
Ask HN: How to deal with vendors who run outdated TLS? - nvahalik
Someone I know uses a custom point-of-sale system that is tied to their business. It does not only handle order management, but it also processes transactions and handles customer information.

Today I get a frantic message from this person that their browser says the site is insecure and refuses to load it. They cannot access their order information or process payments.

This person runs a small (franchised) business. But they are worried about the security of the system that they are using.

I put the URL for the POS system into the ssllabs.com tests and sure enough, it scores an "F", runs TLS 1.0, etc.

What makes matters more complicated is that there has been some chargeback fraud happening. It is probably unrelated to this, but it makes one wonder.

Given that there are PCI considerations, is there any recourse as a franchisee to something like this? They could refuse to use the system, but are afraid of losing orders or being accused of some franchise agreement breach.

My advice so far has been to yell as loud as possible, provide documentation, make as much noise as possible, and use cash/check/PayPal to process payments until the provider gets the issue resolved. The provider was frustrated that this person wouldn't just use Internet Explorer, since that's what they suggest everyone else do.

Any advice here? What would you do?
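The check the original poster ran through ssllabs.com (which protocol versions the POS host will negotiate) can also be done locally, which is useful for re-checking after a vendor claims to have fixed it. The script below is an added example for this thread, not code from the original post or from any POS vendor. It uses only the Python standard library; "pos.example" is a placeholder host name (an assumption), and the `tester` parameter exists so the reporting logic can be exercised without a live server. One caveat a practitioner should expect: a current OpenSSL build may refuse to even offer TLS 1.0/1.1 (the same reason the poster's browser refuses the site), in which case the script reports those versions as untestable rather than refused, and SSL Labs or an older OpenSSL is needed for a definitive answer.

```python
"""Probe which TLS protocol versions a server will negotiate.

Added example for this thread, not code from the original post or from
any POS vendor. Standard library only; "pos.example" is a placeholder
host name (assumption), not the system discussed in the thread.
"""
import socket
import ssl
import sys

# Name -> ssl.TLSVersion, in the order a report should list them.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
# Versions PCI DSS required merchants to migrate off (deadline June 2018)
# and that current browsers refuse outright.
LEGACY = frozenset({"TLSv1.0", "TLSv1.1"})


def try_version(host, port, version, timeout=5.0):
    """Handshake with the client pinned to exactly one protocol version.

    Returns True if the server completes the handshake at that version,
    False if it refuses (or is unreachable), and None if this client's
    OpenSSL cannot even offer that version, which is common for
    TLS 1.0/1.1 on current distributions.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Certificate validity is a separate finding; here we only want to
    # learn which versions the server is willing to speak.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except ValueError:
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


def probe(host, port=443, tester=try_version):
    """Map each version name to True/False/None using `tester`
    (injectable so the logic can run without a live server)."""
    return {name: tester(host, port, ver) for name, ver in VERSIONS.items()}


def verdict(results):
    """One-line summary in the spirit of the SSL Labs protocol check."""
    enabled = {name for name, ok in results.items() if ok}
    legacy = sorted(enabled & LEGACY)
    modern = sorted(enabled - LEGACY)
    if not modern:
        return "FAIL: no TLS 1.2 or 1.3 offered"
    if legacy:
        return "FAIL: legacy protocols enabled: " + ", ".join(legacy)
    return "OK: only " + ", ".join(modern)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "pos.example"
    report = probe(target)
    for name, ok in report.items():
        state = {True: "accepted", False: "refused", None: "untestable here"}[ok]
        print(f"{name:8} {state}")
    print(verdict(report))
```

Run it as `python probe_tls.py pos.example`. Pinning both `minimum_version` and `maximum_version` to a single value is what makes each handshake a yes/no question about that one version; a plain client would just negotiate the best version both sides share and tell you nothing about whether TLS 1.0 is still enabled.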
======
blueatlas
I've run up against this multiple times for apps that were hosted on shared
servers. In both instances we had to move the apps to dedicated virtual
servers so that TLS v1.0/1.1 could be disabled.

None of the providers would disable TLS v1.0/1.1 and won't say when they will.

Also realize that some enterprise security products are also starting to block
or throw warnings due to the host having old SSL/TLS protocols enabled.

~~~
nvahalik
If the headers being sent by the server are correct, then the software being
used _should_ actually support TLS 1.2. Why they continue to persist in not
allowing it is beyond me.

------
matt_s
Who is responsible for the PCI considerations? The POS system company or the
franchisor?

Start looking at other POS systems immediately if possible. If that system's
owners do not take security seriously, ditch them.

One option, which would likely hurt your friend's business, is to go public
about that entire franchise using insecure payment systems.

Put an ATM in the lobby/outside and go cash only.

~~~
nvahalik
This is something I've often considered as well. It's not clear to me how it
works because each franchisee has their own merchant account.

The other ideas, while valid, are not an option in this case.

------
CloudNetworking
I would move away to another vendor, as an outdated TLS version is just the
tip of the iceberg. If you don't move away you are knowingly putting your
customers' data at risk.

