Browser Update Recommended by July 1, 2017
[Webmaster Note: This announcement should not affect the overwhelming majority of our users. Continue to read if you are curious or if you are using a browser from the last century.]
From our Web provider FinalSite:
In order to ensure a high level of security in our systems, and in compliance with upcoming Payment Card Industry standards, as of July 1, 2017, Finalsite will no longer support TLS 1.0. Users with browsers older than IE11, Chrome 22, Firefox 27, Safari 7, and Safari Mobile 5 will not be be able to access secure Finalsite hosted content. Our reporting indicates that this is less than 1% of users who visit Finalsite websites.
What is TLS 1.0, and why should I care about it?
TLS 1.0 is an encryption protocol, which is a way to keep network communications (such as web traffic, emails, form responses, text messages - anything that can be sent via the internet) private so that only the sender and the receiver can read it. TLS 1.0 is one method of performing encryption, but it has been supplanted by newer methods, creatively named TLS 1.1 and TLS 1.2.
Sounds great. So what's wrong with it?
TLS 1.0 is, under certain conditions, vulnerable to technical exploits that can leak data that should otherwise be unavailable. As a result, the PCI SSC has determined that TLS 1.0 be completely deprecated no later than September, 2017. TLS 1.1 and TLS 1.2 are built around different, more modern encryption techniques which are not vulnerable to those exploits.
TLS 1.0 has been in use since 1999. TLS 1.1 arrived in 2006, and 1.2 came on the scene in 2008. This means that any browser made in the last 10 years already supports the secure TLS 1.1 and 1.2 protocols.
Only browsers that were released almost 20 years ago, and which have not been updated since, are still stuck using TLS 1.0. This is a vanishingly small proportion of site users, and this change is not expected to have an impact on site availability. TLS 1.0 has been out of use since it was shown to be less than totally secure; this update only makes that official by removing the capability to use TLS 1.0 from modern browsers.