Early TLS to be disabled across all WebHotelier products and services on June 30th, 2018

TL;DR HTTPS in your browser's address bar means communication between websites and your computer is encrypted. There are many cryptographic protocols in use, some of them are no longer considered secure enough to pass PCI guidelines. We are disabling some of them on June 30th, 2018. That means that an extremely small percentage of browser and operating system combinations will no longer work with WebHotelier.

WebHotelier has retired support for SSLv3 since early 2016.

For more than 20 years Secure Sockets Layer (SSL) has been one of the most widely-used encryption protocols. It remains in widespread use today despite existence of a number of security vulnerabilities and being deprecated by NIST in 2014.

In April 2015, after extensive marketplace feedback, PCI Security Standards Council (SSC) removed SSL as an example of strong cryptography from the PCI Data Security Standard (PCI DSS) v3.1, stating that is can no longer be used as a security control after June 30, 2016.

Dropping SSLv3, effectively killed booking engine support for early versions of Internet Explorer (IE6 and IE7 under Windows XP).

PCI SSC has also set a June 30th, 2018 deadline for disabling early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher – in order to meet the PCI DSS for safeguarding payment data.

SSL no longer secure

This post serves as an announcement that WebHotelier will comply with PCI DSS requirements and drop all support for early TLS (v1.0) across all our products and services on June 30th, 2018.

These include:

  • 4000+ booking engines
  • WebHotelier's extranet
  • WebHotelier's API endpoints
  • WebHotelier's widget endpoints

We have also been working with our partners and 3rd party vendors to actively migrate all connections and integrations to TLS v1.2 and higher. Only a few connectivities with older protocols remain which we expect to be migrated by the end of this year.

What does this mean for browser support?

Dropping TLS 1.0 effectively means dropping support for all Internet Explorer versions except IE11, dropping support for many mobile browsers for early Android and dropping support for Safari before OS X 10.9

A detailed list of affected browsers/OSes can be found here.

This massive deprecation of browser support might sound scary, but our analytics data show that only a tiny percentage of visitors still use those browsers. We expect that by next summer obsolete browser usage will have dropped even more.

In addition, major global websites such as social networks, email providers, CDNs, and search engines, have or will follow along making the transition to a more secure web happen faster.

What is SSL/early TLS?

Transport Layer Security (TLS) is a cryptographic protocol used to establish a secure communications channel between two systems. It is used to authenticate one or both systems, and protect the confidentiality and integrity of information that passes between systems. It was originally developed as Secure Sockets Layer (SSL) by Netscape in the early 1990s. Standardized by the Internet Engineering Taskforce (IETF), TLS has undergone several revisions to improve security to block known attacks and add support for new cryptographic algorithms, with major revisions to SSL 3.0 in 1996, TLS 1.0 in 1990, TLS 1.1 in 2006, and TLS 1.2 in 2008.

What is the risk of using SSL/early TLS?

There are many serious vulnerabilities in SSL and early TLS that left unaddressed put organizations at risk of being breached. The widespread POODLE and BEAST exploits are just a couple examples of how attackers have taken advantage of weaknesses in SSL and early TLS to compromise organizations.

According to NIST, there are no fixes or patches that can adequately repair SSL or early TLS. Therefore, it is critically important that organizations upgrade to a secure alternative as soon as possible, and disable any fallback to both SSL and early TLS.

Who is most susceptible to SSL/early TLS vulnerabilities?

Online and e-commerce environments using SSL and early TLS are most susceptible to the SSL exploits, but the 30 June 2018 PCI DSS migration date applies to all environments - except for payment terminals (POIs) (and the SSL/TLS termination points to which they connect) that can be verified as not being susceptible to any known exploits for SSL and early TLS.

Where can I read more?

A detailed bulletin that explains the associated risks that led to the decision of dropping early TLS has been published by PCI SCC can be found on the link below:

Migrating from SSL and Early TLS