Auth0 Security Notification:

Action Required:  Upgrade to TLS 1.2 or later

What is changing?

The Auth0 network edge and all Auth0 endpoints to only accept traffic secured with TLS 1.2 or later starting March 22, 2021. As of that date, any traffic secured with TLS 1.0 or 1.1 will be rejected.

Why are we making this change?

TLS 1.0 and 1.1 are legacy, insecure protocols. Continuing to support these protocols leaves our service vulnerable to TLS downgrade attacks, in which an attacker forces the connection to occur over a weaker TLS version that can be broken. Along with the rest of the industry, Auth0 is retiring support for these legacy protocols to better protect our customers and their traffic.

How are you affected?

Auth0 Response:  An internal traffic analysis indicates that your tenants are still using either TLS 1.0 or 1.1. The deprecation of these legacy protocols will therefore impact your tenants since any clients still attempting to connect with TLS 1.0 or 1.1 after March 22, 2021 will fail during TLS handshake. These errors will be visible to the client and will manifest as client-side connection-failures.

FileTrac Response:  FileTrac has always met this standard and this could relate to any of our customers using an old internet browser, such as Internet Explorer or others that are no longer supported or any legacy domains that have not been updated to current standards.  For anyone using the latest version of Chrome or Microsoft Edge, this should have no impact.

What action do you need to take?

Auth0 Response:  Upgrade your Auth0 clients to use TLS 1.2 or later, using modern, secure ciphers. For maximum security, we also recommend explicitly disabling TLS 1.0 and 1.1 where possible. The exact details and steps required will vary, depending on your application and client.

FileTrac Response:  Please click on the Tool link below in order to confirm that your browser meets the required standards.  If it does, then the top box will reflect that “Your user agent has good protocol support”.  If it does not say this, then please change your browser to a modern and currently supported browser or contact your internal IT department. 

https://clienttest.ssllabs.com:8443/ssltest/viewMyClient.html

Useful Resources: