The future of SSL

Post by dciliske »

Recently we have released an update to our crypto library to add TLS support (1.0, 1.1, and 1.2). If anyone is using crypto currently, and is not looking at updating, well, it appears that the end is coming quickly for SSL.

Deprecating Secure Sockets Layer Version 3.0
Abstract

The Secure Sockets Layer version 3.0 (SSLv3), as specified in RFC
6101, is not sufficiently secure. This document requires that SSLv3
not be used. The replacement versions, in particular, Transport
Layer Security (TLS) 1.2 (RFC 5246), are considerably more secure and
capable protocols.

This document updates the backward compatibility section of RFC 5246
and its predecessors to prohibit fallback to SSLv3.

...

3. Do Not Use SSL Version 3.0

SSLv3 MUST NOT be used. Negotiation of SSLv3 from any version of TLS
MUST NOT be permitted.

...

If you're not aware, in RFCs, the word MUST is a reserved word, and means that implementations are required to carry out a specific behavior.

So, again, if you're using crypto, and are not currently using one of the new releases, I'd suggest working towards that end.

-Dan
Dan Ciliske
Project Engineer
Netburner, Inc
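A server-side sketch of the "MUST NOT negotiate SSLv3" rule quoted in the post, added here as an illustration; it is not part of the original post and is not NetBurner's library code. The function name, enum and sample bytes are hypothetical, and the server is assumed to support TLS 1.0 through 1.2 as the post describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define REC_HANDSHAKE   0x16
#define HS_CLIENT_HELLO 0x01
#define VER_TLS10 0x0301u
#define VER_TLS12 0x0303u   /* highest version this hypothetical server speaks */

enum hello_verdict { HELLO_MALFORMED = -1, HELLO_REJECT_VERSION = 0, HELLO_OK = 1 };

/* Inspect record header (5 bytes), handshake header (4) and client_version (2).
 * On HELLO_OK, *negotiated is min(client_version, VER_TLS12). */
enum hello_verdict check_client_hello(const uint8_t *buf, size_t len, uint16_t *negotiated)
{
    if (buf == NULL || len < 11) return HELLO_MALFORMED;
    /* Record layer: only the major version is checked. RFC 5246 Appendix E
     * lets clients send any {03,XX} here, {03,00} included, so it is NOT
     * the value to enforce the SSLv3 ban on. */
    if (buf[0] != REC_HANDSHAKE || buf[1] != 0x03) return HELLO_MALFORMED;
    size_t rec_len = ((size_t)buf[3] << 8) | buf[4];
    if (rec_len < 6 || rec_len > len - 5) return HELLO_MALFORMED;
    if (buf[5] != HS_CLIENT_HELLO) return HELLO_MALFORMED;

    /* ClientHello.client_version is the value that is actually negotiated. */
    uint16_t client_version = (uint16_t)((buf[9] << 8) | buf[10]);
    if (client_version < VER_TLS10)
        return HELLO_REJECT_VERSION; /* {03,00} or lower: protocol_version alert, close */
    *negotiated = client_version > VER_TLS12 ? (uint16_t)VER_TLS12 : client_version;
    return HELLO_OK;
}

/* Constructed samples, truncated right after client_version. */
static const uint8_t hello_tls12[] = { 0x16, 0x03, 0x00, 0x00, 0x06, /* record version {03,00} */
                                       0x01, 0x00, 0x00, 0x02,       /* ClientHello header */
                                       0x03, 0x03 };                 /* client_version TLS 1.2 */
static const uint8_t hello_ssl3[]  = { 0x16, 0x03, 0x01, 0x00, 0x06, /* record version {03,01} */
                                       0x01, 0x00, 0x00, 0x02,
                                       0x03, 0x00 };                 /* client_version SSLv3 */

int main(void)
{
    uint16_t v = 0;
    printf("tls12 hello: %d\n", check_client_hello(hello_tls12, sizeof hello_tls12, &v));
    printf("ssl3 hello:  %d\n", check_client_hello(hello_ssl3, sizeof hello_ssl3, &v));
    return 0;
}
```

The two samples deliberately cross the versions: the first carries {03,00} only in the record header and is accepted, the second carries it in client_version and is refused.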