• Overview
    Frameworks
    • Drupal
    • WordPress
    • Symfony
    • Magento
    • See all frameworks
    Features
    • Observability
    • Auto-scaling
    Solutions
    • Marketing Teams
    • Retail
    • Higher Education
  • Pricing
  • Featured articles
    • Switching to Platform.sh can help IT/DevOps organizations drive 219% ROI
    • Organizations, the ultimate way to manage your users and projects
  • Support
  • Docs
  • Contact
  • Login
  • Free Trial
Blog
Tightening TLS by Platform.sh

Tightening TLS

February 07, 2019
Joey Stanford
Joey Stanford
Security, Compliance and Data Protection Officer

As part of our ongoing efforts to protect our clients' and partners' privacy and digital security, we’re planning to drop support for older, insecure cryptographic protocols. As of 1 April 2019, we’re disabling support for Transport Layer Security (TLS) versions older than 1.2 and adding support for TLS 1.3.

What’s changing?

TLS is what provides the “S” in HTTPS. It has replaced the older SSL (Secure Socket Layer) encryption standard even though it's common for people to still refer to them both as "SSL."

Today, HTTPS connections on Platform.sh can use TLS 1.0, 1.1, or 1.2, and it's up to the browser to determine which is the most recent version it can support. That said, currently every browser supports TLS 1.2, so, in practice, almost all connections already use 1.2.

Users can also require connections to Platform.sh to use only newer TLS versions, which is mandated by some security auditing requirements.

As of April, however, we’ll be dropping all encrypted connections using anything older than TLS 1.2. Users who have a specific minimum TLS version specified in their configuration file will still be unaffected as that setting will, effectively, become redundant.

Why the change?

The Payment Card Industry’s Data Security Standard (PCI DSS) requires that sites avoid older versions of TLS with known security issues. There have been numerous reports of severe vulnerabilities in early TLS versions that could put organizations and users at risk; case in point, the widely reported POODLE and BEAST attacks.

These vulnerabilities are of particular importance to e-commerce websites, where credit card payment information is transmitted, and to sites where personal information is being collected or sent over the web.

Given how prevalent TLS 1.2 support is in major browsers, we determined it was safest for our users to require TLS 1.2 across the entire network. We’re also adding support for the newer TLS 1.3, which, although not as widely deployed, offers even tighter security.

How will this change affect you?

TLS 1.2 was released in 2006, and all major browsers have supported it for many years. For the vast majority of users nothing will change at all. Customers who have a minimum TLS version in their configuration file are free to remove it after 1 April. While we’ll support setting a TLS 1.3 minimum version at that time, it's not recommended without extensive testing as TLS 1.3 was only approved in August of 2018, and client support may lag behind for some time.

It's possible that some custom client applications may be using an older TLS library that doesn't have 1.2 support. Those applications will need to be updated to use a current security library. To easily test if that's the case, set a minimum TLS version of 1.2 on a branch environment, and point the custom client at that branch. If it works normally, everything is fine. If it fails to connect, you’ll need to update your client application.

Get the latest Platform.sh news and resources
Subscribe

Related Content

The ultimate generation of our Dedicated offering is here!

The ultimate generation of our Dedicated offering is here!

Company

AboutSecurity and complianceTrust CenterBoard and investorsCareersPressContact us
System StatusPrivacyTerms of ServiceImpressumWCAG ComplianceManage your cookie preferencesReport a security issue
© 2022 Platform.sh. All rights reserved.
Supported by Horizon 2020's SME Instrument - European Commission 🇪🇺