There is a lot happening in the software industry regarding TLS (Transport Layer Security) and we have a few announcements for what is going to be changing in the coming year with Lucity and TLS.
TLS supersedes SSL. Ideally all systems should be using TLS (v1.2) instead of SSL, so we will begin using the term TLS instead of SSL in all of our communications and documentation. Please note however, that most providers of security certificates (e.g. – DigiCert, Verisign, etc.) will still refer to them as SSL Certificates. Rest assured that any recent certificate that you’ve obtained from a reputable provider will support both the older SSL (v3) as well as TLS, so you won’t necessarily need to obtain a new certificate.
All security certificates should be using the SHA-2 encryption algorithm. If you are requesting a new certificate, or have requested one since November 2014, they should already meet this requirement. If you already have certificates, it is important to verify that they meet the SHA-2 requirement. See here for some discussion on why this is important.
Some features in modern browsers will stop working if you are not using TLS. For example, the Chrome browser will refuse to allow access to the user’s current location. This would prevent any “zoom to my location” features to work in web maps. This is not the only feature they are planning to block, but may be the first one your organization will notice. It is likely that more features will be deprecated over HTTP in the future.
Apple is also increasing requirements related to TLS. Starting the end of this year, Apple plans to block any app submissions to their app store that allow non-TLS connections. To be in compliance with Apple’s requirements Lucity will be requiring a TLS (v1.2) secure connection to Lucity Mobile Server in an upcoming release (Summer/Fall 2016). Regardless of what version of Lucity server you are on, to continue using the Lucity Mobile product for iPad and iPhone, you will be required to use TLS (v1.2) with a properly configured certificate.
We highly encourage you to consider TLS for all Lucity web server applications (Lucity Web, Lucity Citizen Portal, Lucity REST API, and Lucity Identity Server). This is particularly important for any of these applications exposed over the public internet.
If you have concerns or questions over these changes, please do not hesitate to contact us.