TLS cipher suite changes

48 views
Skip to first unread message

Developer at MBTA

unread,
Nov 2, 2021, 4:01:51 PM11/2/21
to MBTA Developers

Hi developers, 

The MBTA is working toward the goal of strengthening the security of our web applications. We recently dropped support for TLS 1.0 and 1.1, two outdated protocols for transmitting data securely online. 

Soon, we will be taking the additional measure of removing support for weak ciphers in TLS 1.2. This is being done to: 

  • Ensure online communication between the MBTA and its customers is secure 

  • Ensure that the data exchanged is trustworthy and that it cannot be manipulated by third parties 

  • Ensure forward secrecy of data, meaning that the content of communications remains encrypted in the future even if the underlying keys used to encrypt it are compromised 

Beginning on 11/15/21, the V3 API will only support connections using TLS 1.2 and the following cipher suites: 

  1. TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 

  1. TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 

  1. TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 

  1. TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 

Additionally, we are planning on implementing support for TLS 1.3 as soon as it is supported by our infrastructure providers. 

We are announcing this change proactively, as it may impact the availability of the V3 API from some older clients and devices, including (but not limited to): 

  1. Windows 8.1 and older 

  1. Windows Server 2012 R2 and older 

  1. iOS 8.4 and older 

  1. macOS/OS X 10.10 and older 

If you rely on a device or operating system which does not support TLS 1.2 with the cipher suites listed above, we recommend that you upgrade as soon as possible in order to maintain a secure browsing experience online. 

–Developer@MBTA

Reply all
Reply to author
Forward
0 new messages