We want to keep you up-to-date on Fastly’s plan regarding the latest changes to the PCI DSS 3.1 standard, including changes to Transport Layer Security (TLS). In April 2015, the PCI Security Standards Council released the v3.1 update to the PCI DSS standard. This standard update excludes Secure Sockets Layer (SSL) 3.0, TLS 1.0, and some ciphers supported by TLS 1.1 from protocols supporting strong cryptography. This means the Council wants us to discontinue support for those protocols or ciphers, ensuring your ongoing security and that of your customers.
There have been serious and systemic security issues with earlier versions of TLS and its predecessor, SSL, including POODLE, Heartbleed, and LOGJAM. These threatened to break trust in fundamental methods of secure communication, exposing both you and your customers to breaches in security. The actions of the PCI DSS Council to maintain a high minimum bar are a step towards ensuring the security of all online business transactions.
These changes mean that Fastly has to raise the minimum versions of TLS we support, to notify you that we’re making these changes, and publish a plan on when and how impactful these changes may be to your applications. The following post outlines the Council’s changes and our plan for TLS 1.0 and 1.1 deprecation. This will exist as a record, for your reference; if you use TLS 1.0 or 1.1 for private communication to either client to edge and / or from the cache to origin data center, these changes will affect services on Fastly and we recommend you review this plan. Please reach out to our team at firstname.lastname@example.org with any questions or concerns.
Below are the specific requirements in the standard that have changed from previous versions of PCI DSS, and the subsequent action required:
2.2.3: Implement additional security features for any required services, protocols, or daemons that are considered to be insecure.
2.3: Encrypt all non-console administrative access using strong cryptography.
4.1: Use strong cryptography and security protocols to safeguard sensitive cardholder data during transmission over open, public networks.
Additionally, the updated requirements make distinctions between new and existing implementations of cryptographic protocols. Fastly is an existing implementation with services offered prior to the release of v3.1 requirements. This gives us time to disable support for the above protocols and allows you to adjust to these changes by lifting the the minimum client support to TLS 1.2 in order to ensure a seamless transition.
Based on Fastly’s existing implementation status, we have established the following migration plan to support TLS 1.2-only by June 30th, 2016, aligned with the Council's deadline of June 30th, 2016:
Continuously monitor the use of encryption protocols on the Fastly Network today.
As of this post, approximately 14% of traffic is using TLS 1.0, 0.05% of traffic is using TLS 1.1 and 85.95% of traffic is using TLS 1.2. SSL 3.0 was deprecated on October 14th, 2014 in response to the POODLE vulnerability.
Announce and communicate Fastly’s intention to migrate to TLS 1.2-only on July 1st, 2016 for both production and the Fastly administrative application.
Provide a Fastly migration deadline of inline with the PCI DSS v3.1 deadline of June 30th, 2016.
Disable TLS 1.0 and TLS 1.1 on June 30th, 2016.
We are using the time allowed by the PCI DSS v3.1 Council to notify you of our intention to deprecate TLS 1.0 and the weak ciphers in TLS 1.1 due to known weaknesses within these protocols. While a smooth transition in this case allows for minimal impact to those customers supporting older browsers and clients, we reserve the right to accelerate this migration if a vulnerability is discovered in order to protect both our customers and Fastly’s infrastructure.
If you have any additional questions or concerns regarding Fastly’s compliance effort, our PCI Level 1 Service Provider status, or questions about this migration plan, please feel free to contact our support team. We value your business and hope that this announcement demonstrates our commitment to keeping both you and your end users secure.