This article contains all of the information currently available on Work Market’s plan to disable the TLS 1.0 encryption protocol. This article will be updated as new information becomes available. Please check back often for guidance on preparing for TLS 1.0 Disablement.
What is TLS and SSL?
Transport Layer Security (TLS) is a cryptographic protocol designed to provide secure network communication. The primary goal of TLS is to maintain privacy and data integrity between two communicating computer or mobile applications. Secure Sockets Layer (SSL), a predecessor to TLS, is now considered flawed and insecure (see the SSL 3.0 related articles in the References section below).
How is TLS used in Work Market?
To access the Work Market site, all companies and workers use a TLS-enabled browser or mobile device. Any partners or integrators who rely on Work Market’s API services also rely on TLS.
What is changing?
Starting in September 2016, Work Market will disable the TLS 1.0 encryption protocol. Once disabled, TLS 1.0 can no longer be used to access the Work Market website or services.
Why is it changing?
In recent years, security researchers found a number of loopholes in the way encryption is handled, and some of the older browsers are known to be exposed to these security issues.
Work Market web and API connections, along with mobile applications and notification services, use TLS as a key component of their security.
At Work Market, trust is our #1 value, and we take the protection of our customers' data very seriously. The disablement of TLS 1.0 is being undertaken so we can maintain the highest security standards and promote the safety of your data as well as align with industry-wide best practices.
In addition, disabling TLS 1.0 is now a hard requirement for Payment Credit Industry Security Standard 3.1, an industry standard for securing systems used for credit card payments. Although the PCI Security Council extended the deadline of this implementation until June 2018, Work Market believes it is important to protect and guard customer information as soon as possible.
What is the impact?
The action required by your organization will depend on which channels are used to access Work Market, as well as which Work Market services are in use by your organization.
What are the channels that access Work Market where action may be needed?
There are three different channels that require encryption to access Work Market:
- Internet browser
- API (outbound to Work Market) integrations
- Call-out (inbound from Work Market) integrations
An overview of each and our corresponding recommendation for TLS 1.2 and higher compatibility is as follows:
Internet Browser
You and your users will experience issues accessing Work Market via your browser if non-supported browsers are in use or if you have disabled the supported encryption protocols in the browser. Users and companies are not affected by this change if one of the following browsers is in use:
- Internet Explorer 11
- Google Chrome 40 or higher
- Firefox 34 or higher
- Safari 9 or higher
Workers and businesses need to upgrade or make custom changes to their browsers if one of the following browsers is in use:
- Internet Explorer 8, 9, or 10 (See HOW TO)
For workers and businesses using the following systems, Work Market will no longer be able to support their systems in accordance with Microsoft’s Windows lifecycle fact sheet and Microsoft Support Lifecycle.
- Windows XP, Vista, Server 2008, Server 2003, and earlier.
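One way to estimate how many users fall into each of the browser groups above before the cutover is to classify the User-Agent strings in your own proxy or web access logs. The Python script below is an added example, not Work Market code; the group labels, the `classify` and `audit` names and the sample log lines are constructed for illustration. A User-Agent string shows only the browser and operating system version, not whether TLS 1.2 has been enabled in the browser.

```python
import re
from collections import Counter

MIN_OK = {"Chrome": 40, "Firefox": 34, "Safari": 9}  # article's minimum versions

def classify(ua):
    """Place one User-Agent string in a readiness group (labels are ours)."""
    # Windows XP, Vista, Server 2003 and Server 2008 report NT 5.x or NT 6.0.
    nt = re.search(r"Windows NT (\d+)\.(\d+)", ua)
    if nt and (int(nt[1]), int(nt[2])) < (6, 1):
        return "unsupported-os"
    # IE 8-10 send "MSIE n.0"; IE 11 drops that token and sends "rv:11.0".
    ie = re.search(r"MSIE (\d+)", ua)
    if ie:
        return "needs-change" if 8 <= int(ie[1]) <= 10 else "unlisted"
    if "Trident/" in ua and re.search(r"rv:11\b", ua):
        return "ok"
    # Edge and Opera also carry a "Chrome/" token but are not on the list.
    if re.search(r"Edge/|OPR/", ua):
        return "unlisted"
    # Chrome is tested before Safari because Chrome's UA contains "Safari/".
    for name, pattern in (("Chrome", r"Chrome/(\d+)"),
                          ("Firefox", r"Firefox/(\d+)"),
                          ("Safari", r"Version/(\d+).*Safari/")):
        m = re.search(pattern, ua)
        if m:
            return "ok" if int(m[1]) >= MIN_OK[name] else "unlisted"
    return "unlisted"

def audit(log_lines):
    """Count groups over access-log lines; the UA is the last quoted field."""
    counts = Counter()
    for line in log_lines:
        fields = re.findall(r'"([^"]*)"', line)
        if fields:
            counts[classify(fields[-1])] += 1
    return counts

# Constructed sample lines in combined log format (not real traffic).
_LINE = '203.0.113.7 - - [01/Aug/2016:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "{}"'
SAMPLE_LOG = [_LINE.format(ua) for ua in (
    "Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)",
    "Mozilla/5.0 (Windows NT 6.3; Trident/7.0; rv:11.0) like Gecko",
    "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_5) AppleWebKit/600.8.9 (KHTML, like Gecko) Version/8.0.8 Safari/600.8.9",
)]

if __name__ == "__main__":
    print(dict(audit(SAMPLE_LOG)))
```

Entries counted as "unlisted" are browsers or versions the article does not name, so they need a manual check rather than an assumption either way.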
API and Call-out Integrations
- API Integrations are interfaces or applications, including mobile apps and desktop clients, that are separate from Work Market, but use Work Market data.
- Call-outs are integrations where Work Market refers to an outside source to either verify login credentials, push data, or pull data.
If you have an application that integrates with Work Market via APIs or Call-out, please have your internal IT department review the TLS for API integrations article. If you do not enable TLS 1.2 after we make this change, your integrations will experience disruption.
References
- This POODLE bites: exploiting the SSL 3.0 fallback (Google Security Blog)
- The POODLE Attack and the End of SSL 3.0 (Mozilla Security Blog)
- Turn Off SSL 3.0 and TLS 1.0 in Your Browser (ssl.com)
- TLS/SSL support history of web browsers (wikipedia.org)
- TLS Web Browsers (wikipedia.org)
- Attacks against TLS/SSL (wikipedia.org)
- Date Change for Migrating from SSL and Early TLS (pcisecuritystandards.org)