To improve customer privacy and data security, we recommend that you upgrade to Transport Layer Security (TLS) 1.2 for your outbound connections. This change is in recognition of website security best practices, and you likely have already implemented these capabilities. If you have not, we strongly encourage you to make these changes before September 1st as part of your preparations for the holiday season.
Q: Why are we deprecating TLS 1.0 and 1.1?
A: TLS 1.0 and 1.1 are both dated versions of the TLS protocol. TLS 1.0 was published in 1999 as RFC 2246 while TLS 1.1 was published in 2006 as RFC 4346. Improvements have been made to both since the release of the original versions. Upgrading to the current standard (TLS 1.2) is now considered the safest and most reliable method of delivering encrypted content over the Internet.
Q: What happens if I don’t upgrade?
A: If you choose to not upgrade from TLS 1.0 and 1.1, you will be left vulnerable to the following attacks:
- POODLE: This is a man-in-the-middle style attack, primarily targeting SSL 3.0, that takes advantage of Internet and security software to downgrade the connection to an older protocol. However, TLS 1.0 and 1.1 were also vulnerable to POODLE, as they accept an incorrect padding structure after decryption.
- BEAST: This is another man-in-the-middle style attack. It takes advantage of a vulnerability in the Cipher Block Chaining mode in TLS 1.0 and uses it to decrypt data exchanged between two parties.
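
One way to check and enforce the TLS 1.2 floor on an outbound client is sketched below, as an added example that is not part of the original notice. It assumes a Python client using the standard `ssl` module; the function names are hypothetical, and the unpinned context is constructed only to show what the check reports.

```python
import ssl

# Pre-TLS 1.2 versions, each paired with the legacy OP_NO_* flag that disables it.
LEGACY = [
    (ssl.TLSVersion.SSLv3, ssl.OP_NO_SSLv3),
    (ssl.TLSVersion.TLSv1, ssl.OP_NO_TLSv1),
    (ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
]


def legacy_versions_allowed(ctx):
    """Return the names of pre-TLS 1.2 versions this context's settings permit."""
    floor = ctx.minimum_version
    # MINIMUM_SUPPORTED means "whatever the linked OpenSSL allows": no floor at all.
    has_floor = floor != ssl.TLSVersion.MINIMUM_SUPPORTED
    allowed = []
    for version, no_flag in LEGACY:
        below_floor = has_floor and version < floor
        disabled_by_flag = bool(ctx.options & no_flag)
        if not (below_floor or disabled_by_flag):
            allowed.append(version.name)
    return allowed


def enforce_tls12_floor(ctx):
    """Set TLS 1.2 as the lowest version the client will negotiate."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def unpinned_client_context():
    """Constructed misconfiguration for the demo: a client with no version floor."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.options &= ~(ssl.OP_NO_TLSv1 | ssl.OP_NO_TLSv1_1)
    return ctx


if __name__ == "__main__":
    ctx = unpinned_client_context()
    print("before:", legacy_versions_allowed(ctx))
    print("after: ", legacy_versions_allowed(enforce_tls12_floor(ctx)))
```

The check reads the context's own settings. The linked OpenSSL build or a system-wide crypto policy may impose a higher floor than the context reports, so an explicit TLS 1.2 minimum in the client keeps the behaviour the same across hosts.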