I am asking this question directly of you all, imagine you have just received notification of the POODLE Attack, and suddenly you realise SSL v3 is no longer secure and all your communications are no longer safe or potentially at risk of being intercepted.
How long did it take your organisation to migrate from SSL v3 to TLS v1.2 and once again be secure?
You may be surprised how long it actually took in reality - obviously I will not give you the answer immediately. As I am keen to understand how long it took your individual organisations to change over.
Then think about this: There is a 1 in 7 chance that by 2026, that Public Key Cryptography including RSA ECDH, Diffie Hellman will be cracked by relevant cryptographic capable Quantum Computers and by 2031 there is a 1 in 2 chance of the same.
So how prepared is your organisation to migrate to Post Quantum Cryptographic algorithms once they are released formally by NIST in 2024?
Let discuss this openly as it will affect us all in a few years or possibly a shorter time scale.
An interesting response, I have asked the same question in a few forums, including a Mentee overseas - either no response, or it just took a long time to implement and convince people to do so, including their internal executives to take it seriously. I will give it another few days, and give you the general consensus with an example.
Okay, I have give you a few days to ponder upon the question I posed:
"How long did it take your organisation to migrate from SSL v3 to TLS v1.2 and once again be secure?"
Well, this is what happened:
Several months later in June 2015, SSL v3 was deprecated.
Official advice was move to TLS v1.2.
The payments industry was issued guidance to migrate away from SSL v3 by 2016. Two years from the attacks, and one year from deprecation.
The industry fought back “This is not possible” and it was forced back to 2018.
This change was relatively minimal for Post Quantum!
This is the challenge we face, and the challenge regulators may face, if they ask industries to change faster than they can.
This is shocking, when you think about the issues with One Time Pads historically for instance....
As a reminder to the above and the impact it had during WWII and beyond.
Think about the Venona project: https://en.wikipedia.org/wiki/Venona_project
There was a very important lesson learnt from VENONA, if you think about Harvest-Now Exploit-Later (HNEL) or (store now decrypt later) and the transition to Post Quantum Cryptography.
The program to decrypt the VENONA messages lasted 37 years!!!!
If you have sensitive data today (e.g., health data) ....
My advice is do not ignore this, plan for it today....
Have you started planning how to secure it against the progress in quantum computing from now until 2060?