TLS 1.0 Support removal

Update, 7/5/17: TLS 1.0 is no longer supported by Finalsite.

Following recommendations from the PCI Standards Security Council (a group of credit card industry organizations which cooperate to establish standards for things like online payments), Finalsite will no longer support TLS 1.0 encryption after July 1, 2017.

What is TLS 1.0, and why should I care about it?

TLS 1.0 is an encryption protocol, which is a way to keep network communications (such as web traffic, emails, form responses, text messages - anything that can be sent via the internet) private so that only the sender and the receiver can read it. TLS 1.0 is one method of performing encryption, but it has been supplanted by newer methods, creatively named TLS 1.1 and TLS 1.2. 

Sounds great. So what's wrong with it?

TLS 1.0 is, under certain conditions, vulnerable to technical exploits that can leak data that should otherwise be unavailable. As a result, the PCI SSC has determined that TLS 1.0 be completely deprecated no later than September, 2017 (Edit: this has since been pushed back to June 30, 2018). TLS 1.1 and TLS 1.2 are built around different, more modern encryption techniques which are not vulnerable to those exploits.

TLS 1.0 has been in use since 1999. TLS 1.1 arrived in 2006, and 1.2 came on the scene in 2008. This means that any browser made in the last 10 years already supports the secure TLS 1.1 and 1.2 protocols.

Only browsers that were released almost 20 years ago, and which have not been updated since, are still stuck using TLS 1.0. This is a vanishingly small proportion of site users, and this change is not expected to have an impact on site availability. TLS 1.0 has been out of use since it was shown to be less than totally secure; this update only makes that official by removing the capability to use TLS 1.0 from modern browsers.

What about TLS 1.1?

TLS 1.1 is still accepted under the PCI SSC specification, and so Finalsite will continue to support it.

Out of what is probably an abundance of caution, some payment gateways such as Authorize.net will discontinue support for TLS 1.1 at the same time as they discontinue TLS 1.0. Because modern browsers are already using TLS 1.2 by default, deprecating any standard below 1.2 should not have a significant impact on most users.

What do I have to do?

Nothing. Encryption protocols are handled by servers, not by websites, so Finalsite will handle this as part of our standard server maintenance.

If you'd like to confirm the possible impact of this change on your organization (or lack thereof), you can start by doing a web (Google) search for "tls 1.0 deactivation test."  This should present a number of websites that can test whether your organizations' browsers will be supported after this update.  Here's one we found that was built by Salesforce.com: https://tls1test.salesforce.com/s/

If your browser passes the test, you should see a webpage similar to this: http://fnlst.com/TUCz.  If your browser displays an error page, we recommend that you upgrade to the latest version of the browser and try the test again.

Does this impact my content that's shared on other sites?

It's very unlikely (in other words, "definitely probably not!") 

Encryption protocols on a site are handled by whoever manages the servers rather than the website itself. Generally speaking these are large organizations with numerous clients, and they are going to remain on top of important issues such as this. And again TLS 1.0 is so old in internet terms, and replacements have been available for so long, that this issue is more administrative than practical in nature and is not expected to have any major impact on the vast majority of web users, regardless of which sites they visit.

 

 

Was this article helpful?
1 out of 1 found this helpful
Have more questions? Submit a request

Comments

0 comments

Please Sign in to leave a comment if you don't see the comment box below.