Raising the Security Bar with TLS 1.2

310
LaunchDarkly-SDK-TLS-1.2-Security-image

LaunchDarkly will require TLS 1.2 for all public connections after March 31, 2020.

LaunchDarkly has prioritized security and privacy from day one – we required secure web connections to the LaunchDarkly service ever since we opened our flag management doors in 2015. Like the majority of cloud services, we use Transport Layer Security (TLS) to ensure that any communication with LaunchDarkly is encrypted, authenticated, and reliably unaltered.

New minimum Transport Layer Security version

Currently, the LaunchDarkly service secures connections using TLS versions 1.0, 1.1, and 1.2. The Payment Card Industry Security Standards Council recommended vendors require at least TLS 1.1 by June 2018, but LaunchDarkly did not enforce a TLS 1.1 minimum at that time because LaunchDarkly does not process payments, and many of our customers still used TLS 1.0. Now, with major browser developers moving to a TLS 1.2 minimum by March 2020, LaunchDarkly has decided it is the correct time to make the change.

After March 31, 2020, LaunchDarkly will require TLS 1.2 for all public connections. What does that mean for you? Possibly nothing if your LaunchDarkly-powered application is running on a platform version that was released in the past 12 years since the TLS 1.2 protocol version was released. We’ve observed that most of our TLS 1.0 connections are originating from Android, Java, or .NET SDKs – likely running on very old platform versions. In fact, it seems likely that apps running on Java 7 (released 2011) or Android 4.3 (2012) might not support TLS 1.2 out of the box.

SDK End of Life Policy

A couple weeks ago, we announced an update to our End of Life (EOL) Policy for SDKs stating that we will actively support a platform version until it has reached EOL status. Most platform versions failing to support TLS 1.2 will no longer be supported by LaunchDarkly after February 29, 2020, when the End of Life Policy change takes effect. Some .NET applications may require configuration changes to support TLS 1.2.

Recommended SDK versions

Speaking of our EOL Policy, if you haven’t upgraded your LaunchDarkly SDK in the past year or two, now is a great time to do that so you can start off the new year with a fresh SDK version full of the latest enhancements. The current supported SDK versions are listed on the EOL Policy page, but I’ll summarize the deprecated versions below. I’ve omitted from the table SDKs without deprecated versions.

SDK-TLS-1.2-Security Update

Rest assured, LaunchDarkly’s Support and Customer Success teams will work closely with our customers who are making a significant number of web connections using TLS 1.0, so we can all move forward together to a world with better network security.

 

Avatar
Arun has been developing software professionally for over 20 years. Before joining LaunchDarkly, he was a team lead at Atlassian, where he was responsible for development and engineering operations of the Atlassian Marketplace; there he had the pleasure of working alongside John, Patrick, Alexis, and Maleko. Prior to that, he was an engineering manager at Coverity. Arun holds a MS in Computer Science and a BA in Linguistics from the University of Illinois. In his free time, he enjoys road cycling, brewing beer, and playing drums in a rock & roll band.