Transport Layer Security (TLS) is the primary method used to secure web and API connections on the Internet. TLS is a replacement of the older Secure Sockets Layer (SSL) technology, so every time you make a connection using https on a recent device, you’re using TLS.

Security Concerns with Early TLS Versions

The initial versions of TLS (TLS 1.0, and TLS 1.1) were found to have security vulnerabilities that weren’t fixable without making fundamental changes to TLS protocols that would not be backward compatible. Successor TLS versions (starting with TLS 1.2) addressed these vulnerabilities and have been available for more than twelve years.

Thankfully, traffic volume for earlier TLS versions has declined dramatically over the years. On old, unpatched devices that can’t support TLS versions 1.2 or greater, it’s no longer possible to load the Google homepage.

Deprecating Support for TLS 1.0 & 1.1

On March 25, 2021, the Internet Engineering Task Force (IETF) deprecated support for early versions of TLS prior to 1.2. As a result, many software tools and organizations have been disabling support for these earlier versions as well.

When we analyzed our traffic to ensure we could turn off deprecated TLS versions, we were surprised to discover we still have a very small amount of traffic using these versions. On a very old, unpatched phone, an open or read tracking API call to OneSignal could occur using TLS 1.0 or 1.1.

Unfortunately, there is no practical way for us to allow these endpoints to remain open and also ensure the security of our customers’ traffic, which is our highest concern.  With that in mind, we will disable TLS 1.0 and 1.1 support on all our endpoints no later than September 30, 2021, at 23:59:59 UTC.

Thankfully, the number of calls is minimal (well under .01% of all open events). This traffic is spread across a large number of our customers, so no individual customer will be heavily impacted by disabling these endpoints. If you have any additional questions or concerns, please feel free to reach out to us at support@onesignal.mydomain.com.

Want to stay in the loop with the latest OneSignal updates, share your feedback, and try out new features before they're released? Join our developer community to take advantage of these benefits and others.

Join our Developer Community