Update (Dec 22, 2016): The Payment Card Industry Security Standards Council has extended its deadline for phasing out TLS 1.0. As a result, we are re-evaluating our deprecation schedule for SHA-1 based ciphers, TLS 1.0, and TLS 1.1. Our SHA-1 signed certificate will still expire on December 29th.
We’re sticklers for API backwards-compatibility and make potentially breaking changes only when absolutely necessary. Our users’ security is paramount, so deprecating these outdated technologies is one of those rare cases. We hope their flawed designs become footnotes in cryptographic history as quickly as possible.
Why SHA-1, TLS 1.0 and 1.1 are insecure
SHA-1 is one of the algorithms you can use to authenticate who you’re talking to. It’s now considered dangerously weak, and might allow an adversary to spoof their identity. This is why all modern browsers have stopped accepting SHA-1 certificates.
TLS 1.0 and 1.1 ensure that your communications stay private. In order to do this, they generate a series of random bytes used to encrypt your connection. TLS 1.0 provides two ways of doing this (CBC and RC4), but several vulnerabilities have been discovered in both of them (including BEAST and the RC4 biases). If you kept using old versions of TLS, someone could theoretically sniff your connection.
As a result, Stripe and the rest of the internet are moving towards SHA-2 and TLS 1.2. These technologies have few known attacks and were subject to more rigorous security design than their predecessors.
What this means for you
The upgrade process will be seamless for most users. At the application layer, SHA-2 and TLS 1.2 behave identically to their older versions. You won’t need to change your code, but might need to upgrade your operating system or packages. To avoid any disruption, we’ll notify you directly if we expect your integration to be affected.
- Starting July 1, 2016, for new Stripe users, we will only accept API requests made with TLS 1.2.
On January 1, 2017, we will drop support for SHA-1 in favor of SHA-2. We will also drop support for TLS 1.0 entirely.
On May 1, 2017, we will drop support for TLS 1.1 entirely.
If you’ve upgraded your Stripe library and operating system in the past year, you probably won’t need to do anything. You can proactively check whether your Stripe integration is ready, and how to upgrade, by following the steps on our TLS deprecation page.
As always, if you have any questions, please don’t hesitate to get in touch.