Cipher Suite Change Reminder and How To Opt-Out of the Change

This is a reminder about the cipher suite changes that we announced last month, which will take effect soon on BrickFTP.

Beginning tomorrow, BrickFTP will be implementing the following changes:

• TLSv1.0 and TLSv1.1, which are insecure implementations of HTTPS used by Internet Explorer versions less than IE11 will no longer be supported. This will cause our site to stop working on IE9 and IE10 (unless their configuration is updated to allow newer TLS).
• SHA1 will no longer be supported as a supported message digest algorithm for SFTP.

[We also offer a way for you to opt-out of the changes. Please see below.]

Removing TLS1.0 is required by recent updates to the PCI standard, and it was recently announced that SHA1 has been broken and is no longer safe to use.

These changes will ensure that we remain one of the very few websites that earns an "A+" grade on the Qualys Labs SSL Grader, an automated audit of our implementation of SSL encryption for HTTPS.

The only action you need to take as a result of this change is to make sure that you aren't using Internet Explorer versions less than IE11, or using versions of FTP or SFTP clients that are outdated.

In response to customer requests, we have also added the ability for you to opt-out of these security updates. To opt out of the updates, please do the following:

• We have created a new option in our Configuration page, Security tab called "Enable Insecure Old Ciphers for HTTPS, FTPS, and SFTP for Compatibility."
• This new option will enable SSLv3, TLSv1.0, SHA1, and other ciphers that are known to be insecure but are required by older versions of clients.
• This option replaces a previous option that allowed SSLv3, but only for FTPS. The new option bundles all weaker ciphers into a single configuration option.
• Enable this option by signing in, clicking your name in the top right, click Configuration, then Security. It's the second option on the page.
• Changes will take place instantly.
• Please note that customers who enable this option will be directed to different physical servers (via different endpoint IP addresses) than customers who do not use this option. This way we can ensure that our main servers are fully locked down while enabling the weaker ciphers only for customers who need them.
• If you are whitelisting IP addresses, you should not need to whitelist any new IPs. We are just using a subset of our overall list for this opt-out program.
• Be aware that enabling this option is dangerous because an uninformed user of your site might think that they are using secure encryption when they are actually using encryption that is broken.
• You should treat all connections to your site as if they are fully insecure if you use this option.
• We strongly recommend that you do not use the opt-out option, but if you need it, it's here for you, either as a stopgap measure or for your permanent use.

And as always, if you require assistance with anything related to this security change, we're here for you! Just email support@brickftp.com or call 1-800-286-8372.