SSL/TLS

What is SSL? Definition and concept

SSL (Secure Sockets Layer) is a cryptographic protocol that encrypts the traffic between a client (typically a browser) and a server so that the data cannot be read or altered in transit. Developed by Netscape in the mid-1990s, it was the first widely deployed standard for sending sensitive information over the internet without a third party being able to intercept it.

Today SSL is obsolete. Its successor, TLS (Transport Layer Security), replaced it from 1999 (TLS 1.0) with a cleaner design and stronger algorithms, and every SSL version has since been formally prohibited (SSL 2.0 by RFC 6176, SSL 3.0 by RFC 7568); TLS 1.0 and 1.1 were deprecated in turn by RFC 8996. Even so, "SSL" remains the most common name in the industry for the encryption layer behind HTTPS and the padlock in the address bar, and an "SSL certificate" is in practice an X.509 certificate used for TLS.

PCI DSS v4.0 does not accept SSL or early TLS (TLS 1.0 and 1.1) as a security control; the only exception (Appendix A2) covers card-present POS POI terminal connections that have been verified as not vulnerable to the known attacks on those protocols.

How SSL works on a website

A secure connection is established through a process called a handshake:

  • The browser sends a ClientHello listing the protocol versions and cipher suites it supports.
  • The server picks a version and cipher suite and responds with its certificate, which carries the server's public key and identifies the issuing Certificate Authority (CA).
  • The browser validates the certificate chain up to a root CA it trusts, checks that the certificate is within its validity period and issued for the hostname being visited and, where it can (CRL or OCSP), checks that it has not been revoked.
  • Both sides agree on a session key. In the legacy RSA key exchange the browser generates the key, encrypts it with the server's public key and sends it; in modern TLS (ECDHE, the only option in TLS 1.3) each side contributes an ephemeral key share, so a later theft of the server's private key cannot decrypt recorded sessions (forward secrecy). In that case the certificate's private key is used to sign the handshake and prove the server's identity rather than to transport the key.
  • From that moment on, application data travels protected by symmetric authenticated encryption (an AEAD suite such as AES-GCM in TLS 1.2 and 1.3).

Note that this protection covers the path between the browser and the server that terminates TLS, which in many deployments is a load balancer or CDN rather than the application server itself; it is not end-to-end through the whole system unless the internal hops are encrypted as well.
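The verification step above, seen from application code rather than from a browser, as an added example that is not part of the original article. It uses Python's standard ssl module only; the hostname in the usage line is a placeholder and nothing is contacted unless one is supplied on the command line. weak_client_context() reproduces a common mistake (verification switched off so the handshake succeeds against any certificate, which removes the identity check and lets a man-in-the-middle substitute its own key); make_client_context() is the hardened counterpart with TLS 1.2 as the floor, a chain that must validate against the trust store and a hostname check.

```python
"""Added example (not from the original article): the "browser verifies the
certificate" step of the handshake from the point of view of a client program,
using Python's standard ssl module. The hostname in __main__ is a placeholder.
"""
import socket
import ssl
import sys
from typing import Optional

MIN_VERSION = ssl.TLSVersion.TLSv1_2   # PCI DSS v4.0 baseline: no SSL, no early TLS


def weak_client_context() -> ssl.SSLContext:
    """The anti-pattern: any certificate is accepted, so the peer is never identified."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Hardened client context matching the verification steps described above."""
    # create_default_context() loads the system CA store, sets CERT_REQUIRED and
    # enables hostname checking; recent Pythons also default to TLS 1.2, but the
    # floor is pinned explicitly so the policy does not depend on the interpreter.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = MIN_VERSION
    # Strict RFC 5280 validation instead of OpenSSL's lenient legacy behaviour.
    ctx.verify_flags |= ssl.VERIFY_X509_STRICT
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Plain-data view of the settings that matter, for a test or a config review."""
    return {
        "min_version": ctx.minimum_version.name,
        "verify_mode": ctx.verify_mode.name,
        "check_hostname": ctx.check_hostname,
        "strict_x509": bool(ctx.verify_flags & ssl.VERIFY_X509_STRICT),
    }


def is_acceptable_version(version: str) -> bool:
    """Policy check on the string SSLSocket.version() returns, e.g. 'TLSv1.3'."""
    return version in ("TLSv1.2", "TLSv1.3")


def connection_report(host: str, port: int = 443,
                      ctx: Optional[ssl.SSLContext] = None) -> dict:
    """Complete a handshake with host and report what was negotiated (network required)."""
    ctx = ctx or make_client_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:   # SNI + hostname check
            cipher_name, _, key_bits = tls.cipher()
            return {
                "version": tls.version(),
                "cipher": cipher_name,
                "key_bits": key_bits,
                "peer_subject": dict(rdn[0] for rdn in tls.getpeercert()["subject"]),
                "policy_ok": is_acceptable_version(tls.version()),
            }


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # e.g. python tls_client.py shop.example.com
        print(connection_report(sys.argv[1]))
    else:
        print("hardened:", audit_context(make_client_context()))
        print("weak:    ", audit_context(weak_client_context()))
```

With a verifying context, a server that presents an expired, self-signed or wrong-hostname certificate makes wrap_socket() raise ssl.SSLCertVerificationError before any application data is sent; with the weak context the same connection "works", which is exactly why that pattern keeps appearing in payment integrations that were debugged against a test environment.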

Regulatory impact and applicable security of SSL

Requirement 4 of PCI DSS v4.0 (4.2.1) demands that PAN be protected with strong cryptography and secure protocols while it travels over open, public networks, and that only trusted keys and certificates are accepted: the certificate must validate, be within its validity period and not be revoked.

The PSD2 Directive and the EBA's Regulatory Technical Standards on Strong Customer Authentication (RTS on SCA) require payment service providers to protect the confidentiality and integrity of users' personalised security credentials in every communication.

Any e-commerce site that processes card payments therefore needs a valid certificate served over TLS 1.2 or higher, both to meet these requirements and to avoid browsers marking the site as "Not Secure" on the checkout page.

Vulnerabilities that broke SSL

Several attacks demonstrated the weaknesses of the old protocols (and, in the case of Heartbleed, of the most widely used implementation) and accelerated the migration to current TLS versions:

Attack      Year  What it exploited
BEAST       2011  Predictable CBC initialisation vectors in SSL 3.0 and TLS 1.0; with chosen plaintext an attacker could recover secrets such as session cookies.
Heartbleed  2014  Buffer over-read in OpenSSL's TLS heartbeat extension (CVE-2014-0160) that leaked up to 64 KB of server memory per request.
POODLE      2014  Forced downgrade to SSL 3.0, whose CBC padding is not covered by the MAC, giving a padding oracle that decrypts one byte at a time (CVE-2014-3566).
DROWN       2016  Servers still offering SSLv2 with the same RSA key they used for TLS; SSLv2 handshakes served as an oracle for decrypting recorded TLS sessions (CVE-2016-0800).

Heartbleed affected an estimated 17% of the servers presenting trusted certificates at the time, exposing private keys, session cookies and user data. Because the private key itself could leak, patching OpenSSL was not enough: affected sites also had to re-issue their certificates and revoke the old ones.

Operational advantages and disadvantages of SSL/TLS certificates

Advantages of a current SSL/TLS certificate:

  • Protects card data and credentials in transit against interception and tampering.
  • Complies with PCI DSS and PSD2 regarding secure transmission.
  • Increases buyer trust by displaying HTTPS and the padlock icon.
  • Google uses HTTPS as a ranking signal for SEO.

Operational disadvantages:

  • An expired certificate triggers full-page browser warnings that stop most shoppers at checkout.
  • Obsolete protocols (SSL 3.0, TLS 1.0, TLS 1.1) give a false sense of security: the connection is encrypted, but with attacks that are known and practical.
  • Requires continuous maintenance: renewal, revocation monitoring and cryptographic updates. Automating renewal (for example with the ACME protocol and short-lived certificates) removes the most common cause of outages, an expiry nobody noticed.
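A certificate health check of the kind an operator schedules to catch the expired-certificate failure mode before customers see the browser warning, as an added example that is not part of the original article. It works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, so the same function can be fed a live certificate or, as here, a constructed sample; the hostnames, issuer and dates in SAMPLE_CERT are made up for the example.

```python
"""Added example (not from the original article): expiry and hostname check on
a certificate in the dict format returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT is a constructed sample, not a real certificate.
"""
import socket
import ssl
import sys
from datetime import datetime, timezone
from typing import Optional, Union

SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R3"),)),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Mar  1 00:00:00 2024 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.cdn.example.com")),
}


def _to_datetime(cert_time: str) -> datetime:
    # getpeercert() uses OpenSSL's text format; the ssl module parses it for us.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)


def hostname_matches(cert: dict, hostname: str) -> bool:
    """RFC 6125-style match against the DNS SANs only.

    The Common Name is deliberately ignored: browsers stopped honouring it years
    ago. A wildcard covers exactly one leftmost label ('*.cdn.example.com' matches
    'img.cdn.example.com' but not 'a.b.cdn.example.com' or 'cdn.example.com').
    """
    host = hostname.lower().rstrip(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*."):
            labels = host.split(".")
            if len(labels) > 1 and ".".join(labels[1:]) == name[2:]:
                return True
    return False


def assess_certificate(cert: dict, hostname: str,
                       now: Union[datetime, str, None] = None, warn_days: int = 30) -> dict:
    """Classify as 'ok', 'expiring', 'expired' or 'not_yet_valid' for hostname."""
    if isinstance(now, str):                       # ISO date, handy for tests and CLI
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    not_before, not_after = _to_datetime(cert["notBefore"]), _to_datetime(cert["notAfter"])
    days_left = (not_after - now).total_seconds() / 86400
    if now < not_before:
        status = "not_yet_valid"
    elif days_left <= 0:
        status = "expired"
    elif days_left <= warn_days:
        status = "expiring"
    else:
        status = "ok"
    issuer = dict(pair for rdn in cert.get("issuer", ()) for pair in rdn)
    return {
        "hostname": hostname,
        "name_match": hostname_matches(cert, hostname),
        "status": status,
        "days_left": round(days_left, 1),
        "not_after": not_after.isoformat(),
        "issuer": issuer.get("commonName"),
    }


def check_live(host: str, port: int = 443) -> dict:
    """Assess the certificate actually served by host (network required).

    getpeercert() returns an empty dict on a connection that was not verified, so
    verification cannot simply be switched off to inspect a bad certificate; an
    expired or mismatched one fails the handshake instead, and that failure is
    reported with OpenSSL's reason string.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=10) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return assess_certificate(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return {"hostname": host, "status": "rejected", "reason": exc.verify_message,
                "name_match": False, "days_left": None}


if __name__ == "__main__":
    if len(sys.argv) > 1:                          # e.g. python cert_check.py shop.example.com
        report = check_live(sys.argv[1])
    else:                                          # offline: 15 days before the sample expires
        report = assess_certificate(SAMPLE_CERT, "shop.example.com", now="2024-02-15")
    print(report)
    sys.exit(0 if report["status"] == "ok" and report["name_match"] else 1)   # cron/CI friendly
```

Run daily with the exit code wired to an alert, the "expiring" state gives the renewal window the third bullet above asks for; the "rejected" state from check_live is what shoppers are already seeing, so it should page someone.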
