0

Is SSL the most efficient way for creating a encrypted communication between the user's mobile to the backend server?

I understand that there is a flaw in SSL, so I was wondering is there other alternative that I can go for or should I keep the option of using SSL.

mobile payment in this case is like credit card payment (not with paypal just credit card)

Ale
  • 236
  • 1
  • 8
James Yeo
  • 23
  • 1
  • 7
  • I have a feeling this has been previously answered, so don't take it personally if it gets closed as a duplicate. – Rory Alsop Oct 14 '14 at 11:35
  • @JamesYeo could you elaborate on the flaw in SSL? I'd check out [How does SSL/TLS work?](http://security.stackexchange.com/questions/20803/how-does-ssl-tls-work) – RoraΖ Oct 14 '14 at 11:41
  • Use SSL/TLS and ensure that you're properly validating the certificate. If you directly send the credit card number to the PSP without touching your own server (I strongly recommend doing so, else you'll have lots of expensive fun with PCI) you simply need to do what their API requires (most likely just SSL). – CodesInChaos Oct 14 '14 at 13:50

1 Answers1

1

SSL is probably not the most "efficient" way, but I'm not aware of any alternative that would be worth going to.

Mobile devices had WTLS to streamline the process for lower-bandwidth devices, but that's not a very viable system... While you could roll your own, the rule of thumb (for crypto) is never roll your own.

Flaws have been found in SSL, and addressed; and they will be again. However, your bank and your credit card company still use SSL, because it's the only widely supported method of providing reasonable security.

If the server in your case is hosted by your payment provider as @CodesInChaos suggests, they most likely only support SSL. If you're planning on terminating the encrypted connection on your own server... you should use SSL or expect massive hassles with your PCI (DSS and/or PA-DSS) certification.

In short... Just use SSL.

gowenfawr
  • 72,355
  • 17
  • 162
  • 199