Update June 17th, 2019: LuxSci has pushed back the general date of the transition to TLS 1.2-only support to January 1st, 2020. This matches the timeline set by most browser vendors and others for abandoning the old versions of TLS and gives existing customers more time to upgrade their systems. However, new dedicated LuxSci customers will be placed on servers that support only TLS 1.2+ starting this week. The rolling update window is now January 1st through January 31st, 2020.
That said, LuxSci will still be transitioning to requiring TLS 1.2+ support for email transmission ("Forced TLS") during the July-August, 2019 window.
Additionally, any dedicated customer that would like to transition to TLS 1.2+ sooner may do so at any time by asking LuxSci support.
See the original blog post: LuxSci to upgrade all Systems to support only TLS v1.2+ only
---------------------------------------------
LuxSci will be removing support for TLS v1.0 and TLS v1.1 from its services starting July 1st, 2019. This update will be a rolling change to all servers that will take place between July 1st and August 31st, 2019.
TLS v1.0 and TLS v1.1 are very old transport security protocols that have been succeeded by the much more secure TLS v1.2, which came out way back in 2008. All major web browsers released in the last 6+ years support TLS 1.2. Older web browsers may or may not support it (check your browser - https://www.projectdatasphere.org/projectdatasphere/html/tls/faq); however, less than 1% of web traffic across the world actually uses the older protocols TLS 1.0 and 1.1.
TLS 1.0 and 1.1 are showing their age and security weaknesses have been cropping up for a while. Requirements for PCI compliance have mandated using TLS 1.2+ only since last summer and NIST best practices for TLS usage suggest moving away from older versions of TLS soon. LuxSci has been locking down dedicated customers that require use of only TLS 1.2+ for some time as well. In 2020, most major web browser vendors will be completely dropping support for TLS 1.0 and 1.1 as well. See: https://www.bleepingcomputer.com/news/security/tls-10-and-tls-11-being-retired-in-2020-by-all-major-browsers/
So, it really is time to give up the ghost. During the rolling maintenance period of July and August, LuxSci will be removing TLS 1.0 and 1.1 support on all dedicated and shared servers. This change affects:
* Web site hosting (i.e., what TLS versions your LuxSci-hosted web site will accept).
* Email sending via SMTP
* Email checking via POP and IMAP
* LuxSci's WebMail and administration portals
* LuxSci's Spotlight Mailer interface
* LuxSci's SecureForm for posting services
* Connections to LuxSci's APIs
* Email open and click tracking
* SMTP Forced TLS. We will only support forced outbound TLS with SMTP servers that support TLS v1.2+. We may still support opportunistic TLS with legacy SMTP servers; however, we will no longer consider such communications to be secure enough for compliance.
In general, most customers will not notice any difference. However, if you use old, legacy systems, you will want to be sure that you either (a) upgrade your systems, or (b) ensure that your systems will support TLS 1.2 for connections to LuxSci's servers.
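One way to check a system ahead of the cutoff, as an added example that is not LuxSci's own code: the Python script below connects with a client that refuses anything older than TLS 1.2 and reports the version each service negotiates. The host name `mail.example.com` and the port list are placeholder assumptions; substitute the server names and ports from your own account settings.

```python
import smtplib
import socket
import ssl

def tls12_context() -> ssl.SSLContext:
    """Client context that, like the upgraded servers, refuses TLS 1.0/1.1."""
    ctx = ssl.create_default_context()  # keeps certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def local_stack_ready() -> bool:
    """True if this machine's Python/OpenSSL build can speak TLS 1.2 at all."""
    return ssl.HAS_TLSv1_2

def negotiated_version(host, port, smtp_starttls=False, timeout=10):
    """Handshake with host:port and return the agreed version, e.g. 'TLSv1.2'."""
    ctx = tls12_context()
    if smtp_starttls:  # SMTP submission: plaintext greeting, then STARTTLS
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)
            return smtp.sock.version()
    # HTTPS, IMAPS, POP3S: TLS starts immediately after the TCP connect
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()

def check(host, endpoints):
    """Probe each endpoint; a failed handshake is recorded, not raised."""
    results = {}
    for name, (port, smtp_starttls) in endpoints.items():
        try:
            results[name] = negotiated_version(host, port, smtp_starttls)
        except (ssl.SSLError, OSError, smtplib.SMTPException) as exc:
            results[name] = f"FAILED: {exc}"
    return results

# Assumed standard ports; confirm the ones your account actually uses.
ENDPOINTS = {
    "https": (443, False),
    "imaps": (993, False),
    "pop3s": (995, False),
    "smtp-submission": (587, True),
}

if __name__ == "__main__":
    print("local TLS 1.2 support:", local_stack_ready())
    for name, result in check("mail.example.com", ENDPOINTS).items():  # placeholder host
        print(f"{name:16} {result}")
```

This exercises the Python/OpenSSL stack on the machine it runs on; an application that bundles its own TLS library has to be tested through that application.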
For customers with dedicated servers that do not have specific compliance requirements (i.e., HIPAA or PCI), LuxSci can leave your server supporting TLS 1.0 and 1.1 through December 31st, 2019. If you require this extension, please contact LuxSci technical support.
Posted Apr 08, 2019 - 13:36 EDT
This scheduled maintenance affected: LuxSci Network Infrastructure, Shared WebMail, SecureForm, and LuxSci Secure Marketing v2.