Continue reading " />

TLS 1.0 End of Life

Posted by on 6/29/16 • Categorized as PCI Compliance,Security Notices

PadlockThe TLS 1.0 encryption protocol is being disabled across our Web Hosting services as of June 30th, 2016, requiring the more modern protocols TLS 1.1 and TLS 1.2 to be used to make a secure connection to your eCommerce website.

TLS ensures that connections made across the internet are secure and that data can only be read by authorized users. TLS is commonly used when entering private data like logins or credit card information. The TLS 1.0 encryption protocol is currently over 14 years old and is considered to be no longer secure. The outdated SSL 3.0 encryption protocol was similarly disabled on our Hosting services back on July 31st, 2015 for the same reason.

The disabling of TLS 1.0 follows the decision by the PCI security standards council to declare this encryption protocol as insecure as a result of numerous potential vulnerabilities that have been identified.

Data security is a top priority for Scarab Media and Project A Inc. As part of our ongoing commitment to ensuring security, and in order to maintain PCI-DSS v3.1 compliance required for eCommerce, TLS 1.0 is being disabled and either TLS 1.1 or TLS 1.2 will be required when accessing secured resources over HTTPS.

Operating systems for which a secure connection will no longer supported:

  • Windows XP
  • Windows Vista
  • Windows Server 2003
  • Windows Server 2008
  • Apple MacOS X (10.8 “Mountain Lion” or earlier)
  • Apple iOS 4 or earlier
  • Android 4.4.3 or earlier

Browser compatibility for TLS 1.1/1.2 can be found below:

  • Microsoft Edge
  • Microsoft Internet Explorer (IE) 11 on all platforms
  • Microsoft Internet Explorer (IE) 8-10 on Windows 7 or higher
  • Mozilla Firefox 27 or higher (regardless of Operating System)
  • Mozilla Firefox 23 – 26 (Compatible, but not by default.
    Use about:config to enable TLS 1.1 or TLS 1.2 by updating the security.tls.version.max config value to 2 for TLS 1.1 or 3 for TLS 1.2.)
  • Google Chrome 38 or higher (regardless of Operating System)
  • Google Chrome 22 – 37 (Compatible when running on Windows XP SP3, Vista, or higher, OS X 10.6 “Snow Leopard” or higher, or Android 2.3 “Gingerbread” or higher.)
  • Android 5.0 “Lollipop” and higher
  • Android 4.4.4 may or may not be compatible depending on model. Some devices may support TLS 1.1 but some may not.
  • Apple Safari (Desktop) 7 and higher when running on OS X 10.9 “Mavericks” and higher.
  • Apple Safari (Mobile) 5 and higher when running on iOS 5 and higher.

If your website does not require HTTP Strict-Transport-Security (HSTS) over HTTPS or Perfect Forward Secrecy (PFS) then visitors with older Operating Systems and Browsers will still be able to visit your website but they just will not be able to proceed to Checkout or use a secure session over HTTPS.

To test if your Browser and Operating System is compatible, you can use the following resources:

Comments are closed.