Microsoft has announced that it is removing SSLv3 support in both Internet Explorer (according to VentureBeat) and Azure Storage (according to Redmond Mag) on Tuesday, February 10. The company is not the first to stop supporting the technology, but this announcement should be one of the final straws for companies still supporting it.
Mozilla stopped supporting SSLv3 in November 2014. Oracle fixed 19 Java vulnerabilities and also disabled SSLv3 entirely on Tuesday, January 20. On the same date, Google Chrome removed SSLv3 support.
One of the biggest reasons for the move away from SSLv2 and SSLv3 is their vulnerabilities. SSLv2 is a deprecated protocol and has a wide range of known vulnerabilities. SSLv3 is vulnerable to the POODLE attack, discovered in October of 2014.
In the fall, we wrote about how you can monitor your third parties' vulnerability to POODLE. This will eventually factor into a company's BitSight Security Rating as well. (We will announce when that feature is live.)
BitSight is adding two new SSL annotations:
Allows insecure protocol: SSLv2
Allows insecure protocol: SSLv3.
Currently, in order to check if a company is vulnerable to the POODLE attack, a customer has to run the POODLE test separately. This test is limited in that it only checks the company’s primary domain. Incorporating this test into the TLS/SSL diligence risk vector means that customers don't have to run the POODLE test separately for entities, that all domains controlled by a company are tested for the vulnerability, and that being vulnerable to POODLE is actually reflected in the company’s rating.
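To show what sits behind an annotation such as "Allows insecure protocol: SSLv3", here is an added example (not BitSight's code) that builds an SSLv3-only ClientHello and classifies the server's first reply. The function names, the offered cipher suites and the sample replies are assumptions made for illustration, and SSLv2, which uses a different hello format, is not covered.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"
# SSLv3-era suites to offer: RSA_RC4_128_SHA, RSA_3DES_EDE_CBC_SHA, RSA_AES_128_CBC_SHA
CIPHER_SUITES = b"\x00\x05\x00\x0a\x00\x2f"
ANNOTATION = "Allows insecure protocol: SSLv3"  # annotation text from the article


def build_client_hello() -> bytes:
    """One SSLv3 record holding a ClientHello that offers SSLv3 only."""
    body = (SSL3 + os.urandom(32) + b"\x00"      # version, random, empty session id
            + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
            + b"\x01\x00")                        # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data: bytes):
    """Return the annotation if the reply is a ServerHello choosing SSLv3, else None."""
    if len(data) < 5:
        return None                               # connection closed or no usable reply
    rec_type, rec_len = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if rec_type != 0x16 or len(payload) < 6:      # e.g. 0x15 = alert: handshake refused
        return None
    if payload[0] == 0x02 and payload[4:6] == SSL3:  # ServerHello with server_version 3.0
        return ANNOTATION
    return None


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Send the hello to a host in your own inventory and classify its first reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_client_hello())
            return classify_reply(s.recv(4096))
    except OSError:
        return None                               # unreachable: nothing observed


# Constructed sample replies (not captured traffic).
SERVER_HELLO = (b"\x16\x03\x00\x00\x2a" + b"\x02\x00\x00\x26" + SSL3
                + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00")
ALERT_HANDSHAKE_FAILURE = b"\x15\x03\x00\x00\x02\x02\x28"
```

A `None` result means no SSLv3 ServerHello was observed, which also covers unreachable hosts, so track connection failures separately before treating a domain as clean.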
The ratings for companies that still support SSLv2 or SSLv3 may get lower because of the update.
Within the BitSight platform, customers can hover over the TLS/SSL graph on the Diligence page to see the percentage of a company’s TLS/SSL certificates with each grade (Good, Fair, Neutral, Warn, and Bad). In the chart beneath it, the reason for each certificate's grade is given, so it is easier for IT teams to fix problems with their certificates and improve their network security. (It also could cause a bump in the company's Security Rating.)