<div dir="ltr">re: <a href="http://www.theregister.co.uk/2015/12/21/ssl_to_tls_migration_delayed_until_2018/" rel="noreferrer" target="_blank" style="font-size:12.8px">http://www.theregister.co.uk/2015/12/21/ssl_to_tls_migration_delayed_until_2018/</a><br style="font-size:12.8px"><div><br></div><div>> <span style="font-size:12.8px">The Payment Card Industry Security Standards Council (PCI SSC) has decided to delay the deadline for migration from Secure Sockets Layer (SSL) to Transport Layer Security (TLS) [...] </span><span style="font-size:12.8px">Now the Council says it's just too hard for retailers to make the jump.</span></div><div><br></div><div>Speaking purely of point-of-sale systems, can someone help me understand why the payment card industry is still dealing with the problem of trusted and untrusted networks? Hasn't this problem been largely solved by transaction tokenization?</div><div><br></div><div>DNS servers are able to make zone updates across the public internet via TSIG[0]. And if my understanding of Apple Pay is correct, the tokenization system is agnostic to the POS transport protocol and should allow trusted transactions even on untrusted networks[1].</div><div><br></div><div>I can't help but feel we are squandering the opportunity to upgrade both the POS terminals _and_ payment card industry during the rollout of EMV POS terminals happening right now in the US.</div><div><br></div>[0] <a href="https://www.ietf.org/rfc/rfc2845.txt">https://www.ietf.org/rfc/rfc2845.txt</a><div>[1] <a href="https://www.apple.com/business/docs/iOS_Security_Guide.pdf">https://www.apple.com/business/docs/iOS_Security_Guide.pdf</a> pg. 35<br><div><span style="font-size:12.8px"><br></span></div></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Dec 21, 2015 at 6:13 AM, Henry Baker <span dir="ltr"><<a href="mailto:hbaker1@pipeline.com" target="_blank">hbaker1@pipeline.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">FYI -- I can't wait for the hand-wringing to begin after the next big bank breach...<br>
<br>
"Five of the 40 audited apps failed to validate the authenticity of the SSL certificates presented, which makes them susceptible to Man-in-The-Middle (MiTM) attacks"<br>
<br>
"30 per cent of [the apps] failed to validate incoming data"<br>
<br>
"15 per cent of the apps store unencrypted and sensitive information"<br>
<br>
"The world will therefore have to bumble along with known-to-be imperfect encryption for *two years* longer than planned"<br>
<br>
<a href="http://www.theregister.co.uk/2015/12/21/ssl_to_tls_migration_delayed_until_2018/" rel="noreferrer" target="_blank">http://www.theregister.co.uk/2015/12/21/ssl_to_tls_migration_delayed_until_2018/</a><br>
<br>
Security industry too busy improving security to do security right<br>
<br>
PCI Council delays SSL abandonment date to 2018, so cruddy credit crypto continues<br>
<br>
<a href="http://www.theregister.co.uk/2015/12/18/ios_banking_app_audit/" rel="noreferrer" target="_blank">http://www.theregister.co.uk/2015/12/18/ios_banking_app_audit/</a><br>
<br>
iOS banking apps security still not good enough, says researcher<br>
<br>
Repeat test throws up improved results from 2013 but problems remain<br>
<br>
18 Dec 2015 at 15:14, John Leyden<br>
<br>
The security of mobile banking apps has improved over the last two years but there's still scope for improvement.<br>
<br>
Ariel Sanchez, security consultant for IOActive, has revisited research into the topic first conducted two years ago to see if there's been any improvement.<br>
<br>
Although security has increased over the two years, many apps still remain vulnerable.<br>
<br>
As before, the research covered 40 mobile banking apps for iOS in use around the world. Sanchez confined himself to looking for client side security weaknesses or vulnerabilities and didn't include any server-side testing.<br>
<br>
His testing methodology is explained in much more detail in a blog post here. iOS does not name the apps or the banks who released the apps it tested.<br>
<br>
<a href="http://blog.ioactive.com/2015/12/by-ariel-sanchez-two-years-ago-idecided.html" rel="noreferrer" target="_blank">http://blog.ioactive.com/2015/12/by-ariel-sanchez-two-years-ago-idecided.html</a><br>
<br>
Five of the 40 audited apps failed to validate the authenticity of the SSL certificates presented, which makes them susceptible to Man-in-The-Middle (MiTM) attacks. And more than a third (35 per cent) of the apps contained non-SSL links throughout the application. This shortcoming would allow an attacker to intercept traffic and inject arbitrary JavaScript/HTML code in an attempt to create a fake login prompt or attempt similar scams.<br>
