You may have heard of internet vulnerabilities like POODLE or HEARTBLEED in the press. It’s these type of exploits that have urged the PCI Council to mandate all websites and applications away from TLS v1.0.
UPDATE: We will be retiring support for TLS v1 and v1.1 on November 30th. We have compiled a list of handy tools to help you update your system:
Although, the The Payment Card Industry Security Standards Council (PCI SSC) is focused primarily on cardholder data, we have a passion for following best practices and security standards here at FireText, and recommend upgrading to TLS v1.2 for accessing FireText, along with every website / service on the web.
What is SSL/TLS?
From the the PCI Security Standards Blog:
“Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure communications channel between two systems. It is used to authenticate one or both systems, and protect the confidentiality and integrity of information that passes between systems.”
Basically, in FireText terms when you access the web app or API with out-dated browsers or code libraries such as OpenSSL, then the protocol they use to communicate is out-dated too and potentially open to some vulnerabilities.
What can I do?
Generally, the vast-majority of our customers are perfectly ok! Most web browsers have supported TLS 1.2 for several years.
The following browsers DO NOT support TLS 1.2 and it’s best to upgrade:
- Google Chrome 29
- Firefox 26
- Internet Explorer 10
- Safari 8
- iOS 4
- Android 4
If you’re using newer versions, then you’ll be good.
If using the API, you may need to check your connection and you can use a handy tool such as: https://www.howsmyssl.com/s/api.html
Each language and library is different, but here are the popular ones that may be of concern.
These languages will need significant changes/upgrades in order to work:
- Java 6u45 / 7u45
- .NET before 4.5 (does not support TLS 1.2)
- .NET 4.5 (must have setting changed to explicitly enable TLS 1.2)
Note: Languages such as Ruby, PHP, & Python rely on the underlying operating system’s ssl version, such as:
- OpenSSL 0.9.8
- NSS 3.19
Many of our API customers also use the Curl library to make requests, so we recommend also updating this to allow the use of more recent versions of TLS by default.
The date which we’ll be no longer be supporting TLS v1 is 30th November 2016