Reply to post: Understand the risks

Does UK high street banks' crappy crypto actually matter?

Anonymous Coward

Understand the risks

Wow, this gets muddy.

HSTS ensures HTTPS is used and is a big deal. SSL vs TLS1.0/1.1 vs TLS1.2 is another matter.

PCI DSS applies to organizations handling credit/debit card data (basically data belonging to others). That's why the focus is mostly on merchants and processing banks, the issuing banks which hold a lot more of the risk get less focus but don't get off the hook either.

As to the POS machines being exempt from TLS1.2, NOT TRUE. They can continue to be used but must be shown to be safe. In many cases they are because of the way they use the crypto. The attacks like POODLE that precipitated this requirement have very specific use cases and won't apply to most of these devices. The details of this are well documented.

Similarly, 3DES is near the end of its useful life. It still has a role in POS and ATM devices, in part because those use cases are safer than a general purpose use case.

And if a bank wants to let their customers use SSL3.0 to access their non-PCI accounts, that is their risk decision to make.
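The comment above distinguishes two separate checks a reviewer would run against a bank's site: whether HSTS actually pins clients to HTTPS, and whether SSL3.0 or early TLS is still offered. The following is an added example, not code from the commenter or from The Register; it parses a Strict-Transport-Security header value per RFC 6797 and flags configurations that do not enforce HTTPS, and separately classifies a set of offered protocol versions against the "no SSL/early TLS" expectation. The sample header values and protocol labels are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample header values (not taken from any real bank site).
SAMPLE_HEADERS = {
    "good": "max-age=31536000; includeSubDomains; preload",
    "short": "max-age=300",
    "missing": "",
    "broken": "includeSubDomains",  # no max-age, so clients ignore it
}

# Versions that PCI DSS groups as "SSL/early TLS" (constructed label set).
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security header value (RFC 6797).

    Returns None when the header is absent or has no valid max-age, which
    is exactly the case where a browser will not enforce HTTPS at all.
    """
    if not value or not value.strip():
        return None
    max_age = None
    include_subdomains = False
    preload = False
    for directive in value.split(";"):
        directive = directive.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')
        if name == "max-age":
            if not re.fullmatch(r"\d+", val):
                return None  # malformed max-age: policy is unusable
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def hsts_findings(value: str, min_age: int = 31536000) -> List[str]:
    """Return a list of weaknesses in an HSTS header; empty means acceptable."""
    policy = parse_hsts(value)
    if policy is None:
        return ["no enforceable HSTS policy: header missing or lacks a valid max-age"]
    findings = []
    if policy.max_age == 0:
        findings.append("max-age=0 tells clients to forget the policy")
    elif policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age}s is below the {min_age}s baseline")
    if not policy.include_subdomains:
        findings.append("includeSubDomains absent: subdomains may still be reached over HTTP")
    return findings


def protocol_findings(offered: Set[str]) -> List[str]:
    """Flag legacy protocol versions a server still negotiates."""
    findings = [f"{p} offered: SSL/early TLS is outside the PCI DSS baseline"
                for p in sorted(offered & LEGACY_PROTOCOLS)]
    if not (offered - LEGACY_PROTOCOLS):
        findings.append("no TLS 1.2 or later offered at all")
    return findings


if __name__ == "__main__":
    for label, header in SAMPLE_HEADERS.items():
        print(label, hsts_findings(header) or "ok")
    print(protocol_findings({"SSLv3", "TLSv1.2"}))
```

In practice the header value comes from the site's HTTPS response and the protocol set from a scanner's handshake results; the point of splitting the two checks is the commenter's: a missing HSTS header and a lingering SSL3.0 listener are different risks and are remediated separately.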
