Tightening TLS

As part of our ongoing efforts to protect our clients' and partners' privacy and digital security, we’re planning to drop support for older, insecure cryptographic protocols. As of 1 April 2019, we’re disabling support for Transport Layer Security (TLS) versions older than 1.2 and adding support for TLS 1.3.

What’s changing?

TLS is what provides the “S” in HTTPS. It has replaced the older SSL (Secure Socket Layer) encryption standard even though it's common for people to still refer to them both as "SSL."

Today, HTTPS connections on Platform.sh can use TLS 1.0, 1.1, or 1.2, and it's up to the browser to determine which is the most recent version it can support. That said, currently every browser supports TLS 1.2, so, in practice, almost all connections already use 1.2.

Users can also require connections to Platform.sh to use only newer TLS versions, which is mandated by some security auditing requirements.

As of April, however, we’ll be dropping all encrypted connections using anything older than TLS 1.2. Users who have a specific minimum TLS version specified in their configuration file will still be unaffected as that setting will, effectively, become redundant.

Why the change?

The Payment Card Industry’s Data Security Standard (PCI DSS) requires that sites avoid older versions of TLS with known security issues. There have been numerous reports of severe vulnerabilities in early TLS versions that could put organizations and users at risk; case in point, the widely reported POODLE and BEAST attacks.

These vulnerabilities are of particular importance to e-commerce websites, where credit card payment information is transmitted, and to sites where personal information is being collected or sent over the web.

Given how prevalent TLS 1.2 support is in major browsers, we determined it was safest for our users to require TLS 1.2 across the entire network. We’re also adding support for the newer TLS 1.3, which, although not as widely deployed, offers even tighter security.

How will this change affect you?

TLS 1.2 was released in 2006, and all major browsers have supported it for many years. For the vast majority of users nothing will change at all. Customers who have a minimum TLS version in their configuration file are free to remove it after 1 April. While we’ll support setting a TLS 1.3 minimum version at that time, it's not recommended without extensive testing as TLS 1.3 was only approved in August of 2018, and client support may lag behind for some time.

It's possible that some custom client applications may be using an older TLS library that doesn't have 1.2 support. Those applications will need to be updated to use a current security library. To easily test if that's the case, set a minimum TLS version of 1.2 on a branch environment, and point the custom client at that branch. If it works normally, everything is fine. If it fails to connect, you’ll need to update your client application.