Many of you have contacted us after receiving emails from your banks about the shutdown of the TLS 1.0 and 1.1 protocols and the obligation to switch to TLS 1.2. These emails are sent by banks that have set up a Virtual Electronic Payment Terminal (TPE) for our customers. The banks require that the servers they exchange data with use only the TLS 1.2 protocol, so as not to expose a known security vulnerability. To meet this requirement, we updated our servers to the TLS 1.2 standard a few weeks ago.
You can check this from your browser by clicking the padlock icon next to the URL of your OpenFlyers platform and then displaying the details. You should find the mention TLS 1.2 in the information related to the certificate.
This concerns both TPE and non-TPE customers. The standard applies to everyone because it rests on the absence of known flaws. The old protocols are considered unreliable.
As a reminder, all OpenFlyers platforms in version 4 are accessible over HTTPS only. Thus, even if a user enters HTTP in the URL of their platform, the URL is rewritten with the HTTPS prefix.
For customers on version 3 or lower, HTTPS access is available only if the organization has subscribed to the HTTPS option. In addition, users must use the URL with the HTTPS prefix to benefit from this protection.
The impact on end users should normally be low, since all recent browser versions are compatible with this protocol.
Nevertheless, you can find a list of compatible browser versions here: https://caniuse.com/#search=TLS1.2
For information, here are the version numbers from which each browser is compatible with TLS 1.2:
- Internet Explorer (which we strongly advise against in general): 11
- Edge: 16
- Firefox: 58
- Chrome: 49
- Safari: 11
- iOS Safari: 10.2
- Opera Mini: without restriction
- Chrome for Android: 64
- UC Browser for Android: 11.8
- Samsung Internet: 4
It must be understood that this change affects not just OpenFlyers but all eCommerce sites. Users who have not updated their browsers will therefore be blocked not just on OpenFlyers but on all eCommerce sites. It is therefore essential for them to update their browser.
Servers that interface with OpenFlyers for identification control are also affected. We have updated the example PHP script:
Note that, for this script to work, the server must run at least PHP 5.6 and use at least OpenSSL 1.0.1.
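The following preflight check is an added example, not the OpenFlyers example script: it tests the PHP 5.6 and OpenSSL 1.0.1 minimums stated above and, if a host name is passed on the command line, attempts a handshake that offers TLS 1.2 only. The function names are hypothetical.

```php
<?php
// Added example, not OpenFlyers' script; function names are hypothetical.

/** List unmet TLS 1.2 prerequisites (an empty array means ready). */
function tls12_prerequisite_problems()
{
    $problems = [];
    if (version_compare(PHP_VERSION, '5.6.0', '<')) {
        $problems[] = 'PHP ' . PHP_VERSION . ' is older than 5.6';
    }
    if (!extension_loaded('openssl')) {
        $problems[] = 'the openssl extension is not loaded';
    } elseif (OPENSSL_VERSION_NUMBER < 0x1000100f) { // 0x1000100f is the 1.0.1 release
        $problems[] = OPENSSL_VERSION_TEXT . ' is older than 1.0.1';
    }
    if (!defined('STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT')) {
        $problems[] = 'this PHP build has no TLS 1.2 client method';
    }
    return $problems;
}

/** Handshake with $host offering TLS 1.2 only; true if it completes. */
function tls12_handshake_ok($host, $port = 443, $timeout = 10)
{
    $context = stream_context_create(['ssl' => [
        'verify_peer'      => true, // keep certificate validation on
        'verify_peer_name' => true,
        'peer_name'        => $host,
    ]]);
    $fp = @stream_socket_client("tcp://$host:$port", $errno, $errstr,
        $timeout, STREAM_CLIENT_CONNECT, $context);
    if ($fp === false) {
        return false; // TCP connection failed
    }
    // Offer TLS 1.2 and nothing else, so no older version can be negotiated.
    $ok = @stream_socket_enable_crypto($fp, true, STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);
    fclose($fp);
    return $ok === true;
}

$problems = tls12_prerequisite_problems();
if ($problems) {
    echo "Not ready for TLS 1.2:\n - " . implode("\n - ", $problems) . "\n";
    exit(1);
}
echo "PHP and OpenSSL meet the TLS 1.2 prerequisites\n";
if (isset($argv[1])) { // optional: host name of the platform to test
    echo tls12_handshake_ok($argv[1]) ? "TLS 1.2 handshake OK\n" : "TLS 1.2 handshake failed\n";
}
```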
OpenFlyers is committed to monitoring and complying with changes in standards and regulations. This security change follows the one concerning payment receipts (https://openflyers.com/en/news/final-ability-of-account-writings-and-payment-recusage), which was imposed on us as of January 1, 2018. To make this information easier to find, we have created a page in our public documentation that lists the regulations we follow: https://openflyers.com/en/doc/of4/Standards-and-regulations.