TLS and Deprecation


TLS v1.0 and 1.1 Deprecation

At Konnektive, being a PCI Certified Service Provider, we take the protection of our customers' data very seriously. To ensure the highest security standards and promote the safety of your data, we are making security improvements and retiring older encryption protocols. To maintain alignment with these best practices and updated compliance requirements from the PCI Security Standards Council (PCI SSC), Konnektive will discontinue support for TLS version 1.0 and 1.1 to our application and API effective June 30, 2018.


Notice: According to our audit of current merchant connections, you are still using version 1.0 or 1.1, and action must be taken on your part to upgrade. Failure to upgrade by June 30, 2018 will result in these connections failing to connect to our servers.





WHAT IS TLS?


SSL/TLS encrypts a channel between two endpoints to provide privacy and reliability of data transmitted over the communications channel. You will often hear it simply referred to as "SSL". It is used by your browsers to securely connect to the Konnektive dashboard and also used by your server to send information to our API.

WHY YOU MUST UPGRADE TO TLS 1.2 OR ABOVE

While the PCI SSC postponed the migration completion date to June 30, 2018 for transitioning from TLS 1.0 and 1.1, Konnektive is still recommending to our customers that they update to version 1.2 or above as soon as possible as it is more secure.

  • Maintain integrity and authenticity of data.
  • The vulnerabilities within SSL and TLS 1.0 and 1.1 are serious and, if left unaddressed, put organizations at risk of being breached. An attacker could perform a man-in-the-middle attack and passively observe the contents of the messages or spoof their own messages. The existence of the POODLE and Heartbleed exploits, among others, proves that anyone using SSL and early TLS risks being breached.
  • New installations are not part of the revised compliance date and still need to be TLS 1.2 or above.

WHAT ARE THE RISKS?

Failure to upgrade connections would potentially risk the integrity and the authenticity of the data being sent between the merchant and Konnektive. An attacker could perform a man-in-the-middle attack and passively observe the contents of the messages or spoof their own messages. Since Konnektive is shutting down support, failure to upgrade will result in your connections being terminated.

WHERE CAN I LEARN MORE?

If you are interested in learning more, we suggest reading the document "Migrating from SSL Early TLS Info.pdf" from the PCI Security Standards Council.

HOW CAN I FIX THIS PROBLEM AND VERIFY THE SOLUTION?

When you open a secure connection, a protocol version must first be agreed upon by both the server and the client. Unless configured to do so otherwise, the server and the client will pick the best options that they both support according to the preference of the server. It's best to let this negotiation happen automatically so you can be sure that you are always using the best protocol specified by our server.

If you are one of the merchants affected, it is because your client is refusing to negotiate a protocol version above 1.1. The reason this is happening will fall into one of three categories:

  • You are using an old version of a Konnektive library that is forcing a TLS 1.0 or 1.1 connection.
  • You have added configuration to force 1.0 or 1.1 for one of our libraries, you have patched our library to force 1.0 or 1.1, or your own custom client is incorrectly configured.
  • Everything is properly configured at the application level, but your runtime environment does not support versions above 1.1.
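The following script is an added example for this article; it is not Konnektive code and does not use any Konnektive library. It assumes only the Python standard library (ssl, socket). It shows the negotiation described above from the client side: a context that sets TLS 1.2 as the floor and leaves the ceiling to the server, a classifier that maps a client's configured version bounds onto the three categories listed above, and a probe that connects to a host and reports the version actually agreed. The host name on the command line is a placeholder you supply; no real endpoint is assumed.

```python
"""Client-side TLS version audit.

Added example for this article; not Konnektive code and not a Konnektive library.
Assumes only the Python standard library (ssl, socket).
"""
import socket
import ssl
import sys

# Versions a server following the PCI SSC guidance will no longer negotiate.
LEGACY_VERSIONS = (
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
)


def _as_version(v):
    """Accept either an ssl.TLSVersion member or its name (e.g. "TLSv1_1")."""
    return ssl.TLSVersion[v] if isinstance(v, str) else ssl.TLSVersion(v)


def classify_client(min_version, max_version, runtime_has_tls12=ssl.HAS_TLSv1_2):
    """Map a client's version bounds onto the three causes listed in the article.

    Returns one of:
      "runtime-too-old"  the runtime cannot speak TLS 1.2 at all (category 3)
      "forced-legacy"    the client caps negotiation at 1.1 or lower (categories 1 and 2)
      "legacy-allowed"   1.2+ will be negotiated, but 1.0/1.1 are still offered
      "ok"               floor is 1.2 or higher and the ceiling is left to negotiation
    """
    lo, hi = _as_version(min_version), _as_version(max_version)
    if not runtime_has_tls12:
        return "runtime-too-old"
    if hi in LEGACY_VERSIONS:
        return "forced-legacy"
    if lo == ssl.TLSVersion.MINIMUM_SUPPORTED or lo in LEGACY_VERSIONS:
        return "legacy-allowed"
    return "ok"


def audit_context(ctx):
    """Classify an existing ssl.SSLContext by its configured version bounds."""
    return classify_client(ctx.minimum_version, ctx.maximum_version)


def modern_client_context():
    """Client context with TLS 1.2 as the floor and the ceiling left to negotiation."""
    ctx = ssl.create_default_context()  # also verifies the server certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # maximum_version stays MAXIMUM_SUPPORTED, so the server's preference
    # (TLS 1.3 where both sides support it) decides the final version.
    return ctx


def negotiated_version(host, port=443, ctx=None, timeout=5.0):
    """Connect to host:port and return the protocol actually agreed, e.g. "TLSv1.2".

    Raises ssl.SSLError when client and server share no acceptable version,
    which is exactly the connection failure the article describes.
    """
    ctx = ctx or modern_client_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print("runtime supports TLS 1.2:", ssl.HAS_TLSv1_2, "| OpenSSL:", ssl.OPENSSL_VERSION)
    print("this client's configuration:", audit_context(modern_client_context()))
    if len(sys.argv) > 1:  # optional probe: python tls_check.py <your-api-host> (placeholder)
        print("negotiated with", sys.argv[1] + ":", negotiated_version(sys.argv[1]))
```

Run it with no arguments to check the runtime and the context (category 3 shows up as HAS_TLSv1_2 being False); pass a host name to see the version the server actually picks. A client whose audit result is "forced-legacy" is the configuration the article tells you to remove: delete the setting or patch that pins the maximum version and let the server's preference win.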





This article was last modified: April 23, 2018, 4:30 p.m.