Description of Change
At Zuora, the security and trust of our customers are of utmost importance to us. We are dedicated to safeguarding your data and continually enhancing our security measures. In line with this commitment, we are implementing important infrastructure changes to support the latest data transport standards while deprecating older encryption protocols and cipher suites. These changes are aimed at maintaining alignment with industry best practices for enhanced security. Please refer to the schedule below for the upcoming changes we will be making.
Scope of Change
Three items are included in this change:
Impact of Change
The upcoming changes will have the following impacts:
Data Center and Environment Details
Change details per environment and data center are as follows:
All Data Centers
Adding three additional strong ciphers
Removing support for two older cipher suites:
Americas Cloud 2 (NA2) only
Please note that the cipher suites being deprecated are exclusive to Americas Cloud 2 (NA2). These cipher suites are not utilized in other environments such as NA1 and EU.
Change Schedule by Environment
The schedule for these changes and the impacted environments are as follows:
During Quarterly Maintenance
All API Sandbox & Central Sandbox Environments
May 18, 2024:
All Production Environments
Technical Details
Ciphers being deprecated (removed) from Americas Cloud 2 (NA2) only, All Environments
Equivalent RFC name
Ciphers supported following above changes (All Environments)
Highlighted are newly introduced TLS 1.3 ciphers
FAQs
What is the reason behind Zuora's continued support for 128-bit CBC ciphers?
Zuora continues to offer support for two specific 128-bit CBC ciphers, recognizing that some customers rely heavily on these ciphers for their API integrations. Although we are aware of the importance of employing strong cipher suites, we understand that certain customers have constraints and dependencies related to these particular ciphers.
Does Zuora's support for the two CBC ciphers pose a security risk?
Zuora continues to maintain the highest security rating (A+) from standard measuring tools such as SSL Labs, both for the ciphers presently supported and for those that will be supported following the above changes.
To understand the security risks of supporting these two CBC ciphers, it is important to understand how TLS works and the role Zuora's customers play in the connection process. During the initial TLS handshake, the client (customer) determines the strongest common cipher suite to be used in the transaction. The client achieves this by sending a ClientHello message to the server, which includes various details:
By exchanging the ClientHello and ServerHello messages, the client and server negotiate and agree upon the most secure TLS version, cipher suite, and other parameters for the session. This ensures a secure and mutually agreed-upon configuration for the transaction while leveraging the strongest common cipher suite supported by the client's integration.
To mitigate the potential risks associated with weak ciphers, it is crucial for customers relying on the two supported CBC ciphers to take proactive measures. Zuora strongly recommends the following actions:
By upgrading client-side software and implementing comprehensive security practices, customers can minimize the risk of weak cipher exploitation and maintain the integrity and confidentiality of their communications when interacting with Zuora's APIs.
How can I test and determine which cipher suites my integration supports?
Work with your internal integration support or Engineering teams to determine which cipher suites are supported by your integration.
Review integration documentation to determine cipher compatibility and support
Test and validate your integrations once the API Sandbox changes have been made
Note
Zuora recommends that customers add support for stronger non-CBC ciphers, as we tentatively plan to end support for all CBC ciphers during our NEXT update cycle starting next year (October 2024 through May 2025).
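As an added example for the testing steps above and for the ClientHello/ServerHello negotiation described earlier (this is not Zuora's code or tooling): the Python script below lists the suites the local OpenSSL build would offer in its ClientHello, classifies suite names as CBC or AEAD, and checks them against a constructed server list. The server list uses sample OpenSSL-style names chosen to illustrate the suite kinds discussed; it is not Zuora's published table.

```python
import ssl
from typing import List, Optional

# Constructed sample server list (NOT Zuora's published table), in server preference
# order, using OpenSSL-style names of the suite kinds the notice discusses.
SAMPLE_SERVER_CIPHERS = [
    "TLS_AES_256_GCM_SHA384",        # TLS 1.3, AEAD
    "TLS_AES_128_GCM_SHA256",        # TLS 1.3, AEAD
    "ECDHE-RSA-AES256-GCM-SHA384",   # TLS 1.2, AEAD
    "ECDHE-RSA-AES128-GCM-SHA256",   # TLS 1.2, AEAD
    "ECDHE-RSA-AES128-SHA256",       # TLS 1.2, 128-bit CBC (legacy kind)
    "ECDHE-RSA-AES128-SHA",          # TLS 1.2, 128-bit CBC (legacy kind)
]

def cipher_mode(name: str) -> str:
    """Classify an OpenSSL-style or RFC-style suite name as 'AEAD', 'CBC' or 'other'."""
    upper = name.upper()
    if any(marker in upper for marker in ("GCM", "CHACHA20", "CCM")):
        return "AEAD"
    # RFC names spell out CBC; OpenSSL names for CBC suites just end in the HMAC
    # digest with no AEAD marker (e.g. ECDHE-RSA-AES128-SHA256).
    if "CBC" in upper or ("AES" in upper and upper.rsplit("-", 1)[-1].startswith("SHA")):
        return "CBC"
    return "other"

def is_tls13(name: str) -> bool:
    """TLS 1.3 suites are named TLS_<aead>_<hash>, with no '_WITH_' key-exchange part."""
    upper = name.upper()
    return upper.startswith("TLS_") and "_WITH_" not in upper

def local_client_ciphers(ctx: Optional[ssl.SSLContext] = None) -> List[str]:
    """Suite names the local OpenSSL build would offer in its ClientHello."""
    ctx = ctx or ssl.create_default_context()
    return [c["name"] for c in ctx.get_ciphers()]

def common_ciphers(client: List[str], server: List[str]) -> List[str]:
    """Suites both sides support, in the server's preference order."""
    offered = set(client)
    return [suite for suite in server if suite in offered]

def cbc_only_overlap(client: List[str], server: List[str]) -> bool:
    """True when every common suite is CBC: the integration breaks once CBC support ends."""
    common = common_ciphers(client, server)
    return bool(common) and all(cipher_mode(s) == "CBC" for s in common)

if __name__ == "__main__":
    mine = local_client_ciphers()
    for suite in common_ciphers(mine, SAMPLE_SERVER_CIPHERS):
        print(f"{suite:32} {cipher_mode(suite):5} tls1.3={is_tls13(suite)}")
    print("CBC-only overlap:", cbc_only_overlap(mine, SAMPLE_SERVER_CIPHERS))
```

Replace the sample server list with the suites from the tables above to check a real integration; an integration whose only common suites are CBC should have an AEAD suite enabled before the next update cycle.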