The SEC announced that along with EDGAR 15.3, they would also be rolling out some SSL changes. The SEC will remove support for SSLv3 from their server, requiring all EDGAR filers to use the TLSv1.0 protocol. For the average filer, “SSL” and “TLS” may be completely foreign terms. You might be wondering: “What is SSL?” and “Does this affect my EDGAR filings?”. To know what the SSL changes mean at the SEC for your company, you’ll first have to take a short trip into the land of Internet security.
Friday, August 21. 2015
A Very Basic View of Internet Traffic
When you send something to the SEC, that data doesn’t go directly from your computer to the SEC’s computer. The data is sent through a series of routers. A router is a computer that controls the flow of information, determining the best path for data to travel in the Internet. These routers are run and owned by Internet Service Providers, which include both large companies that manage thousands of routers and small providers that operate only a handful. There may be multiple paths your information can take to reach the destination. This is part of what makes the Internet great. Any computer or server can be added/removed at any time without compromising the flow of information. However, it also means your “raw” data is visible to many parties, but using robust encryption protocols makes the data useless to potential interlopers.
This structure adds lots of flexibility and robustness and makes the Internet what it is. No single router needs to know the whole Internet; it only needs to know some parts and which direction to send data that has a destination that it doesn’t know. If a router goes down, the whole Internet does not. Other routers can just send information around the portion that has gone down (at least, most of the time).
SSL and the Internet
SSL stands for Secure Sockets Layer. It is a protocol your computer uses to securely talk to another computer (such as the SEC). When you send data across the Internet, your computer selects a protocol from a list of protocols available to it and to the destination computer. Your computer will then send the data to the destination computer, using the selected protocol to secure your data. TLS (Transport Layer Security) is the newer version of the SSL protocol.
The important part of each of the acronyms is “Secure” / “Security.” Given the way information flows through the Internet, your data can go through many other computers and many geographic locations. If a hacker compromises a router, they can watch all the traffic that passes through it. SSL/TLS allows your computer and the destination computer to encrypt the data in such a way that, even if someone can read the sent information, they cannot understand what they are reading.
You may be asking yourself: “Can hackers take over a major router?” In short, it's very unlikely to happen. But there are much easier ways for someone to “listen in” or even intervene on your Internet traffic. For example, when you use WiFi, your data is broadcast through the air. The wireless access point can read it, but so can other computers. This is commonly known as a “Man in the Middle Attack”. Not using WiFi or other wireless networks reduces the risk, but doesn’t eliminate it.
There will always be malicious users looking to exploit any weakness they can find in your Internet security.
Why the SEC is changing
There are a number of reasons to change SSL settings. Eliminating the presence of hackers on the Internet just isn’t possible, so there are always programmers working to create stronger, safer protocols. As new protocols are created, other protocols become outdated and get replaced. Think of it as everyone moving to use a better padlock for their cargo container even though the one they already own has never been breached by a thief.
Sometimes, there are vulnerabilities in the way the protocol works. Cryptography usually relies on how hard it is for a computer to guess the key. As computers become more advanced, they become better at guessing the keys. Other times, there may be some sort of problem in the way a software provider has implemented a protocol or even a problem with the protocol itself. You may remember one of our previous blog posts about the POODLE vulnerability or remember hearing about “Heartbleed” in the news. POODLE was a problem with the protocol itself, whereas Heartbleed was an issue with the way the protocol was written by some developers. These kinds of things happen, and they are almost impossible to anticipate or prevent. Once the cat is out of the bag and the vulnerability has been discovered, that protocol is abandoned and replaced by something secure, or it is patched by the developers to correct the vulnerability.
Fortunately, if you keep your computers up to date, you won’t have to do anything to change your EDGAR filing process when the SEC’s SSL changes become effective. You likely won’t even notice that the change has happened.
However, if you are using old software or older operating systems, you could run into trouble. In this case “old” means software or operating systems released circa year 2000. The SEC is removing support for SSLv3 from their server and requiring EDGAR filers to use the TLSv1.0 protocol. If you’ve read the POODLE blog post, that is the step Novaworks (and many other companies) took to better secure their websites about a year ago. (If you clicked the link to reload this page as secure, your browser will be able to access the EDGAR System after the change.)
The same steps listed in that blog post to correct the vulnerability apply here. Windows XP users must install Service Pack 3 and Internet Explorer 7. Windows Server 2003 users must have Service Pack 2 and Internet Explorer 8 installed. Then you must make certain that you have TLS 1.0 or later checked in the computer’s Internet Options.
The SEC’s release mentions Java versions as well. You shouldn’t have to worry about Java unless you use software written in Java to communicate to the SEC’s website. Simply talk to the support team for any software you use to file to the SEC to verify that the software will continue to operate correctly once the SEC implements these changes to their server. If you use software from the GoFiler family, you’ll be just fine. GoFiler is written in C++.
What you can do moving forward
As long as you keep up to date with your operating system and browser, you should be fine. Keeping track of everything that is going on in the security world can be challenging. Luckily, major software providers take security very seriously and tend to patch problems quickly. But just remember, it is always up to the end users to install software updates. What good is ordering that new padlock if you never put it on?