Last modified on May 31, 2018 at 1:46 pm
Starting on June 30, 2018, DigitalChalk will disable support for the older TLS 1.0 encryption protocol. From that date, connections to and from DigitalChalk must use TLS 1.2 (or TLS 1.1).
All websites that transmit or process credit card data must drop support for TLS 1.0 to meet the requirements of the Payment Card Industry Data Security Standard (PCI DSS v3.1 and later). To maintain compliance, DigitalChalk will also disable TLS 1.0 for connections to and from DigitalChalk.
WHAT SHOULD I DO?
If your DigitalChalk organization or one of your customers connects over TLS 1.0, they will not be able to access the DigitalChalk system after TLS 1.0 support is dropped. This security change will impact:
- Web browser access
- Single-sign-on (SSO) authentication
- Web service interfaces (APIs)
WEB BROWSER ACCESS
If your DigitalChalk organization or one of your customers uses a web browser that can only negotiate TLS 1.0, the connection attempt will fail and the user will typically see a blank page or the browser's own generic connection error. The TLS handshake is negotiated before any HTTP request reaches our servers, so DigitalChalk has no way to detect the attempt or to warn the user that they connected with an insecure protocol version; all the user may see is a blank page.
SINGLE-SIGN-ON (SSO) AUTHENTICATION
If your organization uses SSO (CAS or SAML) to authenticate users in DigitalChalk, you must verify that your identity provider can connect to our sandbox environment and authenticate successfully.
We've set up our sandbox environment to allow only the more secure TLS 1.1 and TLS 1.2 connections. Please use our sandbox environment to test and verify that you will be able to connect to DigitalChalk after June 30, 2018.
WEB SERVICE INTERFACES (APIS)
If your organization connects to DigitalChalk using REST web services, you must verify that you can connect to our sandbox environment and execute API calls.
We've set up our sandbox environment to allow only the more secure TLS 1.1 and TLS 1.2 connections. Please use our sandbox environment to test and verify that you will be able to connect to DigitalChalk after June 30, 2018.
Here are a few examples of where you might find this configuration in your code:
PHP cURL (requires OpenSSL 1.0.1 or later; see http://php.net/manual/en/function.curl-setopt.php)
// $ch is the handle returned by curl_init(); 6 is the value of CURL_SSLVERSION_TLSv1_2
curl_setopt($ch, CURLOPT_SSLVERSION, 6);
.NET (System.Net.ServicePointManager.SecurityProtocol)
// Tls12 is available from .NET Framework 4.5, but 4.5 does not enable it by default (4.6 and later do); set it before the first request is made
ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
Java 8 (the jdk.tls.client.protocols property is also honored by later Java 7 updates)
java -Djdk.tls.client.protocols="TLSv1.1,TLSv1.2" MyApp
or, before any SSLContext is created:
java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1.1,TLSv1.2");
Java 7 (and older)
Java 7 ships with TLS 1.1 and TLS 1.2 but enables only TLS 1.0 on the client side by default, so an unconfigured Java 7 client will be refused after the cutoff.
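As an added example (not DigitalChalk's code), the following Python script performs the check the sandbox advice above asks for: it pins a client context to one TLS version at a time and records whether the handshake completes. A refusal shows up as a TLS alert before any HTTP is exchanged, which is exactly why a browser stuck on TLS 1.0 shows only a blank page. The host and port are placeholders you supply on the command line (example.com is a stand-in), and nothing is contacted on import.

```python
"""Probe which TLS protocol versions a server will negotiate with this client.

Added example, not DigitalChalk code. Usage: python tls_probe.py HOST [PORT]
"""
import socket
import ssl
import sys
from typing import Dict, Optional

# Versions to try, oldest first. TLS 1.3 is listed only because a modern server
# may prefer it; the cutoff discussed above concerns TLS 1.0.
PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

LOCAL_UNSUPPORTED = "unsupported-by-local-runtime"


def pinned_context(version: ssl.TLSVersion) -> Optional[ssl.SSLContext]:
    """Build a client context that offers only `version`.

    Returns None when the local OpenSSL cannot speak that version at all; that is
    itself a finding (this machine's client side is not the thing stuck on 1.0).
    """
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    if version < ssl.TLSVersion.TLSv1_2:
        # OpenSSL 3 blocks TLS < 1.2 at its default security level; relax it for
        # the legacy probes so that a refusal reflects the server's policy.
        try:
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass  # LibreSSL and older OpenSSL have no security levels
    return ctx


def probe(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> str:
    """Attempt one handshake pinned to `version`.

    Returns the negotiated version string (e.g. "TLSv1.2") on success, or a
    short reason on failure.
    """
    ctx = pinned_context(version)
    if ctx is None:
        return LOCAL_UNSUPPORTED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() or "unknown"
    except ssl.SSLCertVerificationError:
        return "cert-verify-failed"  # version accepted, but the certificate is untrusted
    except ssl.SSLError as exc:
        # The server refused during the handshake, before any HTTP was exchanged;
        # a browser shows a blank page or generic error at exactly this point.
        return "refused:" + (exc.reason or "handshake-failure")
    except OSError as exc:
        return "network-error:" + str(exc)


def probe_all(host: str, port: int = 443) -> Dict[str, str]:
    """Probe every version in PROBE_VERSIONS against one host."""
    return {name: probe(host, port, ver) for name, ver in PROBE_VERSIONS.items()}


def readiness(results: Dict[str, str]) -> Dict[str, object]:
    """Reduce probe results to the two facts the TLS 1.0 cutoff hinges on."""
    def negotiated(name: str) -> bool:
        return results.get(name, "").startswith("TLSv")

    legacy = [n for n in ("TLSv1.0", "TLSv1.1") if negotiated(n)]
    return {
        # A client that completes a 1.2 (or 1.3) handshake survives the cutoff.
        "client_survives_cutoff": negotiated("TLSv1.2") or negotiated("TLSv1.3"),
        # A server still answering TLS 1.0 is what PCI scanners flag.
        "server_still_offers_tls10": "TLSv1.0" in legacy,
        "legacy_versions_accepted": legacy,
    }


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    outcomes = probe_all(target, target_port)
    for name, outcome in outcomes.items():
        print(f"{name:8} -> {outcome}")
    print(readiness(outcomes))
```

Run it from the machine that hosts your SSO or API integration, not from a developer laptop: the point is to learn what that runtime's OpenSSL can negotiate. A "cert-verify-failed" result means the version was accepted but the trust store is incomplete, which is a separate problem from the cutoff.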
Every e-commerce website that accepts payment cards (in the US and elsewhere) must be PCI DSS compliant. Starting with PCI DSS v3.1, TLS 1.0 (like SSL) is no longer considered strong cryptography, and PCI DSS v3.2 set June 30, 2018 as the date by which it must be phased out. E-commerce sites are routinely scanned as part of the compliance process to maintain an active merchant account, and approved scanning vendors (Trustwave, for example) flag sites that still accept TLS 1.0.
TLS 1.1 and 1.2 support has been available in all major browsers for some time now. For reference, the earliest versions of each browser that, by default, offered support for TLS 1.1 and 1.2 are:
- Chrome 22 / 30 (TLS 1.1 / 1.2) – released 2012-09-25 and 2013-10-01, respectively
- Firefox 27 – released 2014-02-04
- IE 11 – released 2013-11-07 (Windows 7)
- Safari 7 – released 2013-10-22
MICROSOFT INTERNET EXPLORER
As of January 12, 2016, Microsoft no longer provides security updates for any version of IE other than the most recent one available for their currently-supported operating systems. If, for example, a user is on Windows 7 and is using IE 10, they will no longer receive security updates for their browser. The only option will be for them to upgrade to IE 11.
After upgrading IE, you may want to consider using Enterprise or Compatibility mode as described here: