Accellion recently released a security patch, FTA_9_12_110, that allows IT administrators to disable TLS 1.0 and 1.1. (Accellion released a similar patch, kw_2016.02.00, for kiteworks customers in May.)
TLS, or Transport Layer Security, is a cryptographic protocol that provides communications security over a computer network. More simply, TLS provides the underlying security of an HTTPS connection. TLS is similar to SSL (Secure Sockets Layer), but TLS, including TLS 1.0, is more current and has, until recently, been considered more secure.
Serious security issues, however, have emerged when TLS 1.0 is used. Specifically, a vulnerability was discovered in late 2014 that enabled a man-in-the-middle exploit nicknamed POODLE (Padding Oracle On Downgraded Legacy Encryption). Researchers discovered that they needed to make only 256 SSL 3.0 requests to reveal one byte of encrypted messages, and that TLS 1.0 could also be exploited.
Concerns over the vulnerability were enough for the Payment Card Industry (PCI) Standards Council to declare TLS 1.0 no longer secure and to establish a deadline for compliance with TLS 1.2. As a result, after June 30, 2018, any organization using the TLS 1.0 protocol that accepts, transmits or stores any credit card number or cardholder data will no longer be PCI compliant. (It should be noted that the initial deadline was June 30, 2016; however, so few companies were able to demonstrate compliance, Accellion being one of the few, that the deadline was extended two additional years.)
With Accellion’s latest security updates, IT administrators are able to disable TLS 1.0 and 1.1. This ensures that all client connections use the secure and approved TLS 1.2 protocol. Despite the fact that this is the new security standard, the disabling capability remains an administrative function (read: optional) in order to support older clients that do not support TLS 1.0 and above.
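One way to confirm, after applying the patch and disabling the legacy versions, that the server no longer accepts them. This is an added example, not Accellion's code: it offers TLS 1.0 and TLS 1.1 in a hand-built ClientHello and reads the server's first record. The cipher-suite list is a constructed selection and the host passed to `probe()` is whatever system you administer.

```python
import os
import socket
import struct

LEGACY = {"TLS 1.0": 0x0301, "TLS 1.1": 0x0302}   # versions the patch can disable
NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
# Constructed cipher-suite selection (CBC/SHA-1 suites valid in TLS 1.0 and 1.1).
SUITES = [0xC014, 0xC013, 0xC00A, 0xC009, 0x0035, 0x002F, 0x000A]

def client_hello(version: int) -> bytes:
    """Minimal ClientHello (no extensions) offering `version` as the highest version."""
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (struct.pack("!H", version) + os.urandom(32)   # client_version, random
            + b"\x00"                                     # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                # null compression only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def classify(stream) -> str:
    """Read the start of the server's first record and say what it means."""
    header = stream.read(5)
    if len(header) < 5:
        return "no TLS reply"
    rtype, _, length = struct.unpack("!BHH", header)
    payload = stream.read(min(length, 6))
    if rtype == 0x15 and len(payload) >= 2:               # alert: level, description
        return f"rejected (alert {payload[1]})"
    if rtype == 0x16 and len(payload) == 6 and payload[0] == 0x02:  # ServerHello
        chosen = struct.unpack("!H", payload[4:6])[0]     # version the server picked
        return "accepted " + NAMES.get(chosen, hex(chosen))
    return "unrecognised reply"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Offer each legacy version in turn and record the server's answer."""
    results = {}
    for name, version in LEGACY.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(client_hello(version))
                with sock.makefile("rb") as stream:
                    results[name] = classify(stream)
        except OSError:                                   # reset, refused or timed out
            results[name] = "no TLS reply"
    return results
```

An `accepted` result for either version means that protocol is still enabled. Alert 70 is `protocol_version`; a different alert means the hello was refused for another reason, so confirm that result with a full TLS client.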
For customers using either the Accellion kiteworks or Accellion File Transfer (aka “Classic”) solution, we strongly encourage you to update your system with these patches in order to comply with this new standard.
If you have any questions or issues, please contact Accellion Support: