Many of you have probably received an email from Authorize.net, PayPal or other third party providers recently talking about disabling TLS 1.0 and 1.1. You may also have had to deal with TLS in your monthly PCI compliance scans. In this article I’ll cover what TLS is, what the security issues are, and how you can deal with the multitude of issues it causes.
What is TLS?
First, let’s talk about what TLS actually is and what it does. If you want the full technical explanation, Wikipedia covers it well. To summarize, TLS (short for Transport Layer Security) is a cryptographic protocol used to establish a secure communications channel between two systems. It is used to authenticate one or both systems, and to protect the confidentiality and integrity of the information that passes between them. For example, if a customer processes a transaction through Authorize.net on your web site, TLS would likely be used to encrypt that communication.
There are three versions of TLS in use – 1.0, 1.1 and 1.2 – and only 1.2 is still considered secure. TLS 1.3 will be available soon, and will hopefully be a huge improvement in both security and speed.
What are the security issues with TLS?
There have been quite a few attacks against TLS 1.0 and 1.1, most notably the POODLE attack from back in 2014. Essentially, attackers have figured out what the weaknesses are in 1.0 and 1.1 and will continue to exploit them. And if the security protocol used to pass sensitive data back and forth is compromised, that means your client data can be compromised. You definitely don’t want that!
Why can’t TLS 1.0 and 1.1 just be disabled?
This is the major issue with TLS, and why it gives me so many headaches! Older browsers like Internet Explorer 10 have TLS 1.2 support disabled by default. Even older versions of Internet Explorer (7, 6) don’t have support for it at all. So if one of your customers tries to check out with one of those browsers and only TLS 1.2 is enabled, they simply won’t be able to communicate with the server. Here are the browsers that do not support TLS 1.2:
- Chrome version 29 and below
- Firefox version 26 and below
- Internet Explorer version 10 and below
- Safari 6 and below
Who the heck uses such an old browser you ask? You’d be surprised. Many companies don’t upgrade their operating systems due to legacy software that isn’t compatible with the new versions, so their employees are stuck using an old version of IE. It is more of a problem than you may think. Trust me when I tell you that you DO NOT want to walk a technically challenged customer through the steps required to enable TLS 1.2 in their browser!
In addition to browsers, there are some email clients that will not be able to connect to your server without TLS 1.0 and 1.1, such as older versions of Microsoft Outlook. Unlike browsers, Outlook upgrades are not free, so many people have REALLY old versions of Microsoft Outlook as their primary email client.
Deadlines for Upgrading
June 2018 is the absolute drop-dead date for upgrading everything to TLS 1.2. Authorize.net and PayPal have already required that their connections be via TLS 1.2, and now PCI compliance scans will automatically fail if they detect TLS 1.0 or 1.1 on your server.
What you need to do
If you are on a hosted platform like Spark Pay or Shopify, you are in the clear as they have already enabled TLS 1.2. However, if you are on a self-hosted platform like Pinnacle Cart, Magento or X-Cart, there are a few things that you will need to do.
First, you’ll need to make sure your hosting company has TLS 1.2 enabled on your server. Most PCI compliant hosts will already have this in place, but there are some who will require you to move to a new server. This should be something they do for you for free, as PCI compliance is pretty much required these days. So fight them on it if they give you any grief.
If you have your own server and are confident your customers aren’t using old browsers, you can have your host disable TLS 1.0 and 1.1 immediately and get rid of the issue for good! Just make sure that your email client supports TLS 1.2 or you won’t be able to retrieve your email. You can also just disable TLS 1.0 and 1.1 for web traffic and allow your older email clients to still use them. That will allow your scan to pass, but still let you get your email until you are able to upgrade your email client.
If your Google Analytics data is telling you that a good portion of your visitors are using older browsers, it is fairly easy to write a script to detect them, and give them a pop-up warning that they need to upgrade their browser in order to shop on your site. We’ve built this for Pinnacle Cart, so contact us if you are interested in adding it to your cart.
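Here is what such a warning script can look like, written as an added example rather than the Pinnacle Cart code mentioned above. The version thresholds are the ones from the browser list earlier in this article; the user-agent patterns, function names and sample user-agent strings are my own assumptions.

```javascript
// First version of each browser family that supports TLS 1.2 (from the list above).
const TLS12_MIN_VERSION = { chrome: 30, firefox: 27, ie: 11, safari: 7 };

// Returns { browser, version } for the four families above, or null if unknown.
// Order matters: Chrome (and Chromium-based Edge/Opera) UAs also contain "Safari/",
// and IE 11 dropped the "MSIE" token in favour of "Trident/... rv:11.0".
function parseBrowser(ua) {
  let m;
  if ((m = /Chrome\/(\d+)/.exec(ua))) return { browser: 'chrome', version: +m[1] };
  if ((m = /Firefox\/(\d+)/.exec(ua))) return { browser: 'firefox', version: +m[1] };
  if ((m = /MSIE (\d+)/.exec(ua))) return { browser: 'ie', version: +m[1] };
  if ((m = /Trident\/.*rv:(\d+)/.exec(ua))) return { browser: 'ie', version: +m[1] };
  if (/Safari\//.test(ua) && (m = /Version\/(\d+)/.exec(ua))) {
    return { browser: 'safari', version: +m[1] };
  }
  return null;
}

// True when the browser is a listed family below its first TLS 1.2 version.
// Unknown browsers are not flagged: a false warning would turn away a customer
// who can actually check out.
function lacksTls12(ua) {
  const b = parseBrowser(ua);
  return b !== null && b.version < TLS12_MIN_VERSION[b.browser];
}

// Browser-side usage: warn before the shopper reaches checkout.
function warnIfOutdated() {
  if (typeof navigator === 'undefined') return false; // not running in a browser
  if (!lacksTls12(navigator.userAgent)) return false;
  window.alert('Your browser cannot connect securely (TLS 1.2). Please upgrade it to shop on this site.');
  return true;
}

// Constructed sample user agents for a quick self-check (not captured from real visitors).
const SAMPLE_UAS = {
  ie8: 'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)',
  ie11: 'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',
  chrome29: 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/29.0.1547.66 Safari/537.36',
  safari6: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1',
  firefox60: 'Mozilla/5.0 (Windows NT 10.0; rv:60.0) Gecko/20100101 Firefox/60.0',
};
```

Call warnIfOutdated() early in the page load; a user agent string is self-reported, so treat this as a courtesy to the customer, not as a substitute for enabling TLS 1.2 on the server.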
Hosted with us? Not to worry, we added support for TLS 1.2 over a year ago, so your Authorize.net account will continue to work as it always has! We also disabled TLS 1.0 and 1.1 earlier this month, so your PCI scan will pass with flying colors!
Need a New Host?
Is your host dropping the ball? We can move your site to our servers and handle all of this fun stuff for you. There is no charge for the move, and our hosting plans are only $40/month. Check out the details over here.
Questions? PCI Compliance issues? Completely lost? Contact us!