TLS 1.2

TLS 1.2: Update 27 June 2018


What are TLS and SSL? (source: https://en.wikipedia.org/wiki/Transport_Layer_Security)

Transport Layer Security (TLS) – and its predecessor, Secure Sockets Layer (SSL), which is now deprecated by the Internet Engineering Task Force [1] (IETF) – are cryptographic protocols that provide communications security over a computer network.[2] Several versions of the protocols find widespread use in applications such as web browsing, email, instant messaging, and voice over IP (VoIP). Websites are able to use TLS to secure all communications between their servers and web browsers.

The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications.[2]:3 When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., wikipedia.org) have one or more of the following properties:

  • The connection is private (or secure) because symmetric cryptography is used to encrypt the data transmitted. The keys for this symmetric encryption are generated uniquely for each connection and are based on a shared secret negotiated at the start of the session (see TLS handshake). The server and client negotiate the details of which encryption algorithm and cryptographic keys to use before the first byte of data is transmitted (see § Algorithm below). The negotiation of a shared secret is both secure (the negotiated secret is unavailable to eavesdroppers and cannot be obtained, even by an attacker who places themselves in the middle of the connection) and reliable (no attacker can modify the communications during the negotiation without being detected).
  • The identity of the communicating parties can be authenticated using public-key cryptography. This authentication can be made optional, but is generally required for at least one of the parties (typically the server).
  • The connection is reliable because each message transmitted includes a message integrity check using a message authentication code to prevent undetected loss or alteration of the data during transmission.[2]:3

In addition to the properties above, careful configuration of TLS can provide additional privacy-related properties such as forward secrecy, ensuring that any future disclosure of encryption keys cannot be used to decrypt any TLS communications recorded in the past.[3]

TLS supports many different methods for exchanging keys, encrypting data, and authenticating message integrity (see § Algorithm below). As a result, secure configuration of TLS involves many configurable parameters, and not all choices provide all of the privacy-related properties described in the list above (see the § Key exchange (authentication), § Cipher security, and § Data integrity tables).

Attempts have been made to subvert aspects of the communications security that TLS seeks to provide, and the protocol has been revised several times to address these security threats (see § Security). Developers of web browsers have also revised their products to defend against potential security weaknesses after these were discovered (see TLS/SSL support history of web browsers).[4]

The TLS protocol comprises two layers: the TLS record and the TLS handshake protocols.


Sabre TLS/SSL Protocol

The SSL and TLS protocols are used in conjunction with an SSL web certificate to encrypt traffic between a browser and a web application. This allows secure communication over the internet and keeps private data private.

  • In 2015, PCI mandated that SSLv3 and TLS 1.0 no longer be used and that only TLS 1.1 or higher be used. Sabre is mandating TLS 1.2 or higher. The original mandate was later changed to allow, in certain circumstances, the use of SSLv3 and TLS 1.0 until June 30th, 2018.
  • SHS no longer supports SSLv3 for incoming connections but will allow outgoing SSLv3 for reservation delivery. All customers need to upgrade their servers to support TLS 1.2 to ensure future connectivity.
  • SHS no longer supports SHA-1 for secure connections, in favor of SHA-2 (SHA-256).

All customers need to upgrade their servers to accommodate this requirement in order to ensure connectivity.

  • SHA-1 certificates are no longer renewable by any certificate authority. Therefore, any certificate renewals performed by SHS will be SHA-2. This is in line with industry-wide security measures, and SHS will abide by industry regulations.
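A check a hotel or its vendor can run against a server before asking SHS to reinstate an interface, added here as an example and not Sabre's or Preferred Travel Group's code: it performs a handshake that refuses anything below TLS 1.2 and reads the certificate's signature algorithm straight from the DER to confirm it is SHA-2 rather than SHA-1. It uses only the Python standard library (3.7 or newer); the OID list and the SAMPLE_DER skeleton are assumptions and constructed test data, not values from this page.

```python
import socket
import ssl

# X.509 signature-algorithm OIDs by hash family (assumption: the ones common on web server certs).
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}  # sha1WithRSA, ecdsa-with-SHA1
SHA2_SIG_OIDS = {"1.2.840.113549.1.1.11", "1.2.840.113549.1.1.12", "1.2.840.113549.1.1.13",  # sha256/384/512WithRSA
                 "1.2.840.10045.4.3.2", "1.2.840.10045.4.3.3", "1.2.840.10045.4.3.4"}  # ecdsa-with-SHA256/384/512

def _tlv(der, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                    # long form: low 7 bits = number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, der[pos:pos + length], pos + length

def decode_oid(value):
    """Decode DER OID content bytes to dotted form (first octet = 40*arc1 + arc2, arc1 < 2)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                 # a clear high bit ends the base-128 encoded arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def cert_signature_oid(der_cert):
    """OID of the outer signatureAlgorithm: Certificate ::= SEQUENCE { tbs, sigAlg, sigValue }."""
    _, body, _ = _tlv(der_cert, 0)       # outer SEQUENCE
    _, _, pos = _tlv(body, 0)            # skip tbsCertificate
    _, alg, _ = _tlv(body, pos)          # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = _tlv(alg, 0)           # its first element is the algorithm OID
    if tag != 0x06:
        raise ValueError("expected OID tag in AlgorithmIdentifier")
    return decode_oid(oid)
def classify_signature(oid):
    """'sha1' fails the SHS requirement, 'sha2' passes, anything else needs a manual look."""
    return "sha1" if oid in SHA1_SIG_OIDS else "sha2" if oid in SHA2_SIG_OIDS else "unknown"

def check_endpoint(host, port=443, timeout=5.0):
    """Refuse anything below TLS 1.2 on our side, then report the version and cert hash family."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return {"tls_version": tls.version(),
                    "signature_hash": classify_signature(cert_signature_oid(der))}
# Constructed DER skeleton (empty tbsCertificate, sha256WithRSAEncryption, empty signature) used
# only to exercise the parser offline; it is not a real certificate.
SAMPLE_DER = bytes.fromhex("3014" "3000" "300d06092a864886f70d01010b0500" "030100")
```

A handshake failure from check_endpoint (for example a protocol-version alert) means the server cannot meet the TLS 1.2 requirement; a "sha1" result means its certificate must be reissued as SHA-2.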


Update as of June 30, 2018

As of June 30, 2018, in order to remain PCI compliant, Sabre no longer allows interfaces between its systems and third-party vendors that lack TLS 1.2 certification. This removes the security vulnerability exposed by not having TLS 1.2 certification. There are no exceptions for hotels or brands, including Preferred Travel Group.


Procedures

If a hotel finds that its interface is down, it should call SHS Customer Care to identify the problem. If the cause is a TLS 1.2 certification issue, SHS can identify and share the IP address that requires certification. The hotel should then reach out to the vendor responsible for that IP address and obtain an upgrade to the required certificate.

Preferred Travel Group, Inc. has no involvement in, and no influence over, interface certification and cannot assist in this process. While the interface is down, the hotel is responsible for:

  • manually managing reservations between the CR and the PMS until the interface is reinstated.
  • transmitting credit card information from the CR to the PMS booking. This can be activated by SHS Customer Care.
  • ensuring any ARI settings are manually replicated between the two systems (two-way interfaces only).

Note that bookings will not be transmitted back up to the CR in a two-way enhanced interface.


Support

To resolve the interface issue, please contact the vendor lacking the appropriate certification (this vendor can be identified through the violating IP address obtained from SHS Customer Care). Once the vendor has upgraded the certification, please contact SHS Customer Care to verify and reinstate the interface. Do not contact Preferred Travel Group, as we are unable to upgrade systems to the correct certification.


Global SHS Customer Support Numbers: http://www.sabrehospitality.com/contact/customer-support

SHS Support Portal: https://sabrehospitality.my.salesforce.com/secur/login_portal.jsp?orgId=00D300000000A4i&portalId=06060000000D2J3



For Reference

Recent News: https://preferrednet.net/revenue-distribution/latest-news-updates/latest-news-updates/action-required-prepare-now-for-the-pci-mandate-july-2018/

Voice Agent Users: https://preferrednet.net/revenue-distribution/latest-news-updates/latest-news-updates/action-required-by-june-17-2018-synxis-voice-agent-windows-users-only-tls-12-mandate/

2015 Article From PCI about TLS 1.2 and Security Vulnerability: https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls

2017 Update From PCI about migrating from SSL to TLS 1.2: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

Oracle/Opera PMS Information: https://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html

Attachment: SSL/TLS Protocol Information

Attachment: SynXis Credit Card Access and Interfaces

Attachment: Credit Card Helpful Tips

Attachment: PCI TLS Resource Guide