Better security – dropping support for TLS 1.0

This change has been completed as of 14th August 2018.

Security Shield with Lock Icon Encrypted Data
In line with many other online services
Zamzar is announcing the end of support for TLS 1.0, a cryptographic protocol used to secure communications between your web browser (or API client) and our systems.

From August 8th 2018 August 14th 2018 the main Zamzar website and the Zamzar Developer API will no longer support secure connections using the outdated TLS 1.0 protocol, so you will need to plan accordingly. Read on for more information …

Why are you ending support?

In short – to make your use of our services more secure. Transport Layer Security (TLS) was originally developed by Netscape in the early 1990s and has undergone several revisions since then. TLS 1.1 was introduced in 2006, and TLS 1.2 in 2008, and both provide safer, more modern alternatives for connecting securely to web services. There are many serious vulnerabilities in TLS 1.0 which mean that is no longer safe to use reliably. The Payment Card Industry (PCI) Security Standards Council is also recommending that websites drop support for TLS 1.0.

What does this mean if I use the Zamzar website?

If you want to use the main Zamzar website at https://www.zamzar.com you will need to ensure you are using a modern web browser capable of using up-to-date security protocols – in practice this means using one of:

  • Chrome v22 or later
  • Firefox v27 or later
  • Safari v7 or later
  • Opera v12.18 or later
  • Internet Explorer 11 or later (or Edge)

Since the Zamzar website will no longer work with older web browsers we strongly recommend upgrading your browser before 8th August 2018 14th August 2018 in order to ensure you can continue using our services. After this date we cannot guarantee that you will be able to convert files via the website when using older browsers.

What does this mean if I use the Developer API?

If you use the Zamzar Developer API at https://developers.zamzar.com/ (and associated endpoints at sandbox.zamzar.com and api.zamzar.com) you should ensure that any client code that you use to connect to the API is not using TLS 1.0 to connect to our services.

We provide some guidance below on checking your TLS usage in popular languages, but you should also consult the “How can I test this?” section below to verify any updates or changes you make:

  • C# – Make sure that your client code is configured to use a modern TLS version for your System.Net.Http.HttpClient (see here for more info).
  • Curl – Supports TLS1.2 starting from v7.34, so ensure you are using this version or higher (download updates here).
  • Java – TLS 1.2 support was added to the JRE in 1.7.0_131-b12, so API calls made using older versions of Java may fail.
  • Node.js – Check the version of TLS that your “requests” package is using (see here for more info).
  • PHP – Uses the system-supplied cURL library, which requires OpenSSL. Ensure this version of OpenSSL is at v1.0.1 or later.
  • Python – Also uses the system OpenSSL so you should check this is later than v0.9.8. OpenSSL v1.0.1 supports TLS 1.1 and TLS 1.2 by default.
  • Ruby – Also uses the system OpenSSL. OpenSSL v0.9.8 will no longer work, but OpenSSL v1.0.1 or later will work since it adds support for TLS 1.1 and TLS 1.2.

How can I test this?

If you want to verify that your browser or client code is ok you can connect to https://www.zamzar.com/ to verify that you can still use Zamzar services.

If your connection is successful you should see the Zamzar website displayed.

For example in a web browser that works you will see:
zamzar-web-app

If using client code (for example cURL) you would see:
zamzar-web-app-curl

Further Questions

If you have any further questions on this topic or need any advice from our engineering team please get in touch with us at support@zamzar.com.

Happy secure converting!
The Zamzar Team.