Disabling TLS 1.0 and TLS 1.1
Date: 2020-05-13
In line with security best practices, we have decided to disable TLS/SSL access over the now deprecated TLS 1.0 and TLS 1.1 protocol versions.
These versions are considered insecure because, under certain conditions, they allow an attacker to exploit flaws in the protocols and compromise the data privacy and security that the server is meant to provide, with possible repercussions for legitimate clients as well.
From March 2020, the major browsers ended support for these two protocols:
- Apple: complete support will be removed from Safari in updates to Apple iOS and macOS beginning in March 2020.
- Google: support for TLS 1.0 and 1.1 removed in Chrome 81 (expected on March 17).
- Microsoft: TLS 1.0 and 1.1 removed in the first half of 2020.
In addition, the PCI Data Security Standard (DSS) requires all websites to use TLS 1.1 or higher in order to comply.
To keep up to date with security best practices, we believe this change is warranted on our systems as well.
TLS 1.2 Cryptographic Ciphers
To further strengthen our security posture, we will also be disabling the following two cipher suites, which are used with the TLS 1.2 protocol but are also considered insecure:
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
When will this happen, what do I need to do?
In the short term, nothing. We will not be switching off these protocol versions and cipher suites until we are satisfied that doing so will not affect our customers. We expect to do this within a few months of today, although the time frame will ultimately be dictated by our customers.
- Public / Trade / Dealer users, primarily accessing us through a web browser: we do not expect this to be a major issue for modern browsers. Keep your systems patched and up to date and you will not notice any change.
- B2B / VRM / XML / JSON users: we understand that some legacy systems may not be able to switch to the more modern cipher suites without manual intervention. We will be monitoring our TLS traffic to identify which customers may need to upgrade their systems, and we will work with you to help them transition or to provide an alternative endpoint. We will contact your Technical Support team directly.
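For integrators who run their own TLS endpoints or clients against us, the following Python example (added here; it is not code from this announcement or our systems) shows a server context configured to the policy above, a deliberately permissive context for comparison, and an audit function that reports a TLS floor below 1.2, either of the two retired suites, or, as a generalisation beyond the two named suites, any other non-AEAD (CBC) TLS 1.2 suite still offered. The IANA-to-OpenSSL suite-name mapping is standard; the cipher strings and function names are this example's own.

```python
import ssl

# IANA suite names from the announcement mapped to the OpenSSL names that
# ssl.SSLContext.get_ciphers() reports (standard mapping, not from the page).
RETIRED_SUITES = {
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
}
OPENSSL_TO_IANA = {v: k for k, v in RETIRED_SUITES.items()}

# Forward-secret AEAD suites only; no CBC suite can match this string.
HARDENED_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL"


def hardened_server_context(certfile=None, keyfile=None):
    """Server context that refuses TLS 1.0/1.1 and never offers the retired suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.0/1.1 handshakes are rejected
    ctx.set_ciphers(HARDENED_CIPHERS)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def legacy_server_context():
    """Constructed comparison context that still offers the two retired CBC suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(
        "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384"
    )
    return ctx


def audit(ctx):
    """Return a list of policy findings for a context; an empty list means compliant."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version allows TLS 1.0/1.1")
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are AEAD-only and unaffected by this change
        name = suite["name"]
        if name in OPENSSL_TO_IANA:
            findings.append("retired suite offered: " + OPENSSL_TO_IANA[name])
        elif not suite["aead"]:
            findings.append("non-AEAD suite offered: " + name)
    return findings


if __name__ == "__main__":
    print("hardened:", audit(hardened_server_context()))
    print("legacy:  ", audit(legacy_server_context()))
```

The same `audit` call works on a client context built with `ssl.PROTOCOL_TLS_CLIENT`, which is the side a B2B integration usually controls.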