6.4. Security Management

SOC2 type 2

Babelway has put in place an Information Security Management System (ISMS) compliant with ISO27001 guidelines. Babelway’s policy regarding security can be consulted online at http://www.babelway.com/security-policy. The system ensures processes are in place to meet the policy’s objectives.

Babelway has complied with the SOC2 Type 2 standard since 2013 and is audited yearly by KPMG (formerly by Deloitte).

TLS 1.0 decommissioning plan

Babelway takes the protection of customers' data very seriously. To maintain the highest security standards and promote good security practices, Babelway occasionally needs to make security improvements and deprecate older encryption protocols. Below is our plan to remove support for TLS 1.0 and TLS 1.1 and make TLS 1.2 the default encryption protocol.

TLS (Transport Layer Security) is a cryptographic protocol used to establish a secure communication channel between two systems. Babelway uses it to secure access to the SelfService application and for the gateways that use HTTP as their underlying protocol. See https://en.wikipedia.org/wiki/Transport_Layer_Security.

The plan is aligned with the TLS 1.0 sunset requirement for PCI-DSS compliance:

  • Phase 1: As of July 15, 2017, Babelway will support TLS 1.2 in addition to TLS 1.1 and TLS 1.0 on the SelfService application and the Babelway API on www.babelway.net, as well as on all gateways using TLS-based protocols, including AS2, PEPPOL, HTTP, SOAP, REST, FTPS and OFTP2.

  • Phase 2: As of January 1, 2018, Babelway will no longer support TLS 1.0 over HTTPS on the SelfService application and the Babelway API on www.babelway.net. Older browsers or API clients that do not support TLS 1.1 or TLS 1.2 will no longer work. The minimum browser versions are Google Chrome 22 (June 2012), Firefox 23 (August 2013) and Internet Explorer 11 (June 2013).

    To test your implementation, you are welcome to use external tools such as https://www.howsmyssl.com/.

  • Phase 3: As of July 1, 2018, Babelway will no longer support TLS 1.0 and TLS 1.1 on any gateway using TLS-based protocols, including AS2, PEPPOL, HTTP, SOAP, REST, FTPS and OFTP2. Client applications that do not support TLS 1.2 will no longer work.

    Below, please find the list of supported cipher suites:

    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_256_CBC_SHA256

    Babelway will also update the restrictions on the algorithms allowed during TLS handshaking and certification path processing.

    The following algorithms will be disabled for TLS handshaking:

    • SSLv3
    • TLSv1
    • TLSv1.1
    • RC4
    • MD5withRSA
    • DH with key size < 1024
    • EC with key size < 224
    • DES40 CBC
    • RC4 40

    The following algorithms must not be used during certification path processing:

    • MD2
    • MD5
    • RSA with key size < 1024
    • DSA with key size < 1024
    • EC with key size < 224

    This means that no signature algorithm involving MD2 or MD5 will be used to verify a certificate, and that certificates with an RSA or DSA key shorter than 1024 bits, or an EC key shorter than 224 bits, are restricted.
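As an added illustration (this is not Babelway's code), the Python script below encodes the Phase 3 rules above as a checker that a customer can run over the parameters of a session their own client negotiated, before the cut-off date, to see which rule it would break. The `Handshake` and `Certificate` structures and their field names are assumptions made for this example, the sample sessions are constructed, and the only real API used is the standard-library `ssl` module, which supplies a client context pinned to TLS 1.2 as the minimum version.

```python
"""Check a negotiated TLS session against the Phase 3 rules listed above."""
import ssl
from dataclasses import dataclass, field
from typing import List, Optional

# Cipher suites listed on this page as supported after Phase 3.
SUPPORTED_SUITES = frozenset({
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
})

# Protocol versions and key-size floors from the two algorithm lists above.
DISABLED_PROTOCOLS = frozenset({"SSLv3", "TLSv1", "TLSv1.1"})
MIN_DH_BITS = 1024        # DH with key size < 1024 is disabled
MIN_EC_BITS = 224         # EC with key size < 224 is disabled / restricted
MIN_RSA_DSA_BITS = 1024   # RSA/DSA certificate keys < 1024 are restricted
REQUIRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2


@dataclass
class Certificate:
    """One certificate of the presented chain (assumed, simplified field set)."""
    subject: str
    signature_algorithm: str   # e.g. "SHA256withRSA", "MD5withRSA"
    key_type: str              # "RSA", "DSA" or "EC"
    key_bits: int


@dataclass
class Handshake:
    """Parameters of one negotiated session, as a gateway log might record them (assumed layout)."""
    protocol: str                    # e.g. "TLSv1.2"
    cipher_suite: str                # IANA name, e.g. "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256"
    kex_type: Optional[str] = None   # "DH" or "EC" for ephemeral exchange, None for RSA key transport
    kex_bits: Optional[int] = None   # group / key size used in the key exchange
    chain: List[Certificate] = field(default_factory=list)


def check_certificate(cert: Certificate) -> List[str]:
    """Apply the certification-path rules to a single certificate."""
    problems = []
    sig = cert.signature_algorithm.upper()
    if "MD2" in sig or "MD5" in sig:
        problems.append(f"{cert.subject}: signature algorithm {cert.signature_algorithm} is rejected")
    key = cert.key_type.upper()
    if key in ("RSA", "DSA") and cert.key_bits < MIN_RSA_DSA_BITS:
        problems.append(f"{cert.subject}: {key} key of {cert.key_bits} bits is below {MIN_RSA_DSA_BITS}")
    if key == "EC" and cert.key_bits < MIN_EC_BITS:
        problems.append(f"{cert.subject}: EC key of {cert.key_bits} bits is below {MIN_EC_BITS}")
    return problems


def check_handshake(hs: Handshake) -> List[str]:
    """Return every rule the session breaks; an empty list means it survives Phase 3."""
    problems = []
    if hs.protocol in DISABLED_PROTOCOLS:
        problems.append(f"protocol {hs.protocol} is disabled; TLSv1.2 is required")
    if hs.cipher_suite not in SUPPORTED_SUITES:
        problems.append(f"cipher suite {hs.cipher_suite} is not in the supported list")
    if hs.kex_type == "DH" and hs.kex_bits is not None and hs.kex_bits < MIN_DH_BITS:
        problems.append(f"DH key exchange of {hs.kex_bits} bits is below {MIN_DH_BITS}")
    if hs.kex_type == "EC" and hs.kex_bits is not None and hs.kex_bits < MIN_EC_BITS:
        problems.append(f"EC key exchange of {hs.kex_bits} bits is below {MIN_EC_BITS}")
    for cert in hs.chain:
        problems.extend(check_certificate(cert))
    return problems


def phase3_client_context() -> ssl.SSLContext:
    """Client SSLContext that refuses TLS 1.0/1.1, so a test connection fails
    the same way the Phase 3 gateways will if the peer cannot do TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = REQUIRED_MIN_VERSION
    return ctx


# Constructed sample sessions (not real Babelway traffic).
GOOD = Handshake(
    protocol="TLSv1.2",
    cipher_suite="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    kex_type="EC", kex_bits=256,
    chain=[Certificate("CN=gateway.example", "SHA256withRSA", "RSA", 2048)],
)
BAD = Handshake(
    protocol="TLSv1",
    cipher_suite="TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    kex_type="DH", kex_bits=768,
    chain=[
        Certificate("CN=legacy.example", "MD5withRSA", "RSA", 1024),
        Certificate("CN=Old Root", "SHA1withRSA", "RSA", 512),
    ],
)

if __name__ == "__main__":
    for name, hs in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_handshake(hs) or "OK")
```

The `BAD` session trips five rules (disabled protocol, unsupported suite, weak DH group, MD5 certificate signature and a 512-bit key), while `GOOD` passes cleanly. The context returned by `phase3_client_context()` can be passed to `http.client.HTTPSConnection(host, context=ctx)` to confirm from the client side that an endpoint still answers once TLS 1.0 and 1.1 are refused, complementing the external check suggested in Phase 2.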

If you have any questions, please don’t hesitate to contact support@babelway.net.