Securing communications and our plan for SSL and early TLS communication protocols.
Why is this happening?
In April 2015, the PCI Security Standards Council released the v3.1 update to the PCI DSS standard. This expressly excludes Secure Sockets Layer (SSL) 3.0 and below, TLS 1.0, and some ciphers supported by TLS 1.1 from protocols supporting strong cryptography. This means that when using a connection secured by these protocols it is no longer guaranteed that the communication is completely secure.
This conclusion has been made through the recent discoveries of serious and systemic security issues with earlier versions of TLS and its predecessor, SSL, including POODLE, Heartbleed, and LOGJAM. These current known vulnerabilities have been mitigated, patched or removed from the GoFundraise servers, and there is no known risks in using the protocols in use by GoFundraise today. For this reason the PCI council has given a date which indicates the latest point in time where these protocols can be used, June 30, 2018. After which only TLS 1.1 and TLS 1.2 may be used to secure communications.
Why don’t we just remove these protocols now?
Not all web browsers support TLS 1.1 and TLS 1.2. By removing all other protocols it would be impossible for these older browsers to connect to the GoFundraise website.
TLS 1.1 was defined in April 2006 and TLS 1.2 was defined in August 2008. All browsers and services released before these dates will not provide any support for these newer protocols. A non-exhaustive list of these browsers is listed below.
- Firefox before version 27
- Chrome before version 22
- Internet Explorer before version 11
- Opera before version 14
- Safari before version 7
- Android before version 4.4
You should always keep your web browser up to date in order to maintain the highest levels of security and performance when surfing the internet and in particular when using secure communications.
What is happening between now and when these protocols are depreciated?
GoFundraise supports TLS Fallback Signaling Cipher Suite Value (SCSV) for Preventing Protocol Downgrade Attacks so that any users who have devices capable of TLS1.1 or TLS1.2 will not fallback to communicate over TLS1.0, therefore if you have the latest browsers you can rest assured you are using the most secure technologies available.
Soon GoFundraise will begin presenting users who visit our website with a browser that does not support TLS 1.1 or higher with a notification that their browsers will be prevented from accessing our website when our migration is completed. The objective of this is to help lower the user base who use TLS 1.0 on our website in order to perform the migration at the earliest stage possible as the number of users requiring the protocol reduce.
Existing vulnerability monitoring and industry research procedures remain in place in the event that new vulnerabilities are found at which point GoFundraise will continue its swift mitigation and patching program which may require these protocols to be depreciated earlier.