Salesforce Communities - Security

  • 31-10-2019
  • Author : Bespoke Community

Salesforce Communities - Security

                           Salesforce is disabling TLS 1.1 and TLS 1.2 is a requirement for Communities and Sites.

What does it mean for you? Let's deep dive into it.

What is Transport Layer Security (TLS)?
 TLS is used in authentication, privacy, and data integrity between two computer applications that are communicating with each other.
Web Browsers need data to be exchanged securely, and TLS is the protocol that comes handy. It  is used for the following :  -
  • File Transfers.
  • Browser Sessions. 
  • Virtual Private Networks connections.
  • Remote Desktop Sessions.
  • Voice Over IP.
TLS can be used by websites to secure all communications between their servers and web browsers.

History and Development

TLS 1.0 was introduced in January 1999 and was an upgrade to SSL Version 3.0. The differences between this protocol and SSL 3.0 are not dramatic, but they are significant enough to insist it’s usage over SSL. 
The TLS protocol specification defined two layers: - 
  • TLS record protocol - provides connection security
  • TLS handshake protocol - enables the client and server to authenticate each other and to negotiate security keys before any data is exchanged. 
TLS Attacks
TLS has a history of attacks. Some of them are -
BEAST attack (2011) - A weakness in the cipher block chaining (CBC) was abused to extract unencrypted plaintext in an encrypted session. This happened over a browser session. The vulnerability of the attack had been fixed with TLS 1.1, but TLS 1.1 did not see a wide adoption.
CRIME and BREACH attacks (2012 and 2013) - An attacker could recover the content of web cookies when data was compressed along with TLS. This attack could extract login tokens, email addresses or other sensitive information from TLS encrypted cookie. This could only be possible if the victim would click on a malicious link, which would then inject javascript content into the page thereby revealing the cookie content.
Heartbleed (2014)- Private keys are linked to Public certificates, which would enable authentication. This attack exposed the private keys thereby allowing attackers to steal data.

Introducing TLS 1.2 

TLS 1.2 is a popular choice these days and it provides a lot of improvements in security as compared to TLS 1.1. The major differences include the following:
  • The SHA-1 is replaced with SHA-256, which makes it robust.
  • The digital signing in SHA-1 is replaced with a single hash which is created when the handshake initiates.
  • Clients and Servers can now specify the accepted hashes and algorithms.
  • Other data modes could use authenticated encryption.
  • AES cipher suites were added along with TLS extensions.
  • Tightened up other requirements.
  • Elliptical curve cryptography(ECC) can be used due to the use of SHA-256 in TLS 1.2.
Salesforce require TLS 1.2 for HTTPS Connections in Communities and Sites -
                    For HTTPS Connections in Communities, TLS 1.2 is a mandatory update in Summer 19. After 25th October 2019, it has been made mandatory. Salesforce is disabling TLS 1.1, which means it will no longer be used. All inbound or outbound connections from your Salesforce communities must use TLS 1.2. Communities that are created after this date will use TLS 1.2.
My Two Cents
TLS 1.3, has been introduced in 2018, but even in 2019, Salesforce still requires TLS 1.2 for HTTPS connections for Communities and Sites. 
The new 1.3 version offers enhanced security and performance. TLS 1.3 was developed for the following reasons:
  • To reduce the various weaknesses that have been exposed.
  • Reduce the chance of implementation errors, and remove features no longer needed.  

The advantages of TLS 1.3 over TLS 1.2 are:

  • Faster Speed - TLS 1.3 provides improved speed as compared to TLS 1.2. TLS 1.2 takes two round-trips to finish a TLS handshake whereas, TLS 1.3 needs only one round-trip to complete a TLS handshake. So, it reduces the encryption latency by one-half. With the help of this feature, websites can be browsed faster and more securely by the users.
  • Enhanced Security - TLS 1.3 has wrote off the features that caused the attacks. With this simplified way, which makes websites safer for users in terms of privacy and propriety. Also, it reduces the risk of cyberattacks.
  • The Implementation of TLS 1.3 should be simple as it is designed to flawlessly replace TLS 1.2 and it also uses the same certificates and keys. 

Salesforce should have considered TLS 1.3 for HTTPS connections for Communities and Sites because of enhanced security and performance.