Deprecation: TLS 1.0

Box Employee

On June 15, 2018, Box will disable the TLS 1.0 encryption protocol for all customers and continue to support TLS 1.1 and higher, which Box already supports. This will impact customers still using TLS 1.0 to connect to any Box service, including Box webapp, Box Sync, and APIs.

 

Here is some information to help you plan for the upcoming change:

 

What is TLS?

  • TLS stands for “Transport Layer Security.” It is a protocol that provides privacy and data integrity between two communicating applications. It’s the most widely deployed security protocol used today, and is used for web browsers and other applications that require data to be securely exchanged over a network. TLS ensures that a connection to a remote endpoint is the intended endpoint through encryption and endpoint identity verification. The versions of TLS, to date, are TLS 1.0, 1.1 and 1.2.
  • Box web and API connections, along with applications such as Box Sync and 3rd party apps, use TLS as a key component of their security. 

 

Why is TLS 1.0 being disabled?

  • Box is requiring an upgrade to TLS 1.1 or higher in order to align with industry best practices for security and data integrity. Box is focused on continually helping our customers improve their security by using the latest security protocols. In early 2018, Box will require TLS 1.1 and later encryption protocol in an effort to maintain the highest security standards and promote the safety of customer data.

TLS 1.1+ Compliant Browsers

To ensure that you are TLS 1.1+ compliant, make sure your browsers are updated to these minimum versions below prior to June 15, 2018 to continue to access Box:

 

Browser

TLS 1.1

TLS 1.2

Chrome

22-25+

30-32+

Safari

7+

7+

Firefox

27–33+

ESR 31.0–31.2+

27–33+

ESR 31.0–31.2+

Internet Explorer

11+

11+

Edge

All Versions

All Versions

 

TLS 1.1+ Compliant Box Desktop Applications

Box desktop products have been updated to meet the TLS 1.1+ compliance.  In order to be in compliance, you must be on the minimum versions below on both Mac and Windows machines. Additionally, all Windows machines must be on .NET 4.5.2 or higher in order for desktop applications to continue to work after the TLS 1.0 deprecation on June 15th, 2018.  

 

Unless you've somehow customized your installation of Box desktop products, all users will automatically update to at least the minimum compliant version below and no action is required. If you have customized the installation of these applications for your users in any way, you will need to ensure all your users upgrade to a minimum version prior to June 15, 2018 to continue to access Box. 

Note: The .NET 4.0 framework utilizes the TLS 1.0 protocol, making this framework non-compliant with the TLS 1.0 deprecation.

The minimum versions that comply are as follows:

 

Box Product

Minimum Compliant Version

Download Latest Version

Box Tools

Available now! 

 

Mac & Windows: 3.5+

Download here.

Box Sync

Long-term installer - 4.0.7901

 

Mac & Windows: 4.0.7900+

Download here.

Box Drive

Available now!

 

Mac: 1.7+

Windows: All Versions

Download here.

Box for Office

Available now!

 

Windows: 4.2.1220+

Download here.

 

TLS 1.1 Compliant 3rd Party Applications

Finally, in order to make sure that all 3rd party applications used by your organization are in compliance, please take action for the following prior to June 15, 2018 to continue to access Box:

 

Application Name

Upgrade Path

3rd Party Integrations 

Ensure your integration with Box is updated to TLS 1.1+ using the documentation found here

FTP

Ensure your FTP client is configured to support TLS 1.1+. Steps may include updating FTPS connection settings to support a minimum version of TLS 1.1 or higher. Please refer to documentation from your preferred FTP client.

WebDAV

Ensure your WebDAV client is configured to support TLS 1.1+.  Steps may include updating WebDAVS connection settings to support a minimum version of TLS 1.1 or higher. Please refer to documentation from your preferred WebDAV client.

 

 

Comments
Member

Is there a report I can run to determine which users are on an old Browser?