SSL, TLS, PCI and your app
TLS superseded SSL a very long time ago. However SSL never really went away since it was still considered to be safe. That changed last year and this year. It is no longer safe to use and needs to be removed, else face the consequences. Going one step further, TLS 1.0 is also a bad idea. Utilizing TLS 1.2 is really the best option.
If you are writing an application and utilizing encryption from the operating system, then that should most likely take care of what needs to be done in the application itself. You will likely have to configure the host or web server, but that is outside of your app.
However, if you are writing an application and specifically bundling SSL and/or TLS, the time has come to think about and change what you are doing. The ramifications here are that if you sell your product to a customer who processes credit cards and they get dinged, your application will either need to be updated or be out. Essentially if your application is vulnerable then so is their environment. This is not something that you want to deal with, especially if you are writing the application now and have not published it, or if you can update in your next cycle.
Why this is now more important is due to two different events:
- Exploits against the protocols. SSL and TLS 1.0 both had issues in the last few months.
- PCI DSS 3.1 was released on April 15th.
If you write software for customers who process credit cards then it would be a good idea to get at least mildly familiar with what the PCI DSS is. This is the guiding bit of compliance that is what a lot of your customers will be using. It looks like a checklist, however it is more guidance on what should be done at a bare minimum in order to address security.
This is just one of the many items you have to consider when writing software with regards to encryption. The export laws are a huge concern of course, along with the usual testing and development cycles.
This is the last nail in the coffin for SSL. Don’t ignore this if you’re writing applications with encryption in mind.