The Constant Contact API, managed by TIBCO’s Mashery, will no longer support TLS v1.0 or v1.1 when establishing secure connections as of September 30th, 2018. We recommend updating your integration to TLS v1.2 to comply with security practices outlined by the Payment Card Industry (PCI) Security Standards Council.
What is TLS?
TLS stands for “Transport Layer Security” and is the security protocol that allows computers to communicate over the internet securely, without the transmissions being exposed to anyone they aren’t intended for. For example, you wouldn’t be able to use your credit card on eCommerce sites or log into your bank account online without TLS.
How is TLS used?
TLS is used to authenticate and encrypt a connection when a client attempts to connect to Constant Contact API systems along with another server.
Why is Constant Contact making this change?
TIBCO is ending support of TLS v1.0 and v1.1 on September 30th, 2018. TLS v1.2 is strongly encouraged in order to meet the PCI Data Security Standard (PCI DSS).
Why is TLS v1.2 important?
Due to increased computing power and weaknesses discovered in TLS v1.0 and v1.1, many websites and internet services now require the use of TLS v1.2. The latest PCI compliance standards require that any site accepting credit card payments use TLS v1.2 after June 30th, 2018. Moving to TLS v1.2 will improve the security of the data sent between you and Constant Contact.
Who is impacted?
Any client system that currently uses TLS v1.0 or v1.1 to secure HTTPS connections with our API servers will be impacted. All clients requesting connections with our API system will need to use the TLS v1.2 protocol. Clients using TLS v1.0 will not be able to connect to our API servers.
What is the impact if I don’t upgrade to TLS v1.2?
If you do not upgrade to TLS v1.2 by the already extended deadline, you will experience API traffic loss.
Not upgrading and continuing to use older versions of the protocols will make you vulnerable to downgrade attacks. Hackers can leverage known exploits to force connections to your server, and encrypted connections (between site visitors and your web server, machine to machine, etc.) will be open to man-in-the-middle and other types of attacks.
There are no fixes or patches that can adequately repair this vulnerability, so it is critically important that you upgrade as soon as possible.
What you will see/experience:
Failed connection attempts when trying to connect to our API system. When troubleshooting the connection, you will see this error:
504 error message - TLS v1.0/v1.1 handshake failure while connecting
How can I tell if my site is vulnerable?
Check for TLS v1.2 support:
The most recent versions of Mashery supported browsers include TLS v1.2 support.
Earlier versions of browsers and browsers not officially supported by Mashery might also support TLS v1.2. Visit the SSL Labs SSL Test to check the highest version of TLS supported by your browser. The SSL version in use will display under Protocol Version.
You should also ensure that your computer or mobile operating system is as up to date as possible, especially if you use an older version of Windows.
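For an API integration rather than a browser, the same check can be run from the client runtime itself. The script below is an added example, not Constant Contact or Mashery code: it reports whether the local Python/OpenSSL build supports TLS v1.2, builds a client context that refuses v1.0/v1.1, and reports the protocol actually negotiated. The function names are hypothetical and `api.example.com` is a placeholder for the API host your integration calls.

```python
import socket
import ssl

# Protocol names, as returned by SSLSocket.version(), that satisfy the requirement.
ACCEPTED = {"TLSv1.2", "TLSv1.3"}


def runtime_report():
    """Describe what the local Python/OpenSSL build is able to negotiate."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "supports_tls1_2": ssl.HAS_TLSv1_2,
        "supports_tls1_3": ssl.HAS_TLSv1_3,
    }


def strict_client_context():
    """Client context that verifies certificates and refuses TLS v1.0/v1.1."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def meets_requirement(version):
    """True if a negotiated protocol name is TLS v1.2 or newer."""
    return version in ACCEPTED


def probe(host, port=443, timeout=10.0):
    """Handshake with host; return (protocol, detail). protocol is None on failure."""
    ctx = strict_client_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except ssl.SSLError as exc:  # must precede OSError, its parent class
        return None, "TLS handshake failed: %s" % (exc.reason or exc)
    except OSError as exc:
        return None, "connection failed: %s" % exc


if __name__ == "__main__":
    print(runtime_report())
    # Placeholder hostname: replace with the API host your integration calls.
    protocol, detail = probe("api.example.com")
    print(protocol, detail, "OK" if meets_requirement(protocol) else "NOT COMPLIANT")
```

If `supports_tls1_2` is false, the runtime or its OpenSSL library must be upgraded before any application-level setting will help.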
What do I need to do to ensure that I am compliant?
There are several variables and a number of systems and software platforms involved. Every business has a different configuration, and there is no easy set of step-by-step instructions that will work in all cases.
At a high level, you will need to ensure that the following platforms and connections are compatible with TLS v1.2:
- Web Server
- Internet Information Services (IIS)
- .NET Framework
- eCommerce Application
- Browsers you support for your users
- Web services involved in your process
Ultimately, updating to the latest security protocols protects you, your users, and your reputation.
*https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls, Published 2017-06-30