TLS vs. SSL. What Security Protocol Should You Be Using?

In the credit union and banking industry, it is essential to keep confidential information safe. Now that financial records are maintained entirely through online databases, it is more important than ever to implement security features that protect customers, banks, and credit unions from hackers. TLS (Transport Layer Security) and SSL (Secure Sockets Layer) are cryptographic security protocols that authenticate and encrypt the traffic to your server. Both protocols were created to provide a secure connection, but which is most effective for banks and credit unions?

SSL 2.0 is the original protocol, developed by Netscape in 1995; it was quickly replaced by SSL 3.0 in 1996. In 1999, TLS 1.0 was introduced as an upgraded protocol based on SSL 3.0. Any of these three protocols could be used interchangeably until SSL 2.0 and 3.0 were deemed too susceptible to security breaches and deprecated by the IETF. Websites that continue to use SSL protocols receive a downgraded user experience through security warnings and other notifications that let the user know the website may not be secure.

As a result of the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack, which allowed encrypted information to be extracted from an SSL 3.0 server, the US government has mandated that all sensitive and HIPAA-compliant communications, such as those conducted within credit unions and banks, must use the TLS protocol. TLS is now the industry standard, as it eliminates the security issues associated with the SSL protocol and protects encrypted information from being stolen in attacks like POODLE.

TLS has been updated in later versions of the protocol, and TLS 1.0 is now being phased out as well. TLS 1.1 and 1.2 are more secure than version 1.0: TLS 1.0 is susceptible to BEAST attacks, which target encrypted transactional information on sites like PayPal and Gmail. Starting on June 30th, 2018, websites that accept credit card payments must use TLS 1.1 or 1.2, although NIST (the National Institute of Standards and Technology) recommends using version 1.2.
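As an added example (not code from the original post), here is a small Python check that reads the protocol versions a connecting client offers in its ClientHello and compares them with the TLS 1.1 floor described above, or with the TLS 1.2 floor NIST recommends. The ClientHello bytes are constructed inline for the demo rather than taken from a real capture; real traffic would come from a packet capture or a load balancer's handshake log.

```python
import struct

# Wire codes for the versions discussed above (constructed lookup table).
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 0x002B  # TLS 1.3 extension listing offered versions

def build_client_hello(legacy_version, supported_versions=()):
    """Construct a minimal ClientHello record for the demo; not a real capture."""
    body = struct.pack("!H", legacy_version) + b"\x00" * 32  # version, random
    body += b"\x00\x00\x02\xc0\x2f\x01\x00"  # no session id, 1 suite, null compression
    ext = b""
    if supported_versions:
        lst = b"".join(struct.pack("!H", v) for v in supported_versions)
        data = bytes([len(lst)]) + lst
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body  # handshake type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record header

def offered_versions(record):
    """Return the version codes a ClientHello offers, highest first."""
    # SSL 2.0 hellos use a different framing and are rejected here.
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not an SSL 3.0/TLS ClientHello record")
    legacy = struct.unpack("!H", record[9:11])[0]  # client_version field
    p = 43                                          # past version + random
    p += 1 + record[p]                              # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher suites
    p += 1 + record[p]                              # compression methods
    versions = []
    if p + 2 <= len(record):                        # extensions block present
        end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            data = record[p + 4:p + 4 + elen]
            if etype == SUPPORTED_VERSIONS_EXT:
                versions = [struct.unpack("!H", data[i:i + 2])[0]
                            for i in range(1, 1 + data[0], 2)]
            p += 4 + elen
    # A pre-1.3 client states only its highest version, in the legacy field.
    return sorted(versions or [legacy], reverse=True)

def check_client(record, minimum=0x0302):
    """Return (best version name, allowed?) against a TLS 1.1 floor by default."""
    best = offered_versions(record)[0]
    return VERSION_NAMES.get(best, "unknown"), best >= minimum

LEGACY_HELLO = build_client_hello(0x0301)                    # TLS 1.0-only client
MODERN_HELLO = build_client_hello(0x0303, (0x0304, 0x0303))  # TLS 1.3/1.2 client
```

Pass `minimum=0x0303` to `check_client` to apply the TLS 1.2 floor NIST recommends instead of the TLS 1.1 floor.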

So what if your site doesn't accept credit card payments? Is it still okay to use SSL or early versions of TLS? Simply put, it's up to you. Most browsers will allow the use of any SSL or TLS protocol. However, credit unions and banks should use TLS 1.1 or 1.2 to ensure a protected connection. The later versions of TLS will protect encrypted traffic against attacks and keep your confidential information safe. To stay up to date on the latest news in communication technology, subscribe to our blog!