IBM Support

Why use TLS instead of SSL?

Technical Blog Post


Abstract

Why use TLS instead of SSL?

Body

Sterling B2B Integrator users have been told in recent years that they should be using TLS security instead of SSL security.  Sometimes they are handed a mandate by their own company to use TLS, and sometimes they are being told by their partners that SSL is no longer acceptable.  I’d like to take a little time to discuss what this means, and why the change is being made.

First of all, a little about the terminology.  SSL and TLS describe the handshaking methods used to establish an HTTPS connection or an FTPS connection.  “HTTPS” is HTTP communication, which is used by Web browsers, but with an “S” added, which stands for “security”.  “FTPS” is FTP, the basic file transfer protocol used to send and receive data, with the same “S” added.

When you make a connection using a Web browser to a bank, e-mail account, or another WWW site where you may exchange personal or financial information, a secure channel is used.  The address in your browser begins with https://.  It marks the connection as being secured by a certificate.  That certificate keeps your data safer.  It prevents anyone from reading what you transmit, except the WWW site and yourself.

“SSL” means “Secure Socket Layer”.  There were three levels of SSL: SSLv1 (or SSL 1.0), SSLv2, and SSLv3.  They were all developed by Netscape Communications, the company that produced the first browser.  SSLv1 was a development concept; it was never released.  SSLv2 was released in 1995, and officially banned in 2011 because it was found to be extremely insecure.  See RFC 6176 https://tools.ietf.org/html/rfc6176.  SSLv3 was found to have severe vulnerabilities, too, in 2014, known as the POODLE vulnerability https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566.  IBM warned our customers about the POODLE vulnerability in this security bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21688904.  SSLv3 was officially banned by RFC 7568 https://tools.ietf.org/html/rfc7568.

Those RFC articles are from the Internet Engineering Task Force (IETF).  The Internet is not inherently governable, but if it were, the IETF would be its governing body.  Here’s the wording in the RFC: “This document requires that SSLv3 not be used.”

Your browser can still support SSLv2 and SSLv3.  Sterling B2B Integrator can support them, too.  No one has to stop supporting SSLv2 and SSLv3 based on the mandate from the IETF.  However, it’s a really bad idea.

Note: No version of SSL is supported by the IETF.

“TLS” is “Transport Layer Security”.  The first of these, TLS 1.0, was developed in 1999 as a public version of SSLv3.  There are not a lot of differences between SSLv3 and TLS 1.0.  TLS 1.0 was originally intended to be backward compatible with SSLv3, but that functionality has since been dropped.

TLS 1.0 is not susceptible to the POODLE vulnerability.  It is susceptible to a less dangerous vulnerability known as BEAST https://nvd.nist.gov/vuln/detail/CVE-2011-3389.  TLS 1.0 has not yet been banned by the IETF, but there have been ongoing discussions regarding that since at least 2016.

TLS 1.1 was developed and released in 2006: RFC 4346 https://tools.ietf.org/html/rfc4346.

TLS 1.2 was first developed and released in 2008, then was updated in 2011 with RFC 6176 https://tools.ietf.org/html/rfc6176.  It is the current most secure method for HTTPS and FTPS handshaking.  Accordingly, it is the one that IBM recommends to be used when secure communications are required.
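As an added example, not code from this post or from Sterling B2B Integrator, the small Python check below reads the protocol version a captured ClientHello offers and flags the versions the IETF has prohibited (SSLv2 by RFC 6176, SSLv3 by RFC 7568). The byte strings it builds are constructed stand-ins for bytes taken from a packet capture or proxy log.

```python
"""Report which protocol version a captured ClientHello offers.

Added example, not code from the IBM post or from Sterling B2B Integrator.
make_tls_hello() builds constructed sample input; no real capture is used.
"""

# (major, minor) bytes on the wire -> protocol name.
VERSIONS = {
    (0, 2): "SSLv2",    # prohibited by RFC 6176
    (3, 0): "SSLv3",    # prohibited by RFC 7568
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}
PROHIBITED = {"SSLv2", "SSLv3"}


def classify_client_hello(data: bytes) -> dict:
    """Return the framing, the offered version and whether the IETF prohibits it.

    Two framings are handled:
    - SSLv2 CLIENT-HELLO: 2-byte length with the high bit set, then
      message type 0x01 and the (major, minor) version.
    - SSLv3/TLS record: content type 0x16, record version, 2-byte length,
      handshake type 0x01, 3-byte length, then client_version.  The record
      version is often 3.1 even when client_version is 3.3, so only
      client_version is used.
    """
    if len(data) >= 5 and data[0] & 0x80 and data[2] == 0x01:
        framing = "SSLv2 CLIENT-HELLO"
        major, minor = data[3], data[4]
    elif len(data) >= 11 and data[0] == 0x16 and data[5] == 0x01:
        framing = "TLS record"
        major, minor = data[9], data[10]
    else:
        raise ValueError("not a recognisable ClientHello")
    name = VERSIONS.get((major, minor), f"unknown {major}.{minor}")
    # RFC 6176 also forbids clients from sending the SSLv2 hello format
    # itself, even when the version it carries is 3.x.
    prohibited = name in PROHIBITED or framing.startswith("SSLv2")
    return {"framing": framing, "version": name, "prohibited": prohibited}


def make_tls_hello(record_version, client_version) -> bytes:
    """Build a minimal TLS-record ClientHello (constructed sample input)."""
    body = bytes(client_version) + bytes(32)           # version + random
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return (b"\x16" + bytes(record_version)
            + len(handshake).to_bytes(2, "big") + handshake)
```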

Support is occasionally asked if Sterling B2B Integrator supports TLS 1.3.  As of the end of 2017, TLS 1.3 has not yet been released, but it is under discussion.  Once the standard has been defined, our product development group will decide how and when it will be introduced into the product.

In summary, SSLv2 and SSLv3 should not be used because they have been banned by the IETF due to security vulnerabilities.  They are still supported by the major Web browsers, and by current versions of Sterling B2B Integrator.

The most secure handshaking standard available currently is TLS 1.2.

If you have any questions or comments on this blog, please post them in the Comments section.  I will be happy to discuss them further.

If you have concerns about handshaking for Sterling B2B Integrator, please open a PMR with Support.  They will be happy to assist.


UID

ibm11120857