To ensure our service and software offerings remain as secure as possible, we continually update the security standards and protocols utilized. Sometimes, this can result in significant disruptions for customers if they do not keep their client systems and configurations consuming SaaS offerings (such as ArcGIS Online) up-to-date. Throughout 2019, there are multiple such significant changes occurring that you should be aware of and prepare for before they are enabled.
April 2019 – ArcGIS Online TLS 1.0 & 1.1 removal
ArcGIS Online currently supports TLS 1.0, 1.1, and 1.2, however on April 16, 2019 only TLS 1.2 will be available for clients to connect. The older protocol versions were published over a decade ago and many improvements have been made since their release, therefore TLS 1.2 is now considered the safest and most reliable method of delivering encrypted content over the Internet.
Furthermore, the PCI Data Security Standard (PCI DSS) and the FedRAMP authorization program require disabling SSL/TLS 1.0 implementations. TLS 1.1 will still be accepted by PCI and FedRAMP although they strongly recommend TLS 1.2. Given security concerns with both TLS 1.0 and 1.1 and the recommendations provided by multiple standards organizations, we are deprecating support of both versions moving forwards.
Most users accessing ArcGIS Online via a browser should not need to do anything, as TLS 1.2 is compatible with all recent major browser versions. Some ArcGIS Online clients, such as ArcGIS Pro, are already TLS 1.2 enabled. Esri software that requires action includes ArcGIS Desktop and applications built on and extending ArcGIS Desktop, ArcGIS Enterprise, applications built with ArcGIS Engine (ArcObjects), and partner extensions that access ArcGIS Online services. Go to the Esri TLS Support page for more information and specific actions you may need to take in advance of this update.
Upcoming ArcGIS Enterprise 10.7 – TLS 1.0, 1.1, and HTTP disabled by default
To help foster secure-by-default installations, only HTTPS with TLS 1.2 will be enabled for the upcoming ArcGIS Enterprise 10.7 release (ArcGIS Enterprise 10.6.1 defaults to disabling TLS 1.0, and previous versions default to using TLS 1.0, 1.1, 1.2, HTTP, and HTTPS). Note that performing an upgrade from a previous ArcGIS Enterprise version will not disable HTTP, TLS 1.0, or 1.1 (if they were enabled on the pre-existing deployment) to minimize disruption of customer operations – Customers performing an update can configure their ArcGIS Enterprise deployment to utilize only HTTPS and TLS 1.2 as documented in the online help.
Spring 2020– ArcGIS Online HTTP deprecation + HSTS enforcement
ArcGIS Online has always had an optional setting that allows organizations to require that all communication with their ArcGIS Online hosted organization & services must be over HTTPS (ArcGIS Online organizations established after the September 2018 release no longer allow enabling HTTP). In addition, ArcGIS Online supports HTTPS based communication to all shared services such as geocoding, routing and basemaps.
HTTP Strict Transport Security (HSTS) is a security enhancement that is specified by web applications through the use of a special response header. Once a supported browser receives this header that browser will prevent any communications from being sent over HTTP to the specified domain. It achieves this goal by automatically converting all plaintext links to secure ones. As a bonus, it also disables click-through certificate warnings.
In 2017, we transparently enabled HSTS for ArcGIS Online organizations that utilize the default organization setting that forces HTTPS for all communications. This means that all customer data is afforded the additional protection HSTS provides by default. It is important to note that organizations executing security tests (such as SSLLabs) against their organization URL will likely still see results indicating that HSTS is not enabled. This happens because all ArcGIS Online organizations access a common set of static files (some orgs access via HTTP and others access via HTTPS) and it is the accessing of the static files (not customer data) that results in tests failing for HSTS. We highlight this fact as it means your customer data is safe and this can be validated with tools such as Fiddler which will show the HSTS header associated with customer data access requests. This issue will go away when we shift all customers to use HTTPS.
Deprecating TLS 1.0 & 1.1 is expected to be a challenging task that we want to help with as much as possible by not compounding it with other major changes at the same time – Therefore, the final forced enablement of HTTPS and HSTS across all ArcGIS Online organizations is planned for spring of 2020. Upon this change being implemented, all customer HSTS tests will indicate successful results.
Beyond – More to come
TLS 1.3 – This new protocol standard was finalized in August 2018, therefore it is not widely available by cloud infrastructure providers or across browsers at this point as can be seen here. We will continue to monitor TLS 1.3 for future incorporation into ArcGIS Online and have already started incorporating TLS 1.3 compatible encryption modules into some products. We will provide notice when it is available as part of our offerings.
HSTS Preload List Entry – Upon forcing HTTPS only w/HSTS across organizations, we will not initially add the ArcGIS Online domain to the HSTS preload list, but will consider it in the future to ensure appropriate availability and stability of our offering.
As these changes are implemented, continue to refer to our ArcGIS SSL/TLS Briefing, located within the ArcGIS Trust Center documents.