TLS 1.0 deprecation

Having our customer security in highest regards, we hereby announce that TLS1.0 security protocol is deprecated for all our hosted XTRF instances and will be disabled soon. This protocol has some known security flaws, that cannot be resolved other by disabling it. While all the currently known vulnerabilities are fixed, it does not provide sufficient confidentiality guarantees in the future. The subsequent revisions, mainly TLS 1.2 which is the currently recommended version, are already supported for few years by modern browsers, therefore the impact should be minimal. The affected browsers, still having noticeable usage, are:

  • Internet Explorer 10 and older

  • Android built-in browser before Android 5.0

  • Most browsers on Windows Vista and older due to lack of platform support

  • Java 7 and older as a HTTPS client without proper configuration.

We plan to communicate with the affected customers and resolve the expected issues before they happen. The expected shutdown of this protocol is expected between April 1st and May 25th, depending on the progress. Please verify and update your client software until then.


UPDATE: 

Two more updates about the status of secure connections to our hosted XTRF:

  • As the TLS 1.1 usage is nearly zero, we will disable it alongside TLS 1.0 - all modern browsers support and use TLS 1.2
  • Since the TLS 1.3 standard has been finalized recently, we will introduce it on our platform within next few weeks. TLS 1.3 brings faster connection establishment and improved security. There should be no incompatibilities, as the TLS 1.2 is expected to remain in place for a few more years.


For more technical details please see:

https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls

https://www.comodo.com/e-commerce/ssl-certificates/tls-1-deprecation-browsers.php

This article was helpful for 1 person. Is this article helpful for you?