Another reason not to still use Windows XP or older versions of IE then.
Go full SHA-256 by June or get locked out, say payments bods Bacs
Online businesses in the UK will have to update their systems and adopt SHA-2 before June in order to avoid losing access to vital payment and money transfer services. Failure to change before a 13 June deadline will leave merchants unable to use Bacs Payment Schemes Limited (Bacs) to make salary or supplier payments or to …
COMMENTS
-
Friday 19th February 2016 12:42 GMT Alan W. Rateliff, II
If, reasonably or otherwise, you are using any networking kit which does not support anything over SSLv3/TLSv1, SHA1, or newer ciphers, and for which there are no, and never will be, firmware updates to correct, this is the perfect reason to keep an XP VM handy.
Printers, switches, routers, etc. Of course, the argument is they should be replaced. I get that and in most cases I am all in, but for the other cases there are perfectly legitimate reasons not to replace, or at least legitimate mitigations in place. (At the same time I also despise manufacturers who have firmware available to bring the secure interfaces into modernity but still ship with the old firmware installed which causes the browser to stomp on your fingers.)
I have had to reach for my "Internet Explorer (Windows XP Mode)" shortcut a few times working with network printer/scanners in small offices plenty of times.
-
Wednesday 17th February 2016 14:54 GMT Anonymous Coward
A lot of the merchant services providers have been doing a similar lockdown, as have most websites - and as of yet not a single update has needed to be done on our platform as we build modern software and we patched out SHA-1 a long time ago through good security practice.
Aside from our BACS connection, the provider of which is an approved BACS vendor and which didn't support SHA-256.
So next time you transfer money, know it's safe in the core UK banking infrastructure. Just like your nudie pics are safe in iCloud.
-
Wednesday 17th February 2016 16:44 GMT Anonymous Coward
Er, because it accurately reflects the production environment? Things break big when certs expire or cipher-suites get deprecated and it's even trickier to identify and fix when it's machine-to-machine communications. Test systems do not necessarily mean self-signed certs, nor even freebie certs from Let's Encrypt et al.
-
Friday 19th February 2016 14:59 GMT Bob Doe
Eh?
Where's the requirement to be using SHA-2 certs by 13th June? Maybe there isn't one, that's why I'm not having to install new certs on my HSMs.
... your Bacstel-IP software currently supports, or will be upgraded to support, SHA-2 SSL certificates and TLS 1.1/1.2 by 13 June 2016
... have a browser and operating system which will support SHA-2.
Only requirement I see is to be using a system that supports SHA-2 (and be using TLS).