January 2020 Security Updates
by James Brown
As mentioned in our 2018 blog post entitled "Upcoming Security Updates", EasyPost is officially phasing out support for older versions of the Transport Layer Security (TLS) protocol (formerly known as SSL, or Secure Sockets Layer) for connections to our API. TLSv1.0 and TLSv1.1 have known security risks, and have been phased out across the Internet in favor of newer versions since the publication of RFC 5246 in 2008. Below is an updated schedule for this deprecation:

| Date and time | Change |
| --- | --- |
| Tuesday, January 7, 2020 13:00 PST | TLSv1.0 disabled for 15-minute test |
| Tuesday, January 14, 2020 13:00 PST | TLSv1.0 disabled for 15-minute test |
| Wednesday, January 15, 2020 13:00 PST | TLSv1.0 permanently disabled |
| Tuesday, January 21, 2020 13:00 PST | TLSv1.1 disabled for 15-minute test |
| Wednesday, January 22, 2020 13:00 PST | TLSv1.1 disabled for 15-minute test |
| Thursday, January 23, 2020 13:00 PST | TLSv1.1 permanently disabled |

At the conclusion of these changes, we will exclusively support the TLSv1.2 protocol. We expect to add experimental support for the TLSv1.3 protocol later in 2020.
As of January 15th, the following clients will no longer be able to access EasyPost:
- Java 7 or below
- easypost-ruby before v3.0.0, or any version of easypost-ruby running on Ruby < 2.0
- Python 2.6 or below (please note: all Python 2.x versions are now officially deprecated)
- Any .NET client on Windows Server 2008 R2 or below that has not followed the instructions in KB4019276 and has not installed .NET 4.5 or later.
- Any Unix-like operating system using OpenSSL 1.0.0 or below as the system TLS/SSL library (including Ubuntu 10.04, RHEL/CentOS 5, and other pre-2012 Linux distributions)
Our engineering and technical support teams have been working with customers for the last twelve months to ensure that everybody's updated, and we're glad to report that over 99.6% of our traffic now comes from supported clients. If you have any questions or concerns, please contact our support team at support@easypost.com.
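
To check a client runtime against the TLSv1.2-only requirement described above, the following added example (not EasyPost code) has Python's `ssl` module write its ClientHello into memory, with no network connection, and parses out the protocol versions it offers. The host name `example.invalid` and the TLSv1.1-capped sample hello are constructed for illustration.

```python
import ssl
import struct

TLS12 = 0x0303  # wire value for TLSv1.2 (1.0 = 0x0301, 1.1 = 0x0302, 1.3 = 0x0304)

def client_hello(ctx):
    """Return the ClientHello bytes this context would send; nothing touches the network."""
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # example.invalid is a placeholder host name, used only for SNI
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname="example.invalid")
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client has written its hello and waits for a reply
    return outgoing.read()

def offered_versions(hello):
    """Versions listed in supported_versions, or the single highest version for older hellos."""
    if len(hello) < 44 or hello[0] != 0x16 or hello[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    legacy = struct.unpack_from("!H", hello, 9)[0]      # highest version a pre-1.3 client offers
    pos = 9 + 2 + 32                                    # skip legacy_version and random
    pos += 1 + hello[pos]                               # session_id
    pos += 2 + struct.unpack_from("!H", hello, pos)[0]  # cipher_suites
    pos += 1 + hello[pos]                               # compression_methods
    if pos + 2 > len(hello):
        return {legacy}                                 # no extensions block at all
    end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", hello, pos)
        pos += 4
        if ext_type == 43:                              # supported_versions (RFC 8446)
            count = hello[pos]
            return {struct.unpack_from("!H", hello, pos + 1 + i)[0] for i in range(0, count, 2)}
        pos += ext_len
    return {legacy}

def offers_tls12(hello):
    """True if a TLSv1.2-only server could complete version negotiation with this client."""
    return TLS12 in offered_versions(hello)

def legacy_hello():
    """Constructed sample: a minimal ClientHello from a client capped at TLSv1.1."""
    body = b"\x03\x02" + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

if __name__ == "__main__":
    print("TLS library:", ssl.OPENSSL_VERSION)
    print("this runtime offers TLSv1.2:", offers_tls12(client_hello(ssl.create_default_context())))
    print("TLSv1.1-capped sample offers TLSv1.2:", offers_tls12(legacy_hello()))
```

A client pinned to TLSv1.3 only also fails this check, which matters while the server side supports TLSv1.2 exclusively.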