UPDATED: Security Enhancement - Enforcing SSL on api.datasift.com


#1

As explained in our previous post, Security Enhancement: Enforcing SSL on api.datasift.com, DataSift will be introducing some security enhancements around the use of SSL on the DataSift platform.

This post provides some updated timeframes from the aforementioned post.

March 1st, 2016

We will be changing our load-balancing configuration for app.datasift.com and api.datasift.com. The intention is that this has no impact to our customers. The only visible changes should be:

  • DNS will resolve to different IPs:
    • api.datasift.com - 185.20.5.46
    • app.datasift.com - 185.20.5.44
  • New SSL certificate
  • Minor changes to HTTP headers, none that should impact service

Crucially, HTTPS will not be mandatory, and SSLv3 will still be supported for HTTPS connections.

May 3rd, 2016

  • We will mandate TLSv1.2 for all SSL connections on api.datasift.com and app.datasift.com. SSLv3 and TLSv1.0 will not be supported.
  • HTTP will still be supported

July 11th, 2016

  • HTTPS will be mandatory for api.datasift.com. All HTTP requests will be denied. Redirects will not be used due to security issues.
  • All HTTP requests on app.datasift.com will be redirected to HTTPS

Next Phase (Date TBC)

  • HSTS to be implemented to protect against protocol downgrade attacks.

#2

Updated Timeline for May 3rd, 2016

On May 3rd, 2016, we no longer plan to mandate TLSv1.2 for SSL connections to api.datasift.com. The following changes will still be taking place:

  • SSLv3 will be disabled on HTTPS on api.datasift.com
  • All SSL protocols except TLSv1.2 will be disabled on HTTPS on app.datasift.com (the web UI); all modern browsers support this protocol

Further security enhancements to the API will be introduced with the next major update to our API, v1.4.