SSL is dead, what now

johannes

I got this newsletter info from my CERT today:

SSL Is Officially Declared Dead
---------------------------------------------
On January 30, 2015, QSAs received the latest edition of the Council's Assessor Newsletter. Buried in that edition was the following statement. "The impacting change is related to several vulnerabilities in the SSL protocol. Because of this, no version of SSL meets PCI SSCs definition of strong cryptography, and updates to the standards are needed to address this issue." ... Therefore, those of you still using SSL to secure transmissions containing cardholder data (CHD) need to ...
---------------------------------------------
https://pciguru.wordpress.com/2015/02/07/ssl-is-officially-declared-dead/

Does anybody have more info about this? What would this mean for servers and hosting? Any thoughts?
 
To be fair, SSL has been dead for some time now; it has several severe vulnerabilities, including POODLE. Server owners are advised to only use TLS, preferably TLS 1.2, and reject SSL connections.
 
Correct, it's nothing really new.
To expand on what Vaporizer said, DA and Apache installs will use ciphers that disable all SSL versions, in favor of TLS.

Feel free to peruse this list and compare with what you have to ensure you're up to date.
http://help.directadmin.com/item.php?id=571

Note that we still call https "SSL", but in reality it's not using any SSLvX version; it's using TLSv1.X (or should be, with the correct ciphers).
"SSL" is still just a general term for an encrypted connection.

So the Package item in DA called "SSL" is referring to the ability to use "https", and does not refer to which encryption type is used in that https connection.

John
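The advice in this thread (reject SSLv2/SSLv3, keep TLS) is easy to state but easy to get wrong in an Apache vhost, because mod_ssl's `SSLProtocol` directive has replace/add/remove semantics: an unprefixed keyword replaces the whole set, `+` adds, `-` removes, and `all` expands to every protocol the build knows. The following is an added example, not code from DirectAdmin, Apache or any poster in this thread: a small audit that parses `SSLProtocol` lines from a config and reports whether any SSL version is still enabled. The two vhost snippets are constructed samples; the `DEFAULT_ALL` expansion (which version set `all` covers depends on the Apache/OpenSSL build) and the assumption that a vhost with no `SSLProtocol` directive inherits a server default of `all` are mine, not taken from the page.

```python
# Added example (hypothetical helper): audit Apache mod_ssl "SSLProtocol" values
# for lingering SSLv2/SSLv3. Parsing follows mod_ssl's documented syntax:
#   - an unprefixed keyword REPLACES the current set
#   - "+name" adds, "-name" removes
#   - "all" expands to every protocol the build knows (ASSUMED set below)
import re

SSL_VERSIONS = {"SSLv2", "SSLv3"}

# ASSUMPTION: what "all" expands to. Old 2.2-era builds also included SSLv2;
# 2.4 builds on modern OpenSSL add TLSv1.3. Adjust per deployment.
DEFAULT_ALL = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")
KNOWN = set(DEFAULT_ALL) | {"SSLv2", "TLSv1.3"}
_CANON = {name.lower(): name for name in KNOWN}  # mod_ssl matches case-insensitively


def _expand(word, all_set):
    """Map one keyword to the set of protocol names it denotes."""
    if word.lower() == "all":
        return set(all_set)
    if word.lower() not in _CANON:
        raise ValueError(f"unknown SSLProtocol keyword: {word!r}")
    return {_CANON[word.lower()]}


def parse_sslprotocol(value, all_set=DEFAULT_ALL):
    """Return the set of protocol versions an SSLProtocol value enables."""
    enabled = set()
    for token in value.split():
        action = token[0] if token[0] in "+-" else ""
        names = _expand(token[1:] if action else token, all_set)
        if action == "+":
            enabled |= names
        elif action == "-":
            enabled -= names
        else:
            enabled = names  # unprefixed keyword overwrites everything before it
    return enabled


# Only whole-line directives count; "#"-commented lines never match this pattern.
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.+?)\s*$", re.IGNORECASE)


def audit(config_text, all_set=DEFAULT_ALL):
    """Find every SSLProtocol directive and report what it leaves enabled."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        enabled = parse_sslprotocol(match.group(1), all_set)
        findings.append({
            "line": lineno,
            "value": match.group(1),
            "enabled": sorted(enabled),
            "ssl_enabled": sorted(enabled & SSL_VERSIONS),
        })
    return findings


def ssl_still_enabled(config_text, all_set=DEFAULT_ALL):
    """True if any directive (or the absence of one) leaves SSLv2/SSLv3 on."""
    findings = audit(config_text, all_set)
    if not findings:
        # ASSUMPTION: no directive means the server default applies, treated as "all"
        return bool(set(all_set) & SSL_VERSIONS)
    return any(f["ssl_enabled"] for f in findings)


# Constructed sample: a stale vhost that never restricted the protocol set.
WEAK_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
"""

# Constructed sample: the same vhost with SSL versions removed.
HARDENED_CONFIG = """\
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite HIGH:!aNULL:!MD5
</VirtualHost>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        for f in audit(cfg):
            print(f"{label}: line {f['line']} '{f['value']}' -> "
                  f"enabled={f['enabled']} ssl={f['ssl_enabled']}")
```

A point the parser makes visible: `SSLProtocol all -SSLv3 +SSLv3` silently re-enables SSLv3, and `SSLProtocol TLSv1.2` written after an earlier `all -SSLv3` replaces rather than narrows the set, so reading the directive in isolation is not enough; run the audit over the effective config of every vhost.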
 