Last modified on May 31, 2018 at 1:46 pm
SYNOPSIS
Starting in June 30 2018, DigitalChalk will disable support for the older TLS 1.0 encryption protocol. Connections to and from DigitalChalk must begin using the TLS 1.2 (or TLS 1.1) encryption protocol at that time.
STRENGTHENING SECURITY
All websites that transmit or processes credit card data will drop support for TLS 1.0 to meet the requirements of the Payment Card Industry Data Security Standard Council (PCI DSS v3.1). To maintain compliance, DigitalChalk will also disable the use of TLS 1.0 for connections to and from DigitalChalk.
WHAT SHOULD I DO?
If your DigitalChalk organization or one of your customers is using a TLS 1.0 connection, they will not be able to access DigitalChalk system after TLS 1.0 support is dropped. This security change will impact:
- Web browser access
- Single-sign-on (SSO) authentication
- Web service interfaces (APIs)
WEB BROWSER ACCESS
If your DigitalChalk organization or one of your customers is using a web browser that attempts to establish an insecure connection to DigitalChalk, a blank webpage will be shown to user. Because this negotiation between the user’s web browser and the DigitalChalk servers is done before we even receive any information about a connection attempt, we will not be able to warn the user that they have attempted to connect using an insecure transport layer. As such, all that the user may see is a blank page.
SINGLE-SIGN-ON
If your organization uses SSO, CAS or SAML to authenticate users in DigitalChalk, you must verify that your identity provider can connect to our sandbox environment and authenticate successfully.
We’ve setup our sandbox environment to only allow the more secure TLS 1.1 and TLS 1.2 connections. Please use our sandbox environment to test and verify that you will be able to connect to DigitalChalk after June 30 2018.
WEB SERVICES
If your organization connects to DigitalChalk using REST web services, you must verify that you can connect to our sandbox environment and execute API calls.
We’ve setup our sandbox environment to only allow the more secure TLS 1.1 and TLS 1.2 connections. Please use our sandbox environment to test and verify that you will be able to connect to DigitalChalk after June 2018.
Here are a few examples of where you might find this configuration in your code:
PHP
(using OpenSSL 1.0.1) see http://php.net/manual/en/function.curl-setopt.php
curl_setopt($url, CURLOPT_SSLVERSION, 6);
C#
System.Net.ServicePointManager.SecurityProtocol ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;
Java8,9
java -Djdk.tls.client.protocols="TLSv1.1,TLSv1.2" MyApp
or
java.lang.System.setProperty("jdk.tls.client.protocols", "TLSv1.1,TLSv1.2");
Java7 (and older)
see http://www.oracle.com/technetwork/java/javase/documentation/cve-2014-3566-2342133.html
ADDITIONAL INFORMATION
PCI COMPLIANCE
All US e-commerce websites must be PCI DSS compliant. Starting with PCI DSS v3.1, TLS version 1.0 is no longer considered acceptable and must be phased out no later than June 30, 2018. All e-commerce sites should be routinely audited as part of the compliance process to maintain an active merchant account. Some scanning tools (like TrustWave) will flag sites which still make use of TLS 1.0.
https://www.pcisecuritystandards.org/security_standards/documents.php
BROWSER SUPPORT
TLS 1.1 and 1.2 support has been available in all major browsers for some time now. For reference, the earliest versions of each browser that, by default, offered support for TLS 1.1 and 1.2 are:
- Chrome 22 / 30 (TLS 1.1 / 1.2) – released 2012-09-25 and 2013-10-01, respectively
- Firefox 27 – released 2014-02-04
- IE 11 – released 2013-11-07 (Windows 7)
- Safari 7 – released 2013-10-22
https://en.wikipedia.org/wiki/Transport_Layer_Security
MICROSOFT INTERNET EXPLORER
As of January 12, 2016, Microsoft no longer provides security updates for any version of IE other than the most recent one available for their currently-supported operating systems. If, for example, a user is on Windows 7 and is using IE 10, they will no longer receive security updates for their browser. The only option will be for them to upgrade to IE 11.
https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support
After upgrading IE, you may want to consider using Enterprise or Compatibility mode as described here:
https://technet.microsoft.com/en-us/browser/dn508446
DEVICE/BROWSER SUPPORT TABLE
https://en.wikipedia.org/wiki/Transport_Layer_Security#Web_browsers