<br>
In addition 30 per cent of them failed to validate incoming data, leaving them potentially vulnerable to JavaScript injections. The results may not appear impressive but at least they are an improvement on results from 2013.<br>
<br>
The testing also covered binary and file system analysis. This phase of the audit revealed that 15 per cent of the apps store unencrypted and sensitive information, such as details about customers' banking accounts and transaction history, in the file system via sqlite databases or other plaintext files.<br>
<br>
"Most of the apps have increased transport security of the data by properly validating SSL certificates or removing plaintext traffic," Sanchez concluded. "This helps mitigate the risk of users being exposed to MiTM attacks."<br>
<br>
"Although the numbers are down overall, there are still a high number of apps storing insecure data in their file system. Many of them are still susceptible to client-side attacks," he added.<br>
<br>
Sanchez added that few of apps provide alternative authentication solutions, with most relying simply on username and password for authentication. Only 17 of the 40 (42.5 per cent) of the apps provided alternative authentication solutions to mitigate the risk of leaking user credentials and impersonal attacks.<br>
<br>
---<br>
<a href="http://www.theregister.co.uk/2015/12/21/ssl_to_tls_migration_delayed_until_2018/" rel="noreferrer" target="_blank">http://www.theregister.co.uk/2015/12/21/ssl_to_tls_migration_delayed_until_2018/</a><br>
<br>
Security industry too busy improving security to do security right<br>
<br>
PCI Council delays SSL abandonment date to 2018, so cruddy credit crypto continues<br>
<br>
21 Dec 2015 at 01:01, Simon Sharwood<br>
<br>
The Payment Card Industry Security Standards Council (PCI SSC) has decided to delay the deadline for migration from Secure Sockets Layer (SSL) to Transport Layer Security (TLS).<br>
<br>
Earlier this year, the Council decided the time to make the change was June 2016, a reasonable idea given that SSL gave the world the Poodle vulnerability.<br>
<br>
<a href="http://www.theregister.co.uk/2015/04/07/pci_revamp_ecommerce_network_security/" rel="noreferrer" target="_blank">http://www.theregister.co.uk/2015/04/07/pci_revamp_ecommerce_network_security/</a><br>
<br>
Now the Council says it's just too hard for retailers to make the jump.<br>
<br>
The canned statement (PDF) about the moratorium, issued deep into Friday US time, features the Council's general manager Stephen Orfei saying migration was expected to be simple, "but in the field a lot of business issues surfaced as we continued dialog with merchants, payment processors and banks."<br>
<br>
<a href="https://www.pcisecuritystandards.org/pdfs/15_12_18_SSL_Webinar_Press_Release_FINAL_(002).pdf" rel="noreferrer" target="_blank">https://www.pcisecuritystandards.org/pdfs/15_12_18_SSL_Webinar_Press_Release_FINAL_(002).pdf</a><br>
<br>
Orfei laid some of the blame at the feet of mobile devices, saying that retailers' efforts to secure transactions made on smartphones and fondleslabs, on top of "encryption, the SHA-1 browser upgrade and EMV in the US" together make for so much work that the SSL death deadline can't be met.<br>
<br>
"We're working very hard with representatives from every part of the ecosystem to make sure it happens as before the bad guys break in," Orfei says.<br>
<br>
The world will therefore have to bumble along with known-to-be imperfect encryption for two years longer than planned, a period during which The Register imagines "the bad guys" will do their very best take advantage of weak encryption.<br>
<br>
The new migration deadline will be formalised in the next version of the PCI DSS standard, due in April 2016.<br>
<br>
_______________________________________________<br>
The cryptography mailing list<br>
<a href="mailto:cryptography@metzdowd.com">cryptography@metzdowd.com</a><br>
<a href="http://www.metzdowd.com/mailman/listinfo/cryptography" rel="noreferrer" target="_blank">http://www.metzdowd.com/mailman/listinfo/cryptography</a></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature"><div dir="ltr">Stephen Wood<div><a href="http://www.heystephenwood.com" target="_blank">www.heystephenwood.com</a></div></div></div>
</div>