TLS Security Changes

As of July 1st, 2018, Babelway no longer supports the TLSv1 or TLSv1.1 security protocols. This is in compliance with our PCI DSS and RFC 7525 requirements.

What is TLS?

Transport Layer Security (TLS) is a security protocol for web browsers and other applications that exchange data over a network.

How does this affect you?

There are various ways TLS 1.0 and 1.1 can be used in your interaction with Babelway. Whether you can still access the self-service platform depends on the browser you are using. The browsers supporting TLS 1.2 (which remains usable after the 1.0 and 1.1 decommissioning) are:

  • Microsoft Windows 10 using Microsoft Edge, Internet Explorer 11, Firefox, or Chrome
  • Microsoft Windows 8 using Internet Explorer 11 or later, Firefox, or Chrome
  • Mac OS X v10.9 or later using Safari 7 or later, Firefox, or Chrome

Below is the detailed plan Babelway followed to execute the TLS 1.0 and TLS 1.1 decommissioning.

If you have any questions, please don’t hesitate to ask us at support@babelway.com

TLS 1.0 decommissioning plan

Babelway takes the protection of customers’ data very seriously. In order to maintain the highest security standards and promote good security practices, Babelway occasionally needs to make security improvements and deprecate older encryption protocols. Here is our plan to remove support for TLS 1.0 and TLS 1.1 and make TLS 1.2 the default encryption protocol.

TLS (Transport Layer Security) is a cryptographic protocol used to establish a secure communication channel between two systems. Babelway uses it for access to the SelfService application as well as for the gateways that use HTTP as their underlying protocol; see https://en.wikipedia.org/wiki/Transport_Layer_Security.

The plan is aligned with the TLS 1.0 sunset requirement for PCI-DSS compliance:

  • Phase 1: As of July 15, 2017, Babelway will support TLS 1.2 in addition to TLS 1.1 and TLS 1.0 on the SelfService application and Babelway API on www.babelway.net, as well as for all gateways that use TLS, including AS2, PEPPOL, HTTP, SOAP, REST, FTPS and OFTP2.
  • Phase 2: As of January 1, 2018, Babelway will no longer support TLS 1.0 over HTTPS on the SelfService application and Babelway API on www.babelway.net. Any older browser or API client that does not support TLS 1.1 or TLS 1.2 will no longer work. The minimum browser versions are Google Chrome 22 (June 2012), Firefox 23 (August 2013) and Internet Explorer 11 (June 2013). In order to test your implementation, you are welcome to use external tools such as https://www.howsmyssl.com/.
  • Phase 3: As of July 1, 2018, Babelway will no longer support TLS 1.0 and TLS 1.1 for all gateways that use TLS, including AS2, PEPPOL, HTTP, SOAP, REST, FTPS and OFTP2. Any client application not supporting TLS 1.2 will no longer work. Below, please find the list of supported cipher suites:
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
    • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
    • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
    • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
    • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
    • TLS_RSA_WITH_AES_128_CBC_SHA
    • TLS_RSA_WITH_AES_128_CBC_SHA256
    • TLS_RSA_WITH_AES_256_CBC_SHA256

    Babelway will also update the restrictions on the algorithms allowed during TLS handshaking and certification path processing.

    The following algorithms will be disabled for TLS handshaking:

    • SSLv3
    • TLSv1
    • TLSv1.1
    • RC4
    • MD5withRSA
    • DH with key size < 1024
    • EC with key size < 224
    • DES40 CBC
    • RC4 40

    The following algorithms must not be used during certification path processing:

    • MD2
    • MD5
    • RSA with key size < 1024
    • DSA with key size < 1024
    • EC with key size < 224

    This means that no signature algorithm involving MD2 or MD5 will be used to verify a certificate, and that the use of certificates with an RSA/DSA key shorter than 1024 bits or an EC key shorter than 224 bits is restricted.
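
As an added example (not Babelway's code), the following Python script encodes the Phase 3 policy above: the TLS 1.2 minimum and the 15 listed cipher suites, translated to the OpenSSL names that Python's ssl module reports, so a client can be configured and tested against that policy before the cut-over. www.babelway.net is the host named in the announcement; the port and timeout are assumptions.

```python
"""Check a TLS client against Babelway's Phase 3 policy (added example, not
Babelway's code): TLS 1.2 minimum plus the 15 cipher suites listed above."""
import socket
import ssl

# The 15 supported suites (IANA names), rebuilt from the list above.
_EC_KX = ("ECDHE_ECDSA", "ECDHE_RSA", "ECDH_ECDSA", "ECDH_RSA")
SUPPORTED_IANA = (
    [f"TLS_{kx}_WITH_{c}" for kx in _EC_KX
     for c in ("AES_128_CBC_SHA", "AES_128_CBC_SHA256", "AES_256_CBC_SHA384")]
    + [f"TLS_RSA_WITH_{c}"
       for c in ("AES_128_CBC_SHA", "AES_128_CBC_SHA256", "AES_256_CBC_SHA256")]
)

def iana_to_openssl(name: str) -> str:
    """IANA suite name -> OpenSSL name, which is what ssl.SSLSocket.cipher()
    reports. TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA -> ECDHE-RSA-AES128-SHA:
    OpenSSL drops the CBC token and uses no prefix for plain RSA exchange."""
    kx, cipher = name[len("TLS_"):].split("_WITH_")
    parts = [p for p in cipher.split("_") if p != "CBC"]   # AES, 128, SHA256
    alg = parts[0] + parts[1] + "-" + "-".join(parts[2:])  # AES128-SHA256
    return alg if kx == "RSA" else kx.replace("_", "-") + "-" + alg

SUPPORTED_OPENSSL = [iana_to_openssl(n) for n in SUPPORTED_IANA]

def compliant(version: str, cipher: str) -> bool:
    """True if a negotiated (protocol, suite) pair keeps working after Phase 3.
    Only TLSv1.2 can pair with one of the listed (TLS 1.2) suites."""
    return version == "TLSv1.2" and cipher in SUPPORTED_OPENSSL

def client_context() -> ssl.SSLContext:
    """Client context offering only what Babelway accepts after Phase 3, so a
    failed handshake exposes an incompatible client before the cut-over."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # the announcement covers 1.2
    ctx.set_ciphers(":".join(SUPPORTED_OPENSSL))
    return ctx

def probe(host: str, port: int = 443) -> tuple:
    """Handshake with host and return (protocol, suite); needs network access.
    The port and the 10 s timeout are assumptions."""
    with socket.create_connection((host, port), timeout=10) as sock:
        with client_context().wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]

if __name__ == "__main__":
    ver, suite = probe("www.babelway.net")  # host named in the announcement
    print(ver, suite, "OK" if compliant(ver, suite) else "NOT supported after Phase 3")
```

The same OpenSSL cipher string can be handed to other OpenSSL-based clients (for example curl's --ciphers option) to reproduce the check outside Python.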

If you have any questions, please don’t hesitate to contact support@babelway.net