SSL/TLS Protocol Support
TLS 1.2 to become the minimum TLS protocol level for all API endpoints
TLS: Transport Layer Security
TLS (Transport Layer Security) is the widely used cryptographic protocol that underlies HTTPS encryption and provides secure communication channels over the internet. Like its predecessor SSL (Secure Sockets Layer), it is primarily designed to enable reliable, authenticated, and secure communication between the client and the server.
Here's how TLS works:
- Certificate Authorities (CAs): Certificate Authorities are entities responsible for issuing digital certificates that validate the ownership of public keys by legitimate organisations. CAs ensure the authenticity and trustworthiness of server certificates, thereby establishing trust in the TLS connection.
- TLS Handshake: The TLS handshake is a series of steps where the client and server negotiate the parameters of their secure connection and exchange cryptographic keys. This process involves verifying server certificates, generating and exchanging session keys, and establishing encrypted communication channels.
HTTPS Secure Communication
HTTPS is an extension of HTTP, the protocol used for transmitting data over the internet. Unlike plain HTTP, HTTPS encrypts the data exchanged between your device and our servers, adding an extra layer of security. Here's why HTTPS is essential:
- Data Confidentiality: With HTTPS, all data transmitted between your browser/device and our servers is encrypted, preventing unauthorised parties from eavesdropping on your communications.
- Data Integrity: HTTPS ensures that the data exchanged between your device and our servers remains intact and unaltered during transmission. This protects against data tampering and manipulation by malicious actors.
- Authentication: HTTPS uses digital certificates to verify the authenticity of our servers, ensuring that you are connecting to the legitimate platform and not a malicious imposter.
Importance for all Customers
It is imperative to prioritise the use of HTTPS and TLS for the following reasons:
- Data Protection: HTTPS and TLS encryption ensure the security and confidentiality of your data transmissions, protecting sensitive information from unauthorised access and interception.
- Trust and Compliance: By utilising HTTPS and TLS, you demonstrate a commitment to data security and compliance with regulatory standards, enhancing trust and mitigating the risk of non-compliance.
- Modern Standards: TLS 1.0 and TLS 1.1 no longer meet modern encryption and privacy standards. By migrating to TLS 1.2 or higher, you ensure that your communications are secured using the latest cryptographic protocols.
Older TLS Versions
The wider technical community has determined that TLS 1.0 and TLS 1.1 no longer meet modern standards for encryption and privacy. We aim to provide these protections to all of our customers.
In light of this, we will no longer support TLS 1.0 and TLS 1.1 in the near future.
What actions need to be taken?
To ensure a smooth transition, we kindly request your cooperation in making the following updates:
- Update to HTTPS: Please update all the URLs used to access our API endpoints from HTTP to HTTPS. This simple change will ensure that your communications are encrypted and secure.
- Support for TLS 1.2 or higher: Please work with your IT, Security, and Engineering teams to ensure your production environment is properly configured to support TLS 1.2 or higher.
- Operating System Update: We recommend ensuring that your servers are running on the latest version of your chosen operating system (Linux or Windows) and that all security patches are up to date. This will help mitigate any potential security vulnerabilities and ensure optimal performance.
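One way to check the first two actions from a Python client is sketched below. It is an added example, not code from this platform or its documentation. The host api.example.com, the sample URLs and all function names are assumptions made for illustration.

```python
import socket
import ssl
from urllib.parse import urlsplit

def make_tls12_context():
    """Client context that verifies certificates and refuses TLS 1.0/1.1."""
    ctx = ssl.create_default_context()  # certificate and hostname checks enabled
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def runtime_report():
    """Report what the SSL library linked into this Python runtime supports."""
    return {
        "library": ssl.OPENSSL_VERSION,
        "tls1_2": ssl.HAS_TLSv1_2,
        "tls1_3": ssl.HAS_TLSv1_3,
    }

def insecure_urls(urls):
    """Return the configured endpoint URLs that do not use HTTPS."""
    return [u for u in urls if urlsplit(u).scheme.lower() != "https"]

def negotiated_version(host, port=443, timeout=5.0):
    """Connect with the hardened context and return the agreed protocol,
    for example 'TLSv1.2' or 'TLSv1.3'. Needs network access; raises
    ssl.SSLError when no TLS 1.2+ session can be negotiated."""
    ctx = make_tls12_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()

# Constructed sample configuration; api.example.com is a placeholder host.
SAMPLE_URLS = [
    "http://api.example.com/v1/orders",
    "https://api.example.com/v1/customers",
    "HTTP://api.example.com/v1/status",
]

if __name__ == "__main__":
    print(runtime_report())
    print("URLs still to migrate:", insecure_urls(SAMPLE_URLS))
```

Calling negotiated_version() against your real API host from the production environment shows which protocol version that environment actually negotiates.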
Troubleshooting - Components to check:
There are several layers of your infrastructure to check.
- Operating System SSL library
- Application server security components
- Network proxy
- Firewall
Often, you only need to upgrade your operating system's SSL libraries. However, you may also need to update the underlying dependencies of your HTTP client or helper library.
Because every software system is different, you will need to consult with your internal teams to understand the best approach for upgrading your system. We hope the above list provides a good starting point.
Updated 8 months ago