What is TLS and how does it affect you?
Many of you have probably received an email from Authorize.net, PayPal or other third party providers recently talking about disabling TLS 1.0 and 1.1 in the coming months. You may also have had to deal with TLS in your monthly PCI compliance scans. In this article I’ll cover what TLS is, what the security issues are, and how you can deal with the multitude of issues it causes.
What is TLS?
First, let’s talk about what TLS actually is and what it does. If you want the full technical explanation, Wikipedia covers it well. To summarize, TLS (short for Transport Layer Security) is a cryptographic protocol used to establish a secure communications channel between two systems. It is used to authenticate one or both systems, and to protect the confidentiality and integrity of the information that passes between them. For example, if a customer processes a transaction through Authorize.net on your web site, TLS would likely be used to encrypt that communication.
There are three versions of TLS in use today: 1.0, 1.1 and 1.2. Only 1.2 is considered secure; 1.0 and 1.1 are both considered insecure. TLS 1.3 will be available soon, and will hopefully be a huge improvement in both security and speed.
What are the security issues with TLS?
There have been quite a few attacks against TLS 1.0 and 1.1, most notably the POODLE attack from back in 2014. Essentially, hackers have figured out where the weaknesses are in 1.0 and 1.1 and will continue to exploit them. And if the security protocol used to pass sensitive data back and forth is compromised, that means your client data can be compromised. You definitely don’t want that!
Why can’t TLS 1.0 and 1.1 just be disabled?
This is the major issue with TLS, and why it gives me so many headaches! Older browsers like Internet Explorer 10 have TLS 1.2 support disabled by default. Even older versions of Internet Explorer (7, 6) don’t have support for it at all. So if one of your customers tries to check out with one of those browsers and only TLS 1.2 is enabled, they simply won’t be able to communicate with the server.
Who the heck uses such an old browser you ask? You’d be surprised. Many companies don’t upgrade their operating systems due to legacy software that isn’t compatible with the new versions, so their employees are stuck using an old version of IE. It is more of a problem than you may think. Trust me when I tell you that you DO NOT want to walk a technically challenged customer through the steps required to enable TLS 1.2 in their browser!
In addition to browsers, there are some email clients, such as older versions of Microsoft Outlook, that will not be able to connect to your server without TLS 1.0 and 1.1. Unlike browsers, Outlook upgrades are not free, so many people have REALLY old versions of Microsoft Outlook as their primary email client.
Here are the current deadlines for upgrading to TLS 1.2. After these dates, TLS 1.0 and 1.1 connections will be refused (i.e. your orders will stop processing):
PayPal – June 2017
Authorize.net – Sept 18, 2017
PCI Compliance – June 2018
What you need to do
If you are on a hosted platform like Spark Pay or Shopify, you are in the clear as they have already enabled TLS 1.2. However, if you are on a self-hosted platform like Pinnacle Cart, Magento or X-Cart, there are a few things that you will need to do.
First, you’ll need to make sure your hosting company has TLS 1.2 enabled on your server. Most PCI compliant hosts will already have this in place, but there are some who will require you to move to a new server. This should be something they do for you for free, as PCI compliance is pretty much required these days. So fight them on it if they give you any grief.
Next, you will need to file a risk mitigation plan with your PCI scanning company, as your scans will always fail if you have TLS 1.0 or 1.1 enabled. Here is a template we put together for Trustwave, which they will accept, passing your scans until TLS 1.0 and 1.1 can be disabled on your server. Just put it on your company letterhead, fill in your company name and scan vendor, and you should be good to go. You’ll likely have to do this for EVERY scan, as Trustwave doesn’t seem to keep it on file for future scans. You may also get someone at Trustwave who won’t accept the mitigation plan. If that happens, ask to talk to their manager, as the person you reached likely has no idea what a risk mitigation plan even is.
If you have your own server and are confident your customers aren’t using old browsers, you can have your host disable TLS 1.0 and 1.1 immediately and get rid of the issue for good! Just make sure that your email client supports TLS 1.2 or you won’t be able to retrieve your email.
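Before you rely on your host’s word that TLS 1.2 is on (or that 1.0 and 1.1 are off), you can check for yourself. The script below is an added example, not something from this post or from any of the vendors named above: it tries one TLS version at a time against your server and then tells you what that means for the deadlines discussed here. The host name on the last line is a placeholder; on newer OpenSSL builds the legacy versions need the security level lowered just to be offered at all, which the script does for the probe only.

```python
"""Probe which TLS versions a server will negotiate and judge the result."""
import socket
import ssl
import warnings

# Human-readable name -> ssl.TLSVersion constant for each version we test.
VERSIONS = {
    "TLS 1.0": ssl.TLSVersion.TLSv1,
    "TLS 1.1": ssl.TLSVersion.TLSv1_1,
    "TLS 1.2": ssl.TLSVersion.TLSv1_2,
    "TLS 1.3": ssl.TLSVersion.TLSv1_3,
}

def context_for(version):
    """Client context pinned to exactly one protocol version.
    Certificate checks are off on purpose: we only want to learn whether
    the server agrees to this version, not whether its certificate is valid."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():          # TLS 1.0/1.1 are deprecated in Python
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:     # OpenSSL 3 refuses 1.0/1.1 above seclevel 0
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    return ctx

def probe(host, port=443, timeout=5.0):
    """Return {version name: True if the server accepted it, else False}."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            ctx = context_for(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[name] = tls.version() is not None
        except (ssl.SSLError, OSError):      # handshake refused or unreachable
            results[name] = False
    return results

def assess(results):
    """Turn probe results into the findings a merchant needs to act on."""
    findings = []
    if not results.get("TLS 1.2"):
        findings.append("TLS 1.2 is NOT enabled: payment gateways will refuse connections after their deadlines")
    for old in ("TLS 1.0", "TLS 1.1"):
        if results.get(old):
            findings.append(old + " still enabled: PCI scans will fail until it is disabled or a mitigation plan is filed")
    return findings or ["Only TLS 1.2 and newer are enabled: nothing to do"]

if __name__ == "__main__":
    print("\n".join(assess(probe("shop.example.com"))))  # placeholder host
```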
Hosted with us? Not to worry, we added support for TLS 1.2 over a year ago, so your Authorize.net account will continue to work as it always has! We will HAVE to disable TLS 1.0 and 1.1 in 2018, but we will be leaving it in place for now.
Questions? PCI Compliance issues? Completely lost? Contact us!