Archive:2021 Web Service TLS Advisory

From Melissa Data Wiki
Revision as of 00:18, 2 December 2021 by Admin (talk | contribs)
Jump to navigation Jump to search

← Cloud Services

Introduction

*UPDATE to Final Deadline
We have been in communication with a number of companies using our services since our announcement that we will deprecating TLS 1.0 and 1.1. Most users of our web services have recognized that this deprecation is necessary and prudent, as evident by the same actions taken by the rest of the technology community. However, there have been some situations where due to technology or organization issues, they will be unable to complete the transition by the January cut-off. In an effort to minimize disruption for our clients, Melissa has decided to extend the transition timeline from January 25, 2021 to the week of April 26th, 2021. We implore everyone to take notice and transition to secure TLS 1.2 right away. Do not procrastinate as you may run into unforeseen issues at the last minute.
-Original Notice Continues...
Melissa is deprecating Transport Layer Security (TLS) 1.0 and 1.1 for our web service as they are no longer considered secure. Starting the week of January 25th, 2021 April 26th, 2021, we will no longer support web service connections using TLS 1.0 or TLS 1.1 and will require TLS 1.2 or higher.
Why are you deprecating TLS 1.0 & 1.1?
TLS 1.0 and 1.1 are no longer considered to be secure. They do not support modern cryptographic algorithms and is proven to be vulnerable to exploits. Most major technology companies have either already deprecated TLS 1.0 and 1.1 or have committed to do so in 2020. These companies include Apple, Microsoft, Google, Mozilla, and Cisco. With this deprecation, clients will need to use TLS 1.2 which was introduced over a decade ago in 2008.
Security of our client data is a top priority here at Melissa. To that end, we undergo consistent security reviews and audits of our organization and services. In order to stay current with industry standards for privacy and security in our audits, we must close vulnerabilities like TLS 1.0 and 1.1.
What about TLS 1.3?
Adding support for TLS 1.3 is a top priority that we are working on as we speak. Rest assured, if your application supports TLS 1.3, it will also support TLS 1.2. When TLS 1.3 is available, your application will likely automatically migrate to the more secure protocol.
What about HTTP?
For some of these services, we have also made unencrypted HTTP version available in order to allow older technologies to access them. However, we will be requiring everyone use secure HTTPS in order to ensure security of your data.
Please contact Melissa Tech Support for any questions.


What is the Deprecation Timeline?

APRIL 26, 2021
We will be updating our services to disable TLS 1.0 and 1.1 the week of April 26th, 2021. Please make sure your application is compatible with TLS 1.2 before this date.
What will happen if I cannot connect using TLS 1.2 by the deadline?
If your application is unable to connect to our service using TLS 1.2 when we disable TLS 1.0 and 1.1, the connection will be rejected and you will not be able to connect to or use our web service.


What Melissa Services are Affected?


How Can I Test if My Application Will Work With TLS 1.2?

We have created a TLS 1.2 only version for all of the services that we host. To access this version, simply add the text "tlstest" to the first part of the domain preceding ".melissadata.net". For example:

Personator
Regular URL for XML/SON
TLS 1.2 Test URL
Global Address
Regular URL for SOAP
TLS 1.2 Test URL


Note: These are two examples. The "TLSTest" version exists for all of our services.


Additional Information on Technologies & TLS 1.2

.NET
TLS 1.2 is supported in .NET framework 4.5 or higher. It can be enabled via registry or in code. For more information, please visit the Microsoft page: https://docs.microsoft.com/en-us/dotnet/framework/network-programming/tls
Java
TLS 1.2 is supported in JDK 7 (but not default) and default in JDK 8. For more information, please visit: https://blogs.oracle.com/java-platform-group/jdk-8-will-use-tls-12-as-default
Python
Python support has been a bit complicated as they had different versions of OpenSSL. Python has supported TLS 1.2 since version 3.2 and 2.7.9. Please see their official documentation here for more information: https://docs.python.org/3/library/ssl.html
Ruby
TLS 1.2 is supported in Ruby 2.0 and higher.
SSIS
Currently the Melissa components do not connect using TLS 1.2 out of the box. Please see this page for how to configure your machine as a work-around: FAQ:SSIS:Enforce TLS 1.2
We are currently working on natively integrating TLS 1.2 with DQC Components for SSIS and future releases with support for TLS 1.2 will be announced on SSIS:Data Quality Components