Upcoming Change to Supported TLS Ciphers
Weak ciphers, which can cause security concerns (though represent a very small subset of our clients' web traffic), have been identified and will no longer be supported by Zesty.io. What this means for your business is that:
We are adding extra security
You should update your browsers and operating system
The change is transparent to your website visitors
You will not need to make any changes or take any action beyond potentially updating your web browser. This change will not affect your business operations.
Ciphers to be removed by Zesty
On Monday 26th September at 12 PM PDT the Zesty.io CDN will be changed to remove support for the following legacy weak ciphers.
AES128-GCM-SHA256 = TLS_RSA_WITH_AES_128_GCM_SHA256
AES128-SHA = TLS_RSA_WITH_AES_128_CBC_SHA
AES256-SHA = TLS_RSA_WITH_AES_256_CBC_SHA
ECDHE-RSA-AES128-SHA256 = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
ECDHE-RSA-AES256-SHA384 = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
ECDHE-RSA-AES128-SHA = TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
ECDHE-RSA-AES256-SHA = TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
What does this mean for you?
Not much. It will be a transparent process that does not require any work on your part, but it does mean that clients (e.g. Web Browsers) that still use these weak ciphers will not be able to securely connect to your domains.
We have been monitoring traffic over the past 30 days to assess the usage of the weak ciphers set for removal. Domains with requests using weak ciphers represented a very small percentage of their overall traffic. Most range between 0.03% - 0.003% of traffic using weak ciphers.
The important aspect to think through is if you have automated systems that are using older browser versions. Do you have visual regression testing with Internet Explorer? Wrote a script years ago using an older version of OpenSSL? These would be affected by this change and would need to be updated to newer versions.
When is this occurring?
Monday 26th September at 12 PM PDT
What is the issue?
TLS is an abbreviation for Transport Layer Security. It facilitates secure communication on top of HTTP. TLS ensures that Internet traffic is private between you and a website.
The TLS technology contains a list of encryption ciphers. Your browser negotiates which cipher suite to use with the website. Your browser will negotiate the most secure cipher available to you and the website.
Certain ciphers are no longer acceptable for modern use. Security researchers identified methods to decrypt TLS sessions with certain ciphers. This does not mean the Internet is completely done for! There are modern, secure ciphers available for use today, which you’re probably using to make video calls in your browser right now.
TLS Downgrade Attack
Certain malicious parties may “downgrade” your session to a weaker cipher. After the configuration is complete this type of attack is impossible because Zesty will not accept vulnerable ciphers.
Zesty.io works to keep customer data private and secure. The change in Transport Layer Security Ciphers will be another step in preventing malicious parties from intercepting sensitive data as it travels to and from our service.
Questions? Please contact your dedicated account manager.
By Stuart Runyan
Developing web technologies is my passion! I'm focused on creating applications and experiences to solve the problems which today's digital marketers face. I believe in web standards, a mobile first approach, access for everyone, open source software and the democratization of information. My goal is to continue the Internet being pure awesome!