In my previous post, 'Disabling cryptographic protocols for PCI compliance (focused on SSL 3.0 and TLS 1.0)', I described how to disable incoming SSL 3.0 and TLS 1.0 connections by tweaking Schannel settings in the Windows registry. Along with it, I also showed how to adjust ServicePointManager security settings to control which cryptographic protocols are used for outgoing connections. In this post, I'm going to demonstrate another possible solution to this problem: modifying the strong cryptography settings of all .NET-based applications.
MSDN has a ton of information about this topic, from database setup to SqlClient configuration; however, if you are fairly new to it you might get overwhelmed by all the available information. My goal for this blog post is to simplify the idea behind this concept so anybody can understand the basics. Just keep in mind that a real network setup can be far more complex, but the fundamentals will be the same.
PCI DSS (Payment Card Industry Data Security Standard) requires that cryptographic protocols with known vulnerabilities be disabled (a requirement recently introduced in revision 3.1). This includes SSL 2.0, SSL 3.0 and TLS 1.0, meaning that after June of 2016, any environment still supporting those protocols will automatically fail a PCI audit. At the time of this writing, only TLS 1.1 and TLS 1.2 should be enabled (TLS 1.3 is still in the draft phase).
Social networks are, without question, one of the greatest technological achievements of the last decade. It's hard to imagine a world without them. Even if you spend no time keeping up with your virtual persona, and you despise the ones who do, you must acknowledge the impact of social networks on today's society. It's all around us in the real world: just look at all the junk mail from last week and the abundance of "like us on Facebook", "follow us on Twitter", or "check us out on Google+"… Turn on the TV and check the little hashtag in the corner of the screen. Go to a restaurant and do a Foursquare check-in to get the latest deal. It's literally everywhere.
A common trend that I see with software development teams is the absolute need to over-engineer prototype solutions. "Hey Mark, can you build me a website where I can upload the photos from my phone?" Two months later Mark comes back with a budget estimate of two million dollars to cover hiring and infrastructure costs and a three-year roadmap... "Dude, I just want a website to upload my photos... It will cost me 3 years and 2 million?" Seriously Mark, why couldn't you focus on the goal and keep it small and simple? Why did you have to go "all-in" right from the start?