Are you ready for TLS 1.0 disablement in your Salesforce org?
By now you have probably seen some notices from Salesforce warning that TLS 1.0 is no longer going to be allowed when connecting to Salesforce via an HTTPS connection. TLS 1.0 disablement will be activated via a Critical Update, which had an original auto-activation date of March 4, 2017; however, to ensure their customers are fully prepared, Salesforce just announced that they are extending the disablement date to July 22, 2017. If you haven’t yet finalized your preparation, you now have a few more months to take action.
What is TLS?
TLS stands for Transport Layer Security. It is a standard, or protocol, for encrypting connections over the internet between two devices so that third parties cannot decipher the messages passed back and forth between them. Whenever you use an https connection rather than an http connection, your device uses TLS to protect the connection against attempts to steal data. TLS 1.0 is almost 20 years old now, and two newer versions with stronger protections against attacks are currently in use: TLS 1.1 and TLS 1.2.
What does TLS have to do with Salesforce?
When you log into your Salesforce org, notice that the URL in the address bar of your browser begins with “https” rather than “http”. That means that TLS is being used to encrypt the data being transferred between your computer, tablet, or phone and the Salesforce server. This encryption is important because you wouldn’t want a third party listening in to be able to get your Salesforce password or the company data stored in your Salesforce database. For any login to Salesforce, whether it’s a user logging in from a cell phone or a non-Salesforce application logging in to run an automated sync, TLS is used to secure the connection. After TLS 1.0 disablement, only devices using TLS 1.1 or TLS 1.2 will be able to make an https connection to Salesforce.
Why is Salesforce making this update?
PCI Security Standards have deprecated TLS 1.0 and there is an industry-wide movement away from TLS 1.0. Salesforce is making the update to help customers maintain the security of their data and continue to be PCI compliant.
What might be affected when TLS 1.0 is disabled in your Salesforce org?
Users with browsers that are incompatible with TLS 1.1 and TLS 1.2 or not configured to use one of those standards will not be able to log in to Salesforce and will see an error message. For example, Internet Explorer versions 7 through 10 have to be configured to use TLS 1.1 or TLS 1.2 rather than TLS 1.0, and versions earlier than 7 don’t have any support for TLS 1.1 or TLS 1.2.
Any integrations to your Salesforce org that don’t support TLS 1.1 or TLS 1.2 will fail after the update is activated. For example, you’ll need to upgrade Salesforce for Outlook to a newer version if you’re running a version earlier than v3.0.0.
How can I find out what version of TLS my users and integrations are using?
The best way to find out is to check the login history for your Salesforce org. You can access the login history for your org in the Force.com Setup menu. From the Login History page, you can download a file with information about all of the TLS 1.0 logins to your org in the past six months. You can analyze this data to determine which users may need to upgrade their browsers or Microsoft integration applications such as Salesforce for Outlook.
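One way to analyze the downloaded login history file, as an added example that is not from Salesforce or the original article: it groups TLS 1.0 logins by user and client and puts users whose most recent login was still on TLS 1.0 first. The column names, the timestamp format, and the sample rows are constructed assumptions; adjust them to match your export.

```python
import csv
import io
from datetime import datetime

# Constructed sample rows; column names and values are assumptions, not a real export.
SAMPLE_CSV = """Username,Login Time,Login Type,Browser,Application,TLS Protocol
alice@example.com,2017-01-10 09:12:00,Application,IE 8,Browser,TLS 1.0
alice@example.com,2017-02-02 08:01:00,Application,IE 8,Browser,TLS 1.0
bob@example.com,2017-02-03 10:30:00,Application,Chrome 56,Browser,TLS 1.2
sync@example.com,2017-02-04 02:00:00,Other Apex API,Unknown,Salesforce for Outlook,TLS 1.0
carol@example.com,2017-01-05 14:00:00,Application,IE 9,Browser,TLS 1.0
carol@example.com,2017-02-20 14:00:00,Application,Firefox 51,Browser,TLS 1.2
"""

def load(text):
    """Parse CSV text into a list of dict rows keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))

def tls10_report(rows, time_format="%Y-%m-%d %H:%M:%S"):
    """Summarize TLS 1.0 logins per (user, client), most urgent first."""
    legacy = {}  # (user, client) -> [TLS 1.0 login count, last TLS 1.0 login]
    latest = {}  # user -> (time, protocol) of that user's most recent login
    for row in rows:
        user = row["Username"].strip()
        when = datetime.strptime(row["Login Time"].strip(), time_format)
        proto = row["TLS Protocol"].strip()
        if user not in latest or when > latest[user][0]:
            latest[user] = (when, proto)
        if proto == "TLS 1.0":
            # Name browser logins by browser, integrations by application.
            client = row["Application"].strip()
            if client == "Browser":
                client = row["Browser"].strip()
            entry = legacy.setdefault((user, client), [0, when])
            entry[0] += 1
            entry[1] = max(entry[1], when)
    report = [{"user": user, "client": client, "tls10_logins": count,
               "last_tls10": last,
               "still_on_tls10": latest[user][1] == "TLS 1.0"}
              for (user, client), (count, last) in legacy.items()]
    # Users whose latest login is still TLS 1.0 come first, then by volume.
    report.sort(key=lambda r: (not r["still_on_tls10"], -r["tls10_logins"], r["user"]))
    return report

if __name__ == "__main__":
    for r in tls10_report(load(SAMPLE_CSV)):
        print(r["user"], r["client"], r["tls10_logins"], r["still_on_tls10"])
```

Users reported with `still_on_tls10` set to false have already logged in over a newer TLS version since their last TLS 1.0 login, so they may only need an old device or client retired.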
If you still have users who are using an outdated browser and need to update their settings themselves, you can install an AppExchange Package offered by Salesforce to display warning messages to users still on TLS 1.0: TLS 1.0 Compatibility User Message.
For a quick, one-click test to see if your browser is compatible, go to https://tls1test.salesforce.com/s/.
If you use any third-party apps from the AppExchange that sync information with other servers, or any in-house applications that connect to Salesforce, make sure to check those and upgrade them if needed.
Where can I find out more?
Salesforce has a couple of very comprehensive articles offering detailed information on the full impact of TLS 1.0 disablement.
Salesforce Knowledge Article: TLS 1.0 Disablement Critical Update Console (CRUC) Setting
Salesforce Knowledge Article: Salesforce disabling TLS 1.0