Caute_cautim
Community Champion

How long did it take your organisation to change from SSL v3 to TLS v1.2?

Hi All

I am asking this question directly of you all: imagine you have just received notification of the POODLE attack, and suddenly you realise SSL v3 is no longer secure and all your communications are no longer safe, or are potentially at risk of being intercepted.

How long did it take your organisation to migrate from SSL v3 to TLS v1.2 and once again be secure?

You may be surprised how long it actually took in reality. Obviously I will not give you the answer immediately, as I am keen to understand how long it took your individual organisations to change over.

Then think about this: there is a 1 in 7 chance that by 2026 public key cryptography, including RSA, ECDH and Diffie-Hellman, will be cracked by cryptographically relevant quantum computers, and by 2031 there is a 1 in 2 chance of the same.

So how prepared is your organisation to migrate to Post Quantum Cryptographic algorithms once they are released formally by NIST in 2024? 

Let's discuss this openly, as it will affect us all in a few years, or possibly on a shorter time scale.

Regards

Caute_Cautim

5 Replies
Caute_cautim
Community Champion

@All

An interesting response. I have asked the same question in a few forums, including of a Mentee overseas: either no response, or it just took a long time to implement and to convince people to do so, including their internal executives, to take it seriously. I will give it another few days, and then give you the general consensus with an example.

Regards

Caute_Cautim

Caute_cautim
Community Champion

Okay, I have given you a few days to ponder the question I posed:

"How long did it take your organisation to migrate from SSL v3 to TLS v1.2 and once again be secure?"

Well, this is what happened:

Several months later, in June 2015, SSL v3 was deprecated.

Official advice was to move to TLS v1.2.

The payments industry was issued guidance to migrate away from SSL v3 by 2016: two years from the attacks, and one year from deprecation.

The industry fought back, “This is not possible”, and it was forced back to 2018.

This change was relatively minimal compared with Post Quantum!

This is the challenge we face, and the challenge regulators may face, if they ask industries to change faster than they can.

This is shocking when you think about the issues with One Time Pads historically, for instance....

Regards

Caute_Cautim

Caute_cautim
Community Champion

As a reminder of the above, and the impact it had during WWII and beyond:

Think about the Venona project:  https://en.wikipedia.org/wiki/Venona_project

There was a very important lesson learnt from VENONA if you think about Harvest-Now, Exploit-Later (HNEL), or store-now-decrypt-later, and the transition to Post Quantum Cryptography.

The program to decrypt the VENONA messages lasted 37 years!!!!

If you have sensitive data today (e.g., health data)....

My advice is do not ignore this, plan for it today....

Have you started planning how to secure it against the progress in quantum computing from now until 2060? 

Regards

Caute_Cautim

Soniya-01
Newcomer II

We prioritized this switch because of security concerns. First, we identified all systems using SSL v3, then we updated and tested each one separately. Teamwork and thorough testing ensured a smooth transition without disrupting services. Regular communication with stakeholders kept everyone informed about the process. Upgrading from SSL v3 to TLS v1.2 depends on various factors like the complexity of the system and the organization's readiness. It usually takes a few weeks to a few months.

Caute_cautim
Community Champion

@Soniya-01 Thank you for your update; obviously you had that situation under control.

It appears you will need to start planning for Q-Day now and ensure that your organisation at least commences a Cryptographic Bill of Materials (CBOM), rather like an SBOM for software, to ensure you fully understand where and how your algorithms are used and what they are used for, as this migration to Post Quantum Cryptography will take years.

Regards

Caute_Cautim
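Following up on the "identify every system using SSL v3" approach in Soniya-01's reply and the CBOM suggested in the last post, here is an added example (my own, not code from this thread) of a small CBOM triage in Python; the system names, the year thresholds and the hybrid ML-KEM group name are assumptions, and the CRQC and migration years are taken from the figures quoted in the thread.

```python
"""Minimal CBOM triage over a constructed inventory (added example, not from the thread).
Flags deprecated protocols (the SSL v3 lesson), quantum-vulnerable key exchange,
harvest-now/decrypt-later exposure and too-slow migration. Year thresholds are
assumptions taken from the thread and are passed in as parameters."""
from dataclasses import dataclass
from typing import Dict, List

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}
# Classical key exchange that a cryptographically relevant quantum computer (CRQC) breaks.
QUANTUM_VULNERABLE_KEX = {"RSA", "DH", "DHE", "ECDH", "ECDHE", "X25519"}

@dataclass(frozen=True)
class CryptoAsset:
    system: str
    protocol: str
    key_exchange: str
    confidential_until: int  # year the protected data stops being sensitive

def triage(asset: CryptoAsset, today: int, migration_years: int, crqc_year: int) -> List[str]:
    """Return the findings for one asset, most urgent first."""
    findings: List[str] = []
    if asset.protocol in DEPRECATED_PROTOCOLS:
        findings.append("deprecated-protocol")
    if asset.key_exchange in QUANTUM_VULNERABLE_KEX:
        findings.append("quantum-vulnerable-kex")
        # Traffic captured today can be decrypted once a CRQC exists.
        if asset.confidential_until > crqc_year:
            findings.append("harvest-now-decrypt-later")
        # Mosca-style check: a migration finishing after the CRQC date is too late.
        if today + migration_years > crqc_year:
            findings.append("migration-too-slow")
    return findings

def build_cbom_report(assets, today, migration_years, crqc_year) -> Dict[str, List[str]]:
    """Map each system name to its findings; an empty list means nothing to do."""
    return {a.system: triage(a, today, migration_years, crqc_year) for a in assets}

# Constructed inventory; names and values are illustrative, not real systems.
INVENTORY = [
    CryptoAsset("legacy-payment-gw", "SSLv3", "RSA", 2027),
    CryptoAsset("patient-portal", "TLSv1.2", "ECDHE", 2060),
    CryptoAsset("public-docs", "TLSv1.3", "X25519", 2025),
    CryptoAsset("pqc-pilot", "TLSv1.3", "X25519MLKEM768", 2060),  # hybrid ML-KEM group
]

if __name__ == "__main__":
    # Thread figures as assumptions: ~4-year migration, 1-in-2 CRQC chance by 2031.
    for system, findings in build_cbom_report(INVENTORY, 2024, 4, 2031).items():
        print(f"{system:20} {', '.join(findings) or 'ok'}")
```

The point of the report is the last two flags: the patient portal is already on TLS 1.2 yet still needs to move, because the data it carries must stay confidential long after the assumed CRQC date.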