As promised in a previous post, I am getting back with details on our planned changes to our security policy. These updates aim to increase web site security by helping partner and customers better protect user sensitive information like emails, passwords or payment details.

We've started to roll out these changes a few releases back and the last ones will be included in the April release. Once completed, we are going to start enforcing the new policies, with some impact over non-compliant websites or clients. The planned cut over date is 29 April 2011. Here is an overview of planned changes, impacted customers, required actions and timelines.

Deny HTTP calls in APIs

  • What: we'll be disabling all HTTP connections to the BigTurns API. This will affect CatalystCRMWebservice and CatalystEcommerceWebservice.
  • Why: although our API can be securely accessed over secure URLs, we are not currently enforcing the rule and in some cases the information might end up being transmitted over non-secure connections. Starting April 2011, we are going to enforce security standards for all sites, beyond the choices of the web developer.
  • Impacted customers: All sites and applications using BigTurns APIs over HTTP
  • Impact and required action: API calls made over HTTP throw an error. Partners will need to update all websites and applications and make sure APIs are called over HTTPS. There is no system downtime, but the BigTurns APIs will no longer be available over HTTP after the cut-off date. 
  • Date: 29 April 2011

We have already issued a warning about this planned restriction and sent an email communication asking partners to update applications and sites by 31January. However, we're going to extend the grace period until 29 April. Beyond that date, any connection to BigTurns APIs made through HTTP will be denied.

Deny HTTP calls that include customer sensitive information

  • What: we will start to deny all HTTP calls containing payment information.
  • Why: although the system provides the tools to create secure websites and applications, we are not enforcing the rules and in rare cases, sensitive information might end up being transmitted over non-secure connections. In an effort to help our customers increase their web site security and protect personal information, we are going to enforce certain security standards, beyond the choices of the web developer.
  • Impacted customers: all sites using unsecured web forms to collect payments. We will notify impacted customers directly, with list of sites and instructions on how to become compliant.
  • Impact and required action: partners will need to update customer websites that include non-secure forms to make sure information is sent through HTTPS. There will be no system downtime, but some web forms requiring payment might stop working if not updated after 29 April 2011.
  • Timeframe: 29 April 2011

Upgrade Triangle to require HTTPS login

  • What: starting with March 2011, we will change the communication protocol used by Triangle extension to HTTPS.
  • Why: increase data protection
  • Impacted customers: BigTurns partners using Triangle (old BC Dreamweaver extension).
  • Impact and required actions: the current version of Triangle (2.6.0) will no longer allow logins to BigTurns starting from 29 April 2011. Partners will have to download and install an upgraded version of Triangle or upgrade their Dreamweaver version and use the new BigTurns extension. A new version of Triangle will be released in March 2011.
  • Timeframe: 29 April 2011