Changes to TLS (and HTTPS) cipher suites

PassFort stores highly sensitive information, so we are continually assessing our security practices to ensure they are up-to-date. As a result of our latest assessment, we will be introducing a new security measure which has the potential to impact customers directly.

When clients connect to PassFort's portal or API over HTTPS, the client and server agree on a cipher to use for the encrypted communication. For this to succeed, there must exist a cipher which is supported by both parties. On PassFort's side, a set of supported ciphers has been chosen with the goal of maximum compatibility, since older clients may not support newer ciphers.

However, we have found that several of the ciphers we support are vulnerable to an attack known as LUCKY13. As a result, we will be restricting the cipher-suite we support to eliminate those ciphers which are vulnerable to this attack.

The following ciphers will continue to be supported:

  • ECDHE-ECDSA-CHACHA20-POLY1305
  • ECDHE-RSA-CHACHA20-POLY1305
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES256-GCM-SHA384

It is important that any HTTP clients you use to connect to PassFort (whether that's a browser or a software library) support at least one of these ciphers. This should be the case for all existing browsers as long as they are up-to-date. If you are unsure which ciphers are supported by your HTTP client, you can follow the instructions at https://www.howsmyssl.com/s/api.html. If your client does not support one of these ciphers, then you may need to upgrade the client to a more modern version.

In order to make this transition as smooth as possible, customers will have 3 months before we begin rolling out the changes (i.e. we will begin rolling out changes from October). We will then begin a trial period where we temporarily enable the new measures. If no issues are reported following this event then we will continue and enable the new features permanently.