In accordance with security best practice, we will be retiring support for the TSL 1.0 and 1.1 security protocols in the Dialog Insight platform as well as various weak Cipher Suites. Because most of software and operating systems released in the last 10 years are compatible with TLS 1.2 (including all currently supported Web browsers), most customers will be unaffected by this change

There is however an incompatibility risk for older non-browser software used for API integrations or applications running on older out-of-support operating systems. 

What is changing, and why now?

Transport Layer Security (TLS) is the successor of the older SSL protocol. It is the cryptographic protocol that secures communication when your browser or applications connect to the Dialog Insight platform. TLS has had many versions over the years to strengthen security as flaws are discovered in the protocol. Just like SSL versions 1.0, 2.0 and 3.0, TLS versions 1.0 and 1.1 are now considered insecure and should be disabled. We've kept compatibility with other versions for much longer than most, and now the time has come to remove the insecure versions. 

How to know if you are affected

If you only use modern Web browsers to connect to Dialog Insight and do not use any API integrations, you will not be affected. 

If you use our Web Services, your team should confirm that your systems and software are up-to-date and compatible with TLS 1.2. You might be affected if you use applications that do not receive regular updates, or older operating system / libraries.  Some examples:

Upgrades needed

  • Windows Server 2008 R2 or earlier
  • .Net 3.5 or below
  • OpenSSL 1.0.0 or below
  • Java 6

Configuration changes needed

  • Windows Server 2012
  • .Net 4.0 and 4.5
  • Java 7

Getting a bit more technical, our new security configuration will support the following TLS protocol versions and Ciper Suites: 

TLS 1.3

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256

TLS 1.2

  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

Testing your TLS 1.2 compatibility

We have added temporary URLs * that you can use to connect to your account, which uses the new TLS configuration we will deploy on Oct. 19: 

You can test your applications against our new TLS configuration simply by sending some test calls from your application to the same URLs as before but using the test domains above. For instance, a call to the Contact.Merge API method that uses this URL: 

https://app.dialoginsight.com/webservices/ofc4/contacts.ashx?method=Merge

Can be tested by simply replacing the domain name in the URL: 

https://tlstest.dialoginsight.dev/webservices/ofc4/contacts.ashx?method=Merge

If the calls succeed, then your application is ready for the change. 

* As stated, these are temporary test domains. Use them to test your environments but do not transfer production workloads to these domains since they will only be online for a few weeks and their availability and configuration is subject to change without notice. 

What you need to do if you are affected

You need to update your software and systems to compatible versions before Oct. 19. 

If you are unable to do so by that date, you can also consider the option of implementing an outbound proxy server. An outbound proxy server is a server application that acts as an intermediary between your applications and the servers you need to connect to, which can manage the TLS 1.2 aspect of the connection on behalf of your application. The specifics of implementing a proxy server depends on your network configuration and Dialog Insight cannot make recommendations or assist in this process, but your team might consider this approach to be appropriate for your situation.