Does the Esri ArcGIS Platform and TLS Protocol Support Update affect you?

The short answer: most likely.

On Nov. 14, 2018, Esri released Important Updates for the ArcGIS Platform and Transport Layer Security (TLS) Protocol Support. This update requires ArcGIS Online clients all over the globe to be compliant with TLS 1.2 by February 2019.  

If you are a regular Esri Online client user, you’re thinking that’s a little over two months’ notice, and that we are in the midst of the holiday season and the end of the year. In our experience with Esri over the years, we cannot remember many situations where Esri released a significant update with such a short time frame. With the shorter-than-usual deadline, we are taking this update seriously.

Most GIS managers we’ve spoken with are finding themselves in a bit of a scramble to understand what’s going on, and to negotiate and plan within their organizations to have the updates applied by February. In the post below, we dig into the details and outline an initial action plan to help you get started.

 

Where did this security-focused update originate?

Esri products are widely used in the private and public sectors. Some data traditionally regarded as open data has recently been hacked and forged for evil purposes, which, unfortunately, could be the prompt for this update.

As we face the ever-intense battle between privacy, hacking and protection, Esri has taken an almost unprecedented step to better secure the data, spatial and non-spatial, in the Esri enterprise ecosystem.

LOGIC suggests all Esri users move to TLS 1.2 as early as possible, not only because Esri says so, but also because TLS 1.2 does offer more secure communication.

 

What is TLS and most importantly, what’s the difference between TLS 1.2 and 1.1?

TLS (Transport Layer Security) is a cryptographic protocol to encrypt the data transmitted over networks. TLS is the successor of SSL (Secure Sockets Layer), even though most people outside of the security domain are still referring to the protocol as SSL.

 

What makes TLS 1.2 an improvement over 1.1?  

TLS 1.2 has a more secure and dynamic encryption method than its earlier 1.1 release.

  • TLS 1.2 uses more secure hash algorithms such as SHA-256. TLS 1.1 uses SHA-1. SHA-256 generates a 256-bit-long hash code, while SHA-1 generates a 160-bit-long hash code. Due to SHA-1’s smaller bit size, TLS 1.1 has become more susceptible to attacks, which led significant SSL certificate issuers to deprecate SHA-1 beginning in January 2016.

  • TLS 1.1 uses the MD5/SHA-1 combination in the digitally-signed element, which translates into TLS 1.1 negotiating a single hash during the digital handshake process. In layman’s terms, instead of using a single hash, TLS 1.2 generates a dynamic hash code for network communication. This is the advantage of using TLS 1.2; it’s more secure than the static hash code in TLS 1.1.

How can you tell whether your website or webpage is using TLS 1.2 or 1.1 for encryption?

You can run a website or page through an SSL Labs test to check whether it is using TLS 1.2 encryption. The results show which security protocols the site uses, its cipher suites, and so on.
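For a quick check from your own network, the script below (an added example, not part of the original post and not Esri or SSL Labs code) attempts one handshake per protocol version and reports whether TLS 1.2 is accepted and whether TLS 1.0 or 1.1 is still enabled. The host name `gis.example.org` and the function names `probe` and `verdict` are assumptions made for illustration.

```python
import socket
import ssl
import sys

# (label, protocol version, whether the local OpenSSL build can speak it)
VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1, ssl.HAS_TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1, ssl.HAS_TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2, ssl.HAS_TLSv1_2),
]

def probe(host, port=443, timeout=5.0):
    """Try one handshake pinned to each version; return {label: state}."""
    results = {}
    for label, version, available in VERSIONS:
        if not available:
            results[label] = "untestable"  # a local limit, not a server finding
            continue
        try:
            sock = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            results[label] = "unreachable"
            continue
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # only protocol support is measured;
        ctx.verify_mode = ssl.CERT_NONE  # no data is sent over this session
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # allow offering old versions
        ctx.minimum_version = ctx.maximum_version = version  # pin one version
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                results[label] = "accepted"
        except (ssl.SSLError, OSError):
            results[label] = "rejected"  # may also reflect local crypto policy
            sock.close()
    return results

def verdict(results):
    """Summarise a probe() result against the TLS 1.2 requirement."""
    if "unreachable" in results.values():
        return "host unreachable"
    if results.get("TLS 1.2") != "accepted":
        return "FAIL: TLS 1.2 not negotiated"
    legacy = [v for v in ("TLS 1.0", "TLS 1.1") if results.get(v) == "accepted"]
    if legacy:
        return "WARN: TLS 1.2 accepted, legacy still enabled: " + ", ".join(legacy)
    return "OK: TLS 1.2 accepted, TLS 1.0 and 1.1 refused"

if __name__ == "__main__":  # usage: python tls_probe.py gis.example.org
    print(verdict(probe(sys.argv[1])))
```

A "rejected" result for TLS 1.0 or 1.1 can come from the machine running the script rather than the server, so confirm a clean result from a second client before relying on it.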

 

If you are an Esri Online products user, you are most likely affected by this update. What should you do?

LOGIC’s Suggested Initial Action Plan: 

  1. Understand the full scope of the update’s impacts. Read the Esri announcement to determine which of your products will be affected. To be thorough, you also need to scan your website and webpages for any service hosted by Esri. For example, if you happen to use Esri base maps or Living Atlas, Esri will stop delivering the expected content if you don’t update to TLS 1.2.

  2. Consult with the security experts and Esri specialists to come up with a plan.

  3. Present a strong case to your management team with a specific timeline, and sort out the priorities with the stakeholders.

  4. Apply the patches and fixes in a test environment to learn all lessons and make needed adjustments.

  5. Start putting the plan into action on the production environment with clear communication to your end users.

Esri didn’t specify a date in February 2019 for removing support for previous versions of TLS. There is a chance of an extension, but we suggest addressing this update well before the listed deadline of February 2019.

As you begin the update process, the LOGIC team is here to help. Please reach out to us with questions or to ask for advice.