Migrating To TLSv1.2: What you need to know
By Greg Smith, Dec 2019, 2 min read
At GoCardless we are always striving to maintain high-security standards to protect our partners, merchants and customers.
As part of this commitment, we will be making a change to the security requirements on our API. By January 2020, TLSv1.2 will be the minimum required TLS version for any connection to the GoCardless API.
Why are we changing this configuration?
Using secure transport for HTTP connections to our API and services is a baseline control to protect customer information. To minimise service disruption to our merchants and partners, we have maintained compatibility for older TLS versions whilst they provided a sufficient level of security to protect information in transit.
From January 2020, TLSv1.0 and TLSv1.1 will no longer be deemed to be an acceptable level to protect data in transit. By holding off upgrading until now, we have confidence that all major operating systems and services released in the last 5 years will support TLSv1.2. This change is also necessary for GoCardless to continue to improve and maintain our security compliance requirements under ISO27001.
As security protocols age and newer protocols replace them, older protocols are deprecated and are no longer actively developed. Continued use of these older protocols is often a proxy for the overall security of the devices that connect to our APIs, because modern operating systems and components support the current recommended protocol (TLSv1.2) out of the box or with the appropriate configuration.
If the devices connecting cannot negotiate TLSv1.2, it is likely that they do not meet the minimum security requirements we would expect from an operating system and configuration perspective.
From a technical perspective, we have been able to keep accepting TLS1.0 and TLS1.1 connections until now because our Google Cloud Platform setup and TLS configuration include additional mitigations against the known attacks on those versions.
What do customers need to do?
We have identified all customers that are using older versions of TLS to connect to our API, and have let them know of the change that is required. If you are connecting to our API using an older version of TLS then you will need to upgrade your software to use TLSv1.2 before January 2020.
Both the National Cyber Security Centre and Qualys provide advice on configuring server-side TLS and best practices. In addition, the Mozilla foundation provides a tool to assist in generating a configuration for servers that will work with the majority of modern browsers and services.
If you use our client libraries, you will need to upgrade to the latest version of the library and its associated dependencies. We have configured the sandbox environment https://api-sandbox.gocardless.com to require TLSv1.2 so that you can validate that your API integration works. To find out more, check out our support article on what you need to do.
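The sandbox check described above can be scripted. The following is an added example, not GoCardless code or part of any GoCardless client library: it builds a client TLS context that validates the server certificate and hostname and never negotiates below TLSv1.2, reports the version actually negotiated with the sandbox host named in the post, and confirms that handshakes capped at TLSv1 and TLSv1.1 are refused. Port 443, the timeout, and the requirement for Python 3.7+ (for `ssl.TLSVersion`) are assumptions.

```python
"""Verify that a client negotiates TLSv1.2+ and that a server refuses older versions.

Added example, not GoCardless code. Assumes Python 3.7+ and an OpenSSL build
that exposes per-context protocol version controls.
"""
import socket
import ssl

# Hostname taken from the post; port and timeout are assumptions.
SANDBOX_HOST = "api-sandbox.gocardless.com"
HTTPS_PORT = 443
TIMEOUT_SECONDS = 5

# Minimum version the post says will be required from January 2020.
REQUIRED_MINIMUM = ssl.TLSVersion.TLSv1_2

# Strings returned by ssl.SSLSocket.version() that meet the requirement.
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}


def make_client_context() -> ssl.SSLContext:
    """Client context that validates the certificate chain and hostname
    (create_default_context sets CERT_REQUIRED and check_hostname) and
    refuses to negotiate anything older than TLSv1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = REQUIRED_MINIMUM
    return ctx


def is_acceptable_version(version: str) -> bool:
    """True for TLSv1.2 and TLSv1.3, False for TLSv1 and TLSv1.1."""
    return version in ACCEPTABLE_VERSIONS


def negotiated_version(host: str = SANDBOX_HOST, port: int = HTTPS_PORT) -> str:
    """Open one connection with the hardened context and return the negotiated
    protocol version (for example 'TLSv1.2' or 'TLSv1.3')."""
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=TIMEOUT_SECONDS) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


def server_refuses_legacy(host: str = SANDBOX_HOST, port: int = HTTPS_PORT) -> dict:
    """Attempt handshakes pinned to TLSv1 and TLSv1.1. A correctly configured
    server fails both. Returns {version_name: True (refused) | False (accepted)
    | None (local OpenSSL cannot even offer that version)}."""
    results = {}
    for name, pinned in (("TLSv1", ssl.TLSVersion.TLSv1),
                         ("TLSv1.1", ssl.TLSVersion.TLSv1_1)):
        ctx = ssl.create_default_context()
        try:
            ctx.minimum_version = pinned
            ctx.maximum_version = pinned
        except ValueError:
            results[name] = None  # this build of OpenSSL has the version disabled
            continue
        try:
            with socket.create_connection((host, port), timeout=TIMEOUT_SECONDS) as raw:
                with ctx.wrap_socket(raw, server_hostname=host):
                    results[name] = False  # handshake succeeded: legacy still accepted
        except ssl.SSLError:
            results[name] = True  # server (or local policy) rejected the handshake
    return results


if __name__ == "__main__":
    # Requires network access to the sandbox host.
    version = negotiated_version()
    print(f"negotiated {version}: {'OK' if is_acceptable_version(version) else 'TOO OLD'}")
    for name, refused in server_refuses_legacy().items():
        print(f"{name}: {'refused' if refused else 'ACCEPTED' if refused is False else 'not offered locally'}")
```

If `negotiated_version` raises `ssl.SSLError` rather than returning a version, the client side of your stack (runtime, OpenSSL build, or HTTP library pinning an old protocol) is what needs upgrading; if it returns `TLSv1.2` or `TLSv1.3` but the legacy probes report `False`, the server is still accepting old versions. Note that a `None` result means your local OpenSSL refused to offer TLSv1 or TLSv1.1 at all, which says nothing about the server.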
Why are HTTPS and TLS important?
When you connect to web services using HTTPS, the messages sent back and forth between the two parties are encrypted, so that as they pass over the internet they cannot be read by others. You can think of it as a dedicated, private tunnel for your connection. You can find out more about TLS on the Mozilla Security Pages.
It also has the benefit of validating the certificate when you connect to our API and website, so that you know you are connecting safely to our service. In a web browser, the padlock icon and the details shown when you click on it tell you whether the certificate is valid and has been verified by an authoritative source. For more general advice as a consumer on keeping yourself secure on the web, check out https://www.getsafeonline.org/.