As promised in a previous post, I am getting back with details on our planned changes to our security policy. These updates aim to increase website security by helping partners and customers better protect sensitive user information such as emails, passwords or payment details.
We started rolling out these changes a few releases back, and the last ones will be included in the April release. Once that is complete, we are going to start enforcing the new policies, which will have some impact on non-compliant websites and clients. The planned cut-over date is 29 April 2011. Here is an overview of the planned changes, the impacted customers, the required actions and the timelines.
Deny HTTP calls in APIs
- What: we will disable all HTTP connections to the BigTurns API. This will affect CatalystCRMWebservice and CatalystEcommerceWebservice.
- Why: although our API can be securely accessed over secure (HTTPS) URLs, we are not currently enforcing the rule, and in some cases the information might end up being transmitted over non-secure connections. Starting April 2011, we are going to enforce security standards for all sites, regardless of the choices of the web developer.
- Impacted customers: all sites and applications using BigTurns APIs over HTTP.
- Impact and required action: API calls made over HTTP will throw an error. Partners will need to update all websites and applications and make sure the APIs are called over HTTPS. There is no system downtime, but the BigTurns APIs will no longer be available over HTTP after the cut-off date.
- Date: 29 April 2011
We have already issued a warning about this planned restriction and sent an email communication asking partners to update their applications and sites by 31 January. However, we are going to extend the grace period until 29 April. Beyond that date, any connection to the BigTurns APIs made over HTTP will be denied.
Deny HTTP calls that include customer sensitive information
- What: we will start to deny all HTTP calls containing payment information.
- Why: although the system provides the tools to create secure websites and applications, we are not enforcing the rules, and in rare cases sensitive information might end up being transmitted over non-secure connections. In an effort to help our customers increase their website security and protect personal information, we are going to enforce certain security standards, regardless of the choices of the web developer.
- Impacted customers: all sites using unsecured web forms to collect payments. We will notify impacted customers directly, with a list of sites and instructions on how to become compliant.
- Impact and required action: partners will need to update customer websites that include non-secure forms to make sure the information is sent over HTTPS. There will be no system downtime, but some web forms requiring payment might stop working if they are not updated by 29 April 2011.
- Timeframe: 29 April 2011
Upgrade Triangle to require HTTPS login
- What: starting in March 2011, we will change the communication protocol used by the Triangle extension to HTTPS.
- Why: increase data protection.
- Impacted customers: BigTurns partners using Triangle (the old BC Dreamweaver extension).
- Impact and required actions: the current version of Triangle (2.6.0) will no longer allow logins to BigTurns starting from 29 April 2011. Partners will have to download and install an upgraded version of Triangle, or upgrade their Dreamweaver version and use the new BigTurns extension. A new version of Triangle will be released in March 2011.
- Timeframe: 29 April 2011