Several of our customers use Magento for e-commerce, and not long ago they received an email from Authorize.net saying that TLS disablement will be happening in September of 2017.

Dear Authorize.Net Merchant: As you may be aware, new PCI DSS requirements state that all payment systems must disable early TLS by 2018. Transport Layer Security (TLS) is a technology used to encrypt sensitive information sent via the Internet. TLS is the replacement for Secure Sockets Layer (SSL).

In preparation for this requirement, Authorize.Net plans to disable TLS 1.0 and TLS 1.1…

What is TLS and how is it different from SSL?

TLS stands for Transport Layer Security, and it’s the successor to SSL. If you’re at all familiar with a security protocol, it’s probably SSL, or Secure Sockets Layer. SSL is the standard security technology for establishing an encrypted link between a web server and a browser. You’ll also find such cryptographic protocols used for email, internet faxes, instant messaging, and voice-over-IP (VoIP).

When a user connects through a web browser to a website that uses TLS, the browser receives a security certificate from the server where the website is hosted. This security certificate includes details about the server, an expiration date for the certificate, and a “public key” that is available to all users who connect to that server.

The public key encrypts information entered on the website (like your name, address, credit card number) in such a way that it can only be decrypted with a private key that is stored in a secure place on the server. So the website uses the server’s public key to send a secret value to the server, and the server then decodes that secret value using its private key. The secret value is then used by the website and the server to encrypt the rest of the transaction. It might sound confusing, but all of this is being done in the background when you use a website with https:// in the URL.

When you see that https://, you know that all data passed between your web browser and the server where the site is hosted is private and secure. You should always look for the https:// when you’re making a purchase online. We wrote an article about why we recommend that all our customers’ websites use an SSL certificate, and it’s worth taking a look if you have your own website of any kind.

Why is Authorize.net discontinuing use of TLS?

So wait—if TLS is the successor to SSL, why is Authorize.net discontinuing use of it? Trick question. TLS is a more secure and efficient protocol than SSL, but SSL was already so prevalent in web terminology that it’s become the common term. As of 2014, SSL is no longer supported, and most modern browsers and solutions use TLS now.

If you’ll notice, the Magento email warns that it plans to disable TLS 1.0 and 1.1. TLS 1.0 was first defined in January of 1999, and version 1.1 was released in 2006. As you can imagine, those two versions are more than overdue for retirement. Version 1.2 has long been widely adopted, and TLS 1.3 is due to be finalized any moment now. Some companies like Cloudflare adopted the TLS 1.3 protocol in late 2016.

How do you know if you use the wrong TLS?

Fortunately, we have a very easy answer for you!

Simply go to https://www.ssllabs.com/ssltest/ and enter your website’s URL. After a minute or so, you’ll receive a grade ranging from A to F. It will also show you what versions of TLS you’re using. Hopefully you’ll pass with flying colors!
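The same version check can be scripted for servers the SSL Labs scanner cannot reach, such as a staging or internal host. This is an added example, not part of the original article: the function names are hypothetical, and it only reports which protocol versions a server accepts, without grading the certificate or ciphers.

```python
import socket
import ssl
import sys
import warnings

# Versions to test, and whether this Python/OpenSSL build can speak each one.
VERSIONS = {
    "TLS 1.0": (ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    "TLS 1.1": (ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    "TLS 1.2": (ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
}
EARLY = ("TLS 1.0", "TLS 1.1")  # the versions Authorize.Net is retiring


def probe(host, port, version, timeout=5.0):
    """True if the server completes a handshake pinned to `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # only the protocol version is measured,
    ctx.verify_mode = ssl.CERT_NONE  # not the certificate chain
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # recent OpenSSL blocks early TLS by default
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ValueError):  # refused, timed out, or handshake rejected
        return False


def scan(host, port=443, timeout=5.0):
    """Map each version to True/False, or None if this build cannot test it."""
    return {name: probe(host, port, v, timeout) if ok else None
            for name, (v, ok) in VERSIONS.items()}


def verdict(results):
    """Judge a scan against the target of TLS 1.2 with early TLS disabled."""
    if any(results.get(v) for v in EARLY):
        return "early TLS still enabled"
    if not results.get("TLS 1.2"):
        return "TLS 1.2 not available"
    if any(results.get(v) is None for v in EARLY):
        return "TLS 1.2 ok; early TLS untested by this build"
    return "TLS 1.2 only"

if __name__ == "__main__":
    print(verdict(scan(sys.argv[1])))
```

Run it with your site's hostname as the only argument; a result of "TLS 1.2 only" means the server no longer accepts TLS 1.0 or 1.1.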

If your website doesn’t pass the test, you’ll most likely need help from a developer. You may be able to have your host issue an upgraded SSL certificate, or you may need to get into the code a bit. If you do need help, feel free to contact us any time.

Published On: May 26th, 2017 / Categories: Blog
