SSL, TLS, PCI and your app
TLS superseded SSL a very long time ago. However, SSL never really went away, since it was still considered safe. That changed last year and this year: SSL is no longer safe to use and needs to be removed, or you will face the consequences. Going one step further, TLS 1.0 is also a bad idea. TLS 1.2 is really the best option.
If you are writing an application that uses the encryption provided by the operating system, then that should most likely take care of what needs to be done in the application itself. You will likely have to configure the host or web server, but that is outside of your app.
However, if you are writing an application that specifically bundles SSL and/or TLS, the time has come to rethink and change what you are doing. The ramification is that if you sell your product to a customer who processes credit cards and they get dinged, your application will