Thursday 8 September 2016

TLS 1.2

I got an email from Barclays Merchant Services (BMS), back in April, telling me that on August 31 2016, all transactions had to be done using the TLS protocol, version 1.2.

Actually, that's too late; it should have been done by June 30, 2016.

The reason for this is that weaknesses have been discovered in the old SSL protocols. Even TLS 1.0 is no longer good enough for PCI DSS compliance. TLS 1.1 is dodgy, and even TLS 1.2, which is the best we have riight now, has weaknesses.

Let me explain about "weaknesses".

In the context of cipher security, it means that if you hired Alan Turing, built a computing machine that hasn't been invented yet, and spent a couple of years at it, you might be able to read a few messages several years down the line. Since Turin died a long time ago, this isn't actually going to happen. Nevertheless, we all have to conform to the security theater that is PCI DSS.

It's security theater because the real elephant in the security world is people using the same password for loads of things. As you might have read, some big sites have been hacked, millions of username/password pairs captured and published, and right now I'm seeing an attack on my servers from a botnet of several hundred computers trying to guess a working username and password by working down a huge list. That's the real threat. And no-one knows what to do about it (I'm firewalling off that botnet), except to tell users "don't use the same password", which in a world where people are willing to reveal their passwords for chocolate, is going to work about as well as a chocolate teapot.

Anyway. Back in April, I was asked to make this change, deadline August 31, 2016.

My response was, "Sure, I'll do that, do you have a server I can test my changes on?" Because I really don't want to go live with an untested system.

No, they didn't. But they were working on it.

In May, June, July and August they sent me reminders. I kept asking "Have you set up a test system yet?" No, they hadn't. They knew they needed one, but they hadn't done it yet. Cutting it a bit fine, aren't you? For a firm, unbreakable deadline of August 31?

So August 31 came and went, and I was up to my ears in sorting things out for my new fast internet link (which is going very well, thank you) and Bucksnet, the other company I use for card transactions told me the same thing, except they didn't set a deadline, on account of a deadline of August 31 would have been a bit futile, it being early September now.

Oh well. I guess I'd better do something about this. So I retired my old billing server, set up several years ago using Fedora 9, and installed a shiny new server using Fedora 24, which is the latest. And then I called Bucksnet, because they're small, and give each of their techies a telephone, whereas BMS are big, and their techies don't have a telephone (I know this because A) I can't phone them, and B) they never call me back when I leave a message for them). It's a crying shame, but I'm not going to buy phones for them.

So the techie at Bucksnet said that yes, they have set up a server that I can use for testing, and he gave me the URL, and that server rejects anything except accesses using TLS V1.2. So if I can access that server, I'm golden.

So I tried, and it wouldn't.

So I called Bucksnet and asked if they had any suggestions, and they did! I did this:

yum install -y 'perl(LWP::UserAgent)'
yum install -y 'perl(LWP::Protocol::https)'
yum install -y 'perl(Crypt::SSLeay)'

which installs the named items from the Big Heap of Linux Software, and tried again. Success! And they put a png file of their logo on that server, and I was able to download it, using the TLS V1.2 protocol. So far, so good. Now will the same thing work for BMS?

Well, it should. I also tried this SSL/TLS testing site, and that passed it as "good".
So then I tried it on BMS, and it rejected every transaction I sent. Bummer. Then I realised, hey, I changed the server, different IP address, I need to log onto their management thingy and tell them to expect data from a different IP address.

So I did that, and in doing it, I made a really stupid mistake, and it took me about an hour to work out what my mistake was, and there's no point in explaining it because it was a mistake so humungously stupid that no-one else would make it, and when I corrected that mistake, it all worked.

I think it worked. I mean, the transactions came back as authorised they way they should, but I'm pretty sure that they haven't actually enforced the TLS F1.2 yet because the firm unbreakable deadline has passed, and I'm guessing that the majority of developers have totally missed it, including BMS becaue they haven't provided a test platform.

Apparently, they're waiting for their supplier, Ingenico, to do that.  Which is silly, because it wouldn't be that difficult for them to do it themselves. You'd use the dummy card number 4111 1111 1111 1111 which is always used for testing, and you'd send a transaction, and get back "Congratulations, you're using TLS V1.2!". Or not, as the case may be.

So if anyone needs help in implementing TLS V1.2 on their systems, I'm available, and my daily rates are eyewateringly enormous.

No comments:

Post a Comment