Stop Using SSL, Use TLS Instead

By Ryan Lambert -- Published March 24, 2016

Security matters. One of the bigger issues I see in online security is that too many people are supporting outdated, insecure technologies. One of the big offenders is "SSL" (Secure Sockets Layer). Recently, a new attack against SSL v2 was discovered, dubbed the "DROWN" attack. What makes me wonder is why systems in 2016 still support protocols that have been known to be insecure for more than 5 years. Further, even the most recent version of the SSL protocol (v3) has been insecure since 2014, when the POODLE vulnerability was discovered.

In reality, SSL has been antiquated for quite some time, having been superseded by "TLS" (Transport Layer Security).

SSL Is Insecure; use TLS instead. I want to make clear that there is no secure SSL protocol remaining.

Why Admins Still Support SSL

One of the biggest reasons I see for admins to continue enabling SSL protocols is backwards compatibility. I understand that desire; I don't like breaking backwards compatibility, but when the security and privacy of myself, my business, and my clients' data is at stake, I have to err on the side of security whenever possible. Further, if you're claiming to be supporting older clients, really the only browser out there that doesn't support TLS by default is Internet Explorer 6. Check out the SSL/TLS chart on Wikipedia for more details about the versions of the major browsers.

Internet Explorer 6

IE6 was released in 2001, so it is quite old, and I decided a few years ago to stop wasting time "fixing" my content to work well with IE6. This post from 2011 suggests that supporting design efforts on IE6 plus modern browsers adds an additional 30-100% in costs. That's just the design and functionality side of things, not including security, which is my focus here. Data breaches cost companies a lot of money, with the per-record cost of stolen data rising to $154 in 2015.

How Much Traffic Still Uses IE6

It takes significantly more effort, and therefore cost, to support outdated browsers. That leads me to ask: how many people are still using IE6? Microsoft has an IE6 Countdown showing that less than 1% of the world-wide Internet traffic is still using IE6. Less than 1%! Yet supporting that tiny minority fully would require significant effort in design, and requires leaving insecure SSL protocols enabled, putting the security of your servers and your users' privacy at risk.

Disable SSL, only use TLS.

Please, please stop supporting insecure SSL protocols.
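
One way to check for this, as an added example that is not from the original post: a small Python audit that flags server configuration lines still enabling SSLv2 or SSLv3. It assumes the nginx `ssl_protocols` and Apache `SSLProtocol` directives (the post names no server) and conservatively treats Apache's `all` as including both SSL versions; the sample configuration is constructed.

```python
import re

SSL_VERSIONS = {"sslv2", "sslv3"}
# Assumption: "all" is treated conservatively as enabling every version below.
ALL = SSL_VERSIONS | {"tlsv1", "tlsv1.1", "tlsv1.2"}
# Matches uncommented nginx "ssl_protocols" and Apache "SSLProtocol" lines.
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.I)

def enabled_ssl(directive, tokens):
    """Return the SSL (non-TLS) versions a protocol list leaves enabled."""
    apache = directive.lower() == "sslprotocol"
    enabled = set()
    for tok in tokens:
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        group = ALL if name == "all" else {name}
        if sign == "-":
            enabled -= group
        elif sign == "+" or not apache:
            enabled |= group          # nginx lists are purely additive
        else:
            enabled = set(group)      # Apache: a bare token replaces the set
    return sorted(enabled & SSL_VERSIONS)

def audit(config_text):
    """Return (line number, [SSL versions]) for each offending directive."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m:
            bad = enabled_ssl(m.group(1), m.group(2).split())
            if bad:
                findings.append((lineno, bad))
    return findings

# Constructed sample lines, not taken from a real server.
SAMPLE = """\
# ssl_protocols SSLv3;  (commented out, ignored)
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
SSLProtocol -all +TLSv1.2
"""

if __name__ == "__main__":
    for lineno, bad in audit(SAMPLE):
        print(f"line {lineno}: still enables {', '.join(bad)}")
```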

Last Updated March 24, 2016