SmartDebit systems will be dropping support for SSL 3.0 connections on 31st January 2017. Post-upgrade, our web servers will allow only the TLS 1.0, TLS 1.1 and TLS 1.2 protocols, and will support 128- and 256-bit ciphers only.
Over the last few months, Bacs has been enforcing increased security on all systems that connect through the Bacs supply chain. They have called this change “SHA-256 SSL”, and its basic aim is to increase and modernise the security and encryption that protects all data in transit for payment systems.
As a responsible supplier who is serious about the protection of your (and your customers’) data, we welcome this update. All of our systems support this change already but to ensure the security of the solution, there is one further place we need to upgrade security – SmartDebit customers’ connections. Right now, SmartDebit still accepts older security connections (such as SSL 3.0) from customers. However, as a consequence of the global security update, we will be dropping support for out-of-date communication protocols such as SSL 3.0 on 31st January 2017.
What does this mean for me?
If you are using older browsers or libraries to connect to our websites, APIs or FTP servers, you may experience issues once we drop support for insecure protocols. Unfortunately there is no way around this other than to upgrade, just as you would with any critical security update. All banks and other reputable data processors will be doing the same to reduce the chance of data loss.
You need to ensure you are using systems that support at least TLS 1.0, ideally TLS 1.2 (TLS 1.0 itself has a deprecation date in the middle of 2017), together with a modern cipher suite.
How do I know if I need to do anything?
If you use internet banking through your browser, the chances are you already have the required levels of security, or the bank would not allow you to connect. However, it’s still worth checking as a couple of banks are running behind.
All modern browsers and API libraries support the highest encryption levels, so the likelihood of being affected is small. We have also been monitoring the encryption levels requested by systems connecting to SmartDebit, and the number that do not conform is a tiny fraction of total traffic.
If you use our API or FTP service, contact your own technical or integration team to make sure your systems support TLS 1.0 and the latest set of ciphers.
If you use our portals or websites, you can check your browser security level here:
The section showing “Version” should show something like the following:
If it doesn’t support at least TLS 1.0, you need to upgrade your browser or talk to your systems administrators about doing so. A browser that does not support current protocols weakens the security of all your transactions, not just those with SmartDebit, and will carry multiple unaddressed security risks, so upgrading is good practice in any case.
What about ciphers?
Your browser will encrypt data using one of the various ciphers available to it. As part of this upgrade, we are dropping support for insecure ciphers (and anything below 128 bit) as well as upgrading the communications protocol. It’s perfectly possible to use an up-to-date communications protocol yet still negotiate an insecure cipher, so this too is an important change. The cipher suites we are specifically removing are those using RC4 or MD5. Modern systems should negotiate an acceptable cipher automatically, so you only need to think about this if you have completed all the other recommendations and you still cannot connect.
For reference only, the list of cipher suites we will be supporting after this change (with minor amendments if new ones are released) is:
SD admin, API, Secure FTP:
| Cipher suite | Key exchange | Bits |
|---|---|---|
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) | ECDH secp256r1 (eq. 3072 bits RSA), FS | 256 |
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) | ECDH secp256r1 (eq. 3072 bits RSA), FS | 128 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) | ECDH secp256r1 (eq. 3072 bits RSA), FS | 256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) | ECDH secp256r1 (eq. 3072 bits RSA), FS | 128 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) | ECDH secp256r1 (eq. 3072 bits RSA), FS | 256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) | ECDH secp256r1 (eq. 3072 bits RSA), FS | 128 |
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) | DH 2048 bits, FS | 256 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) | DH 2048 bits, FS | 256 |
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) | DH 2048 bits, FS | 256 |
| TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) | DH 2048 bits, FS | 256 |
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) | DH 2048 bits, FS | 128 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) | DH 2048 bits, FS | 128 |
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) | DH 2048 bits, FS | 128 |
| TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a) | DH 2048 bits, FS | 128 |
| TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) | DH 2048 bits, FS | 128 |
SD Direct, SD Online:
| Cipher suite | Key exchange | Bits |
|---|---|---|
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) | ECDH secp521r1 (eq. 15360 bits RSA), FS | 256 |
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014) | ECDH secp521r1 (eq. 15360 bits RSA), FS | 256 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) | ECDH secp521r1 (eq. 15360 bits RSA), FS | 128 |
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013) | ECDH secp521r1 (eq. 15360 bits RSA), FS | 128 |
You can also check ciphers your own browser supports using the tool at: https://www.howsmyssl.com/
Scroll down the page to “Given cipher suites” and ensure at least one of them matches an entry in our list above. If none does, a browser upgrade will fix the issue.
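For API and FTP integrations, which have no browser to point at howsmyssl.com, the same check can be done offline against the local TLS library. The following Python script is an added example, not SmartDebit's own tooling: it parses the cipher-suite list above in the page's "NAME (0xHEX)" form, asks the local OpenSSL (through Python's ssl module) which suites and protocol versions it offers, and reports the overlap in the server's preference order. The SMARTDEBIT_API_SUITES constant and the function names are this example's own.

```python
import re
import ssl

# SD admin / API / Secure FTP suites from the list above, in the page's own
# "NAME (0xHEX)" form (key-exchange columns omitted; the regex ignores them).
SMARTDEBIT_API_SUITES = """
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88)
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)
TLS_DHE_RSA_WITH_SEED_CBC_SHA (0x9a)
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45)
"""

SUITE_RE = re.compile(r"(TLS_[A-Z0-9_]+) \(0x([0-9a-fA-F]+)\)")

def parse_suites(text):
    """Map IANA suite code -> name, keeping the page's (server preference) order."""
    return {int(code, 16): name for name, code in SUITE_RE.findall(text)}

def client_suites(ctx=None):
    """IANA codes the local OpenSSL client offers. OpenSSL reports ids with a
    0x0300 prefix (e.g. 0x0300C030), so the low 16 bits are the IANA code."""
    ctx = ctx or ssl.create_default_context()
    return {c["id"] & 0xFFFF: c["name"] for c in ctx.get_ciphers()}

def negotiable(server, client):
    """Suites both sides accept, in server order; an empty list means this
    client would fail the handshake once the old suites are removed."""
    return [server[code] for code in server if code in client]

def protocol_support():
    """Protocol versions this ssl build can speak (HAS_* flags, Python 3.7+);
    TLS 1.0 is the page's minimum, TLS 1.2 its recommendation."""
    names = ("TLSv1", "TLSv1_1", "TLSv1_2", "TLSv1_3")
    return {n: bool(getattr(ssl, "HAS_" + n, False)) for n in names}

if __name__ == "__main__":
    shared = negotiable(parse_suites(SMARTDEBIT_API_SUITES), client_suites())
    print("protocols:", protocol_support())
    print("shared suites:", shared or "NONE - this client would be rejected")
```

The SD Direct / SD Online list can be checked the same way by pasting its four suites into the constant.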
It’s 1st February and my systems have suddenly stopped working?
Security is everyone’s responsibility, but only you can upgrade your browser. If your systems were working in January and now do not, please check the following before you call SmartDebit support:
Your browser is the latest version – take a note of the type and version
Your API integration uses current libraries supporting TLS 1.0 – get confirmation from your integration team showing which protocols and ciphers your systems can use
Get a copy of the results at https://www.howsmyssl.com/ to provide to the SmartDebit support team when you call.
Where can I find out more?
Wikipedia shows a list of all browser versions and their security support versions:
Bacs has several articles on this change:
The PCI scheme has information on upgrading from SSL to TLS: