, that information is sent across public channels that anyone potentially has access to. To protect that information, we all depend on Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), to authenticate the systems we interact with and to encrypt the data we are sending so that only the intended recipient can read and understand it. These processes start with authentication of the server, followed by a "handshake", where a public key and private key established for the server are used in a complex mathematical calculation to produce a common shared secret between the server and the user's system. The shared secret is then used to encode and share a common encryption key that will be used to protect all subsequent communications for that session. This ensures that only the server we are sending information to can actually read and understand that information.

Since these security measures are ultimately based on mathematics, the strength of that security is determined by the complexity of the mathematical calculations involved and how they are implemented.  These same factors also affect the types of attacks that are possible against these protections: key interception, cracking the encryption, and various mechanisms to identify values in protected information.  These attacks depend on finding mathematical shortcuts or weaknesses in the implementation of the security protocols to expose protected information.

In April of 2014 a major flaw of this third type was revealed in OpenSSL, a commonly used open-source package for SSL and TLS secured communications.  This flaw, which came to be known as “Heartbleed,” allowed a malicious attacker to retrieve additional information from a secure server that could compromise anything from user passwords to the server's private key, and affected a huge number of servers around the world.

It is no longer sufficient to just ensure that servers and programs make use of security protocols; they have to be maintained and updated to stay secure. New algorithms are being developed all the time for increased security, and the implemented security protocols are constantly being improved, both to remove vulnerabilities and to provide improved functionality or more advanced algorithms. As the arms race between hackers and information security continues to escalate, numerous protocols and encryption methods that were once thought secure are now completely insecure. Beginning in January 2017, Qualys SSL Labs and other internet security experts have recommended TLS version 1.2 as the minimum standard for acceptable secure communication.

Maintaining security is further complicated by "protocol downgrades", which can reduce the security of a server if less secure protocols are not disabled.  Disabling support for weaker protocols means that communications will fail with systems that don't support stronger protocols, so many web services still support them, even if their default configuration is for the most secure and up-to-date protocols.  What this effectively means, though, is that those less up-to-date service partners may be exposing your information if they use less secure protocols.

The bottom line is that we all have to keep our SSL/TLS security protocols up to date, and disable insecure protocols to protect our customer data.  
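One way to check that weaker protocols really are disabled is to audit the server configuration for anything below the TLS 1.2 floor. The script below is an added example, not LendPro's code: it assumes an nginx server (whose `ssl_protocols` directive lists the enabled versions), and the sample configuration and host names are constructed for illustration.

```python
import re

# Protocol names as nginx spells them in the ssl_protocols directive.
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # below the TLS 1.2 floor
STRONG = {"TLSv1.2", "TLSv1.3"}

# Assumption: one directive per line; lines starting with '#' do not match.
DIRECTIVE = re.compile(r"^\s*ssl_protocols\s+([^;#]*);")


def audit_ssl_protocols(config_text):
    """Return (line_no, kind, protocols) findings for an nginx config."""
    findings = []
    seen = False
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        seen = True
        enabled = match.group(1).split()
        weak = [p for p in enabled if p in WEAK]
        if weak:
            findings.append((line_no, "weak", weak))
        if not any(p in STRONG for p in enabled):
            findings.append((line_no, "no_tls12_plus", []))
    if not seen:
        # No explicit setting: the server falls back to its built-in
        # default, which should be checked for the installed version.
        findings.append((0, "missing", []))
    return findings


# Constructed sample configuration (hypothetical host names).
SAMPLE_CONFIG = """\
server {
    listen 443 ssl;
    server_name legacy.example.test;
    # ssl_protocols TLSv1.2;   (commented out, so not in effect)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
server {
    listen 443 ssl;
    server_name app.example.test;
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""

if __name__ == "__main__":
    for line_no, kind, protocols in audit_ssl_protocols(SAMPLE_CONFIG):
        print(f"line {line_no}: {kind} {' '.join(protocols)}")
```

The first server block is flagged because it still accepts TLS 1.0 and 1.1 alongside TLS 1.2, which is exactly the configuration that lets a connection fall back to a weaker protocol.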

Security is our goal at LendPro. To protect the integrity of your data, we utilize the latest encryption technologies, including TLS 1.2, to ensure data is secure as it makes the journey from your system to our SOC 2 audited data center.

 

Ken Reinert

Software Analyst, LendPro