We plan two important changes in our platform that require your attention. Those changes will be effective on February 22nd 2018:
- we will stop the support of TLS 1.0 and TLS 1.1
- we will introduce a new IP range that will be visible by your origin.
1) TLS 1.0 and TLS 1.1 deprecation
TLS 1.0 and 1.1 are both fairly dated versions of the TLS protocol. TLS 1.0 was published in 1999 as RFC 2246 while TLS 1.1 was published in 2006 as RFC 4346. Many improvements have been made since the release of these versions and upgrading to the current standard (TLS 1.2) is now considered the safest and most reliable method for delivering encrypted content over the Internet.
Furthermore, the PCI Data Security Standard (PCI DSS) requires that we disable the use of any SSL/TLS 1.0 implementations by June 30, 2018. TLS 1.1 will still be accepted by PCI although they strongly recommend using TLS 1.2. Given the vulnerabilities TLS 1.0 and 1.1 are susceptible to and the recommendations provided by PCI, we’ll be deprecating support of both of these versions and moving ahead with more recent versions of the TLS protocol.
We see that 99.4% of current secure connections are done in TLS 1.2 in our platform. Most browsers have been supporting TLS 1.2 for at least a few versions with the exception of Internet Explorer. The most recent version (IE 11) does indeed support TLS 1.2, however, in versions 8-10 TLS 1.2 must be enabled manually and it is not supported in versions prior to 7.0.
Our main CDN - KeyCDN - will also discontinue the support of TLS 1.1 and TLS 1.2 on February 28th 2018.
Furthermore, we are keeping a close eye on TLS 1.3 and are planning to roll out support once it becomes an RFC standard. This will even further improve both security and performance.
2) New IP range that should be whitelisted
We have decided to acquire new IP addresses Blocks that will help us extend the capability of our infrastructure. This change will be effective on February 22nd 2018.
Please, make sure that the following IP addresses are whitelisted in your firewall system(s) in order to prevent any 502 response codes from being generated unexpectedly: following blocks (https://support.fasterize.com/fr/article/ip-lists/)