Welcome to Finextra. We use cookies to help us to deliver our services. We'll assume you're ok with this, but you may change your preferences at our Cookie Centre.
Please read our Privacy Policy.

Accept
Channels
Blog article
See all stories »

Channels

Security Payments

Group

Fintech
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.

Data security in fintech: from TLS to ALE

Recently, after reading a great engineering blog post on OCSP and CRL verifiers in Go, and after further discussion in the community, I’ve got an insight that made me really gloomy. 

Mass of projects use technologies without paying attention to their security holes. For instance, financial applications adopt TLS (transport layer security) protocol, often disregarding to configure it properly and support only the latest versions (1.2 and 1.3) and  TLS extensions. Fintech projects often get into this trap.

The typical mistake is to chase after technology and ignore the real state of security of the project itself and the technologies it uses. 

For example, OCSP (Online Certificate Status Protocol) and CRL (Certificate Revocation List) are TLS extensions, which could be highly useful for fintech infrastructures and network security controls, as they play significant roles in establishing trust to remote parties (servers, applications). Moreover, OCSP and CRL support is a must-have for applications that process sensitive data, like banking applications or cryptocurrencies wallets.

OCSP allows any party of a TLS handshake to ask the designated authority (CA, or OCSP responder server) whether a provided TLS certificate is still valid. CRL is a file that contains a list of certificates revoked by a single certificate authority (CA), with serial numbers and reasons for revocation. 

The support of OCSP and CRL is crucial for fintech applications to prevent unauthorised connections from malicious or misconfigured apps to sensitive data.

But many programming languages do not support OCSP and CRL out-of-the-box, and projects’ teams need to homebrew them. As developers are not security engineers, they make mistakes during implementation, increasing the chances of attacks and security incidents.

If developers can’t enable or implement OCSP/CRL, they can implement application level encryption (ALE) instead. The idea is very different: the application encrypts sensitive data before sending and decrypts on retrieval. When done properly, ALE mitigates the risk of exposing the data to a malicious party or person in the middle.

This OCSP/CRL example is only one small thing. Efficient data protection requires a multilevel approach and effort (aka “defence-in-depth”). Otherwise, using even the best tools with leaky but famed technologies is just an illusion of security. Stay in reality, pay attention to risks and threats.

9542

Channels

Security Payments

Group

Fintech
External | what does this mean?
This content is provided by an external author without editing by Finextra. It expresses the views and opinions of the author.
Report abuse

Comments: (0)

Join the discussion
Pavlo Farb

Pavlo Farb

Security Engineer

Cossack Labs

Member since

11 Jun 2021

Location

London

Blog posts

16

More from Pavlo

This post is from a series of posts in the group:

Fintech

Fintech discussions and conversations around the development of fintech.

See all
Community
See all blogs »
Fintech 

How innovation in encryption is helping secure the credit card approval process

Ghazi Ben Amor

Ghazi Ben Amor

Operational Risk Management 

DORA – Navigating the EU’s Operational Resilience Landscape

Antony Fung

Antony Fung

Fintech 

The importance of risk management in trading

Kate Leaman

Kate Leaman

Digital Identity Management 

Navigating the digital identity landscape: A blueprint for financial services competitiveness

Adam Preis

Adam Preis

Now hiring

See more