Security can’t afford to take a vacation: strengthen your application’s security with Synergy/DE 10.3.1b
By James Sahaj
Project Manager, Synergy .NET compiler
Earlier this year someone booked a flight on a major airline using my credit card. They probably went somewhere nice, like Hawaii, where they could enjoy a Mai Tai, adorned with a paper umbrella, while sinking their toes into a sparkly sandy beach and gazing upon a postcard-perfect orange sunset. Problem is, it wasn’t me! I wonder how they got the card. Did I swipe it through a card skimmer? Did a store where I had used it get hacked? In my case, because I seldom used the card, I’m assuming the latter. With credit card fraud on the rise, many of you reading this article have probably gone through a similar experience. This brings us to today’s topic: What are you going to do about security in your own applications?
Because there have been so many recent security breaches, industry experts no longer consider SSL2 and SSL3 protocols to be secure. In fact, current browsers and other products completely disable the use of these protocols. This is because hackers are able, through various attacks, to downgrade to this lower encryption and get access to data supposedly protected by SSL3. Other security flaws make even TLS1.0—the first iteration of the next generation of cryptographic protocols—vulnerable. Although TLS1.0 is still widely used, it is being superseded by TLS1.1 and TLS1.2. For detailed information about attacks against TLS/SSL, click here.
If your application handles credit card transactions, you’ll be familiar with PCI. It’s the information security standard for organizations that handle any of the major credit cards. Starting in June 2016, in order for a website to be PCI-compliant, it must use the latest TLS protocol, TLS1.2; SSL and early TLS versions will not be allowed. (See section 2.2.3 of the PCI Data Security Standards document.) Some older operating systems such as HP-UX (PA-RISC), Vista, and Windows Server 2008 (and, of course, the unsupported-but-still-clinging-to-life XP) are simply not capable of being PCI-compliant. OpenVMS is not currently capable of being PCI-compliant, but an expected SSL release should be available before the end of the year to make it so. In addition, versions of Synergy/DE on UNIX below 10.3.1 and on Windows below 10.1.1 cannot be used for PCI-compliance. For xfNetLink .NET and xfNetLink Java, version 10.3.1b or higher is required.
Another security standard that is of concern for some Synergex customers in the U.S. is the one imposed by HIPAA. Currently, HIPAA compliance requires TLS1.0/TLS1.1/TLS1.2 for business communication and TLS1.1/TLS1.2 for government communication of sensitive data.
With the release of Synergy/DE 10.3.1b, the default SSL protocol is now TLS1.0/TLS1.1/TLS1.2, and you have the option to specify that only the most secure protocols (TLS1.1/TLS1.2) be used. All Synergy products that include encryption functionality to handle data transfer over a network have been updated: the HTTP document transport API, xfServer and xfServer client, xfServerPlus, and the three xfNetLinks—Synergy, Java, and .NET.
In a future version, we plan to change the default protocol to TLS1.1/TLS1.2. Note that this change could break your code if you’re using the defaults and haven’t updated your OpenSSL recently. And using SSL on the older platforms mentioned above, which don’t support protocols above TLS1.0, will no longer be supported. I encourage you to take advantage of this time (and the new options we’ve added to Synergy’s encryption features) to get your Synergy applications up to speed with the newer protocols. This will enable you to not only be ready for future versions of Synergy, but also to offer your customers the most secure applications available right now.
Hackers never stop trying to exploit weaknesses in security, which is why OpenSSL continually updates its releases to keep up with the ever-changing security landscape. Just this year, OpenSSL has gone from version 1.0.1j to 1.0.1p (as of this writing). Here is the extensive list of changes. If you use any of Synergy/DE’s products or features that use encryption, we recommend that you regularly update your systems with these changes. Many operating system manufacturers incorporate OpenSSL in their OS these days. Typically in these situations, they fall behind on the version number but may port many of the security fixes back into their current SSL offering. Regardless of whether you install it directly or rely on the version in the OS, it’s important to keep up with improvements in OpenSSL, as they can be critical to your application’s effectiveness and your customers’ data.
Even if the encryption in your Synergy application doesn’t require PCI or HIPAA compliance, it’s still good practice to keep it as secure as possible. I want to encourage all Synergy developers to keep up with the latest security offerings, install Synergy 10.3.1b, and start using the most secure protocols and ciphers available. As they say in Hawaii, do it “wikiwiki!” (quickly). If you don’t keep up to date, just remember: Hackers never take a break, unless they’re on vacation, enjoying a free Mai Tai on your credit card. Aloha!
For more information about using the new security features in Synergy/DE 10.3.1b, go here.