Upcoming Security Updates
by James Brown
The EasyPost engineering team is dedicated to providing secure and reliable logistics services to our customers. During 2018, we will be phasing out support for certain older, less-secure encryption protocols to improve your security and to help with your compliance needs. If you use an outdated platform, you may experience difficulties when calling EasyPost services. Please reach out to support@easypost.com if you need assistance determining whether you will be affected by these changes.
On March 1, 2018, we will be disabling all triple-DES (a.k.a. 3DES, a.k.a. DES3) cipher suites. The Data Encryption Standard (DES) dates back to 1975 and has been considered extremely weak for decades; 3DES applies DES three times with three independent keys, and has been considered broken since the release of the Sweet32 attack in 2016. Our internal analytics show that there are no longer any customers relying on 3DES. This change will, however, mean that EasyPost properties can no longer be accessed by customers using Internet Explorer on Windows XP. There is no safe way to browse the web using Internet Explorer on Windows XP, and we strongly recommend that any such customers upgrade to either a newer operating system or a newer browser such as Mozilla Firefox or Google Chrome.
By June 1, 2018, we will be disabling TLS version 1.0 for our website (www.easypost.com). The TLS 1.0 protocol is the successor to SSL 3.0; it was introduced in 1999 and superseded by newer versions of TLS in 2006. It has been considered moderately broken for at least the last eight years. This change is required for all websites which process any credit card information as per new Payment Card Industry guidelines. We are applying this change first to our website, which hosts the form that accepts customer payment information. This change will make our website inaccessible to the following clients:
- Android 4.3 or below
- Internet Explorer 10 or below on any version of Windows
- Java 7 or below
- Safari on Mac OS X 10.8 or below
- Any browser on iOS 5 or below
We strongly recommend that any customers using any of these environments upgrade as soon as possible.
By December 1, 2018, we will be disabling TLS 1.0 for our API (api.easypost.com) for much the same reasons as above. The following common API client platforms do not support modern, secure cipher suites and therefore will no longer be able to reach EasyPost:
- Java 7 or below
- easypost-ruby before v3.0.0, or any version of easypost-ruby running on Ruby < 2.0
- Python 2.6 or below
- Any .NET client on Windows Server 2008 R2 or below, unless the instructions in KB4019276 have been followed and .NET 4.5 or later has been installed
- Any Unix-like operating system using OpenSSL 1.0.0 or below as the system TLS/SSL library (including Ubuntu 10.04, RHEL/CentOS 5, and other pre-2012 Linux distributions)
Starting after June 1, we will run brief tests in which we disable TLS versions below 1.2 on api.easypost.com, in order to measure how many clients automatically negotiate TLS 1.2.
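One way to carry out the kind of measurement described above is to classify the ClientHello messages a server receives before anything is switched off. The following Python example is added here and is not EasyPost's code; it parses a minimal ClientHello record, flags the clients that would be affected by the 3DES and TLS 1.0 removals, and uses two constructed sample records rather than real traffic.

```python
import struct

# IANA cipher suite IDs that use 3DES: the suites the post disables on March 1, 2018.
TRIPLE_DES_SUITES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0xC008: "TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA",
    0xC012: "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA",
}
TLS10, TLS12 = 0x0301, 0x0303

def build_client_hello(version, suites):
    """Constructed test input: a minimal TLS record carrying a ClientHello."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    hello = (struct.pack("!H", version) + bytes(32)  # client_version + 32-byte random
             + b"\x00"                               # empty session_id
             + struct.pack("!H", len(cs)) + cs       # cipher_suites
             + b"\x01\x00")                          # compression_methods: null only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", TLS10, len(handshake)) + handshake

def parse_client_hello(record):
    """Return (client_version, offered suites). The version comes from the hello body,
    not the record header, which clients routinely pin to 0x0301. TLS 1.3 clients
    still send client_version 0x0303, so below 0x0303 means no TLS 1.2 support."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:]                                # skip record(5) + handshake(4) headers
    version = struct.unpack("!H", body[:2])[0]
    pos = 2 + 32                                     # past client_version and random
    pos += 1 + body[pos]                             # past session_id
    n = struct.unpack("!H", body[pos:pos + 2])[0]    # cipher_suites length in bytes
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + n, 2)]
    return version, suites

def assess(record):
    """Flag what a client sending this ClientHello loses under the announced changes."""
    version, suites = parse_client_hello(record)
    des3 = [TRIPLE_DES_SUITES[s] for s in suites if s in TRIPLE_DES_SUITES]
    return {
        "client_version": version,
        "offers_3des": des3,
        "breaks_on_3des_removal": bool(suites) and len(des3) == len(suites),
        "breaks_on_tls10_removal": version <= TLS10,
        "fails_tls12_only_test": version < TLS12,
    }

# Constructed samples: an old stack offering 3DES over TLS 1.0, and a modern one.
LEGACY_HELLO = build_client_hello(TLS10, [0x000A, 0x002F])   # 3DES + AES-128-CBC
MODERN_HELLO = build_client_hello(TLS12, [0xC02F, 0xC030])   # ECDHE AES-GCM suites
```

Fed with ClientHellos captured at the load balancer, `assess` separates clients that merely offer 3DES alongside stronger suites from those that would actually lose connectivity when 3DES or TLS 1.0 is removed.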
These changes are in line with general industry practice; below are some transition documents from other technology companies:
- Stripe
- Salesforce
- Comodo
- PayPal
- Apple enforced TLS 1.2 for all iOS applications with App Transport Security in iOS 9