back to article Go full SHA-256 by June or get locked out, say payments bods Bacs

Online businesses in the UK will have to update their systems and adopt SHA-2 before June in order to avoid losing access to vital payment and money transfer services. Failure to change before a 13 June deadline will leave merchants unable to use Bacs Payment Schemes Limited (Bacs) to make salary or supplier payments or to …

  1. TheVogon Silver badge

    Another reason not to still use Windows XP or older versions of IE then.

    1. Paul Crawford Silver badge

      Using XP if fine so long as you don't have it on the Internet. So run old software in a VM of XP if you want, but as you say - not for internet banking, remotely accessible SCADA, etc.

    2. Alan W. Rateliff, II
      Paris Hilton

      If, reasonably or otherwise, you are using any networking kit which does not support anything over SSLv3/TLSv1, SHA1, or newer ciphers, and for which there are no, and never will be, firmware updates to correct, this is the perfect reason to keep an XP VM handy.

      Printers, switches, routers, etc. Of course, the argument is they should be replaced. I get that and in most cases I am all in, but for the other cases there are perfectly legitimate reasons not to replace, or at least legitimate mitigations in place. (At the same time I also despise manufacturers who have firmware available to bring the secure interfaces into modernity but still ship with the old firmware installed which causes the browser to stomp on your fingers.)

      I have had to reach for my "Internet Explorer (Windows XP Mode)" shortcut a few times working with network printer/scanners in small offices plenty of times.

  2. Anonymous Coward
    Anonymous Coward

    A lot of the merchant services providers have been doing a similar lockdown, as have most websites - and as of yet not a single update has needed to be done on our platform as we build modern software and we patched out SHA-1 a long time a go through good security practice.

    Aside from our BACS connection, the provider of which is an approved BACS vendor and which didn't support SHA-256

    So next time you transfer money, know it's safe in the core UK banking infrastructure. Just like your nudie pics are safe in iCloud.

    1. scoobie

      Very good for live systems. But why on earth do companies like the payment processors insist on the highest levels of certificates for testing and development purposes? It just imposes additional development costs.....

      1. Anonymous Coward
        Anonymous Coward

        Er, because it accurately reflects the production environment? Things break big when certs expire or cipher-suites get deprecated and it's even trickier to identify and fix when it's machine to machine communications. Test systems do not necessarily mean self-signed certs, nor even freebie certs from Letsencrypt et al.

  3. depicus

    It's odd that TLS v1.1 is a requirement of PCIDSS so how is anybody still using anything lower.... but I know a few mayor sites are.

  4. Anonymous Coward
    Anonymous Coward

    About

    Fucking time.

    that is all...

    Oh, hold on a minute, isn't modern, un-crackable encryption on the *verge of being made "illegal" by those whom purport to know better then the rest of us????

    *if several idiots in power have their way.

  5. batfastad
    Headmaster

    Not TLS?

    > Bacs is adopting the new security, called SHA-256 SSL.

    Great idea. But dude, if you're going to try and sound knowledgeable at least get it right. SSL (2 and 3) are deprecated per RFCs 6176 and 7568.

  6. Bob Doe
    WTF?

    Eh?

    Where's the requirement to be using SHA-2 certs by 13th June? Maybe there isn't one, that's why I'm not having to install new certs on my HSMs.

    ... your Bacstel-IP software currently supports, or will be upgraded to support, SHA-2 SSL certificates and TLS 1.1/1.2 by 13 June 2016

    ... have a browser and operating system which will support SHA-2.

    Only requirement I see is to be using a system that supports SHA-2 (and be using TLS).

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019