Security Imperatives
Security Fundamentals for HTTPS and TLS.
Overview
In an era where cyber threats are increasingly sophisticated and prevalent, ensuring the security of our APIs is paramount. Requiring HTTPS for all API calls is a critical measure to safeguard data integrity, confidentiality, and authenticity. HTTPS encrypts the data transmitted between clients and servers, preventing unauthorized access and tampering by malicious actors. By ensuring the use of HTTPS, we protect sensitive information from being intercepted and ensure that our APIs remain a trusted and secure component of our digital infrastructure. This security measure not only aligns with industry best practices, but also fortifies our commitment to maintaining robust data protection standards for our users and stakeholders.
HTTPS requirement
The absence of HTTPS (Hypertext Transfer Protocol Secure) enforcement poses a significant vulnerability, exposing data to potential compromise.
Important:
All calls made to Bazaarvoice APIs require HTTPS. Starting Aug 30, 2024, every Bazaarvoice API call must use HTTPS in order to return a successful response. All HTTP calls will be returned with a 3XX response containing redirects with an amended URL containing HTTPS.
What is the impact of HTTPS enforcement?
Tip:
There will be no impact to any API calls made via HTTPS.
There is no additional validation for secured API calls made to our network. However, all HTTP calls will be validated via an additional internal flow, with the following results:
Impact on Bazaarvoice API response:
For every unsecured (HTTP) API call, Bazaarvoice will return a 3XX response.
STATUS 301
Returned on GET methods.
Error Message : "The resource has been permanently moved to a new location"
Code : "ERROR_MOVED_PERMANENTLY"
Response Body
{
  "Includes": {},
  "HasErrors": true,
  "Offset": null,
  "TotalResults": null,
  "Locale": null,
  "Results": [],
  "Errors": [
    {
      "Message": "The resource has been permanently moved to a new location",
      "Code": "ERROR_MOVED_PERMANENTLY"
    }
  ],
  "Limit": null
}
STATUS 308
Returned on POST/PUT/OPTIONS methods
Error Message : "The resource has been temporarily moved to a new location"
Code : "ERROR_MOVED_TEMPORARILY"
Response body
{
  "Includes": {},
  "HasErrors": true,
  "Offset": null,
  "TotalResults": null,
  "Locale": null,
  "Results": [],
  "Errors": [
    {
      "Message": "The resource has been temporarily moved to the new location",
      "Code": "ERROR_TEMPORARY_REDIRECT"
    }
  ],
  "Limit": null
}
Important
All POST/PUT requests directed to Bazaarvoice APIs will be temporarily redirected (status code 308) to the new location. While the technical classification is temporary, the server will effectively treat this as a permanent move.
Additional response headers
| Response Header | Description |
|---|---|
| Location | Indicates the URL to redirect the request to. This header redirects the API call to the URL it carries, which current web browsers mostly follow automatically. For server-to-server implementations, developers are requested to make the necessary changes to consume the Location header URL appropriately. |
| Strict-Transport-Security | This header lets a website tell browsers that it should only be accessed via HTTPS. |
Additional client facing impact
Important
Only calls made via HTTP may be subject to increased latency, increased quota utilization, or the risk of service disruption.
The changes made to enforce HTTPS at Bazaarvoice have the following impact:
- Potential Service Disruption: There is a risk of service disruption for clients who make HTTP calls but have disabled automatic redirection in their implementation. In such cases, the HTTP call returns a 3XX response but is not redirected unless the Location header is consumed, so no response is received for the original API query.
- Increased Latency: The extra validation increases latency for HTTP calls by almost 100%; for example, a call that usually takes 50 ms to return a response may take up to 100 ms after HTTPS enforcement.
- Increased Quota Utilization: Because a corrected redirect URL is passed in the Location header, clients make double the number of API calls for a single operation. This increases passkey quota utilization by 2x.
Note:
All Clients must ensure that all calls made to Bazaarvoice APIs are via HTTPS.
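For server-to-server callers that have automatic redirects disabled, the Location handling described above can be written as follows. This is an added example, not Bazaarvoice code; the `send` transport hook, `simulated_edge`, the host `api.example.test` and the request path are assumptions made for illustration.

```python
from urllib.parse import urljoin, urlsplit, urlunsplit

REDIRECTS = {301, 308}  # 301 on GET, 308 on POST/PUT/OPTIONS, per the page


def force_https(url):
    """Upgrade the scheme before sending, so the redirect never happens."""
    p = urlsplit(url)
    if p.scheme != "http":
        return url
    host = p.netloc[:-3] if p.netloc.endswith(":80") else p.netloc
    return urlunsplit(p._replace(scheme="https", netloc=host))


def call_api(send, method, url, body=None, max_hops=1):
    """Send with auto-redirect off and consume Location by hand.

    send(method, url, body) -> (status, headers, payload) is a hypothetical
    transport hook. Returns (status, payload, requests_used).
    """
    used = 0
    for _ in range(max_hops + 1):
        status, headers, payload = send(method, url, body)
        used += 1
        if status not in REDIRECTS:
            return status, payload, used
        location = {k.lower(): v for k, v in headers.items()}.get("location", "")
        target = urljoin(url, location)
        old, new = urlsplit(url), urlsplit(target)
        # Follow only an upgrade to HTTPS on the same host; anything else is
        # an error rather than a reason to resend the passkey somewhere new.
        if new.scheme != "https" or new.hostname != old.hostname:
            raise ValueError(f"unsafe redirect target: {target!r}")
        url = target  # method and body are resent unchanged
    raise RuntimeError("redirect limit exceeded")


def simulated_edge(method, url, body):
    """Constructed stand-in for the documented behaviour, not a real endpoint."""
    if url.startswith("http://"):
        status = 301 if method == "GET" else 308
        return status, {"Location": force_https(url)}, None
    return 200, {}, {"HasErrors": False, "method": method, "echo": body}


if __name__ == "__main__":
    url = "http://api.example.test/v1/items?passkey=PLACEHOLDER"
    print(call_api(simulated_edge, "GET", url))               # two requests used
    print(call_api(simulated_edge, "GET", force_https(url)))  # one request used
```

The first hop still crosses the network unencrypted, passkey included, so following the redirect is only a fallback. Applying `force_https` to configured base URLs removes both the exposure and the doubled quota use.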
Transport layer security
Transport Layer Security (TLS) is a cryptographic protocol that secures data exchanged over networks. It replaces Secure Sockets Layer (SSL) and protects communication between web browsers and servers.
Some TLS configurations use weak ciphers—algorithms with known vulnerabilities. Attackers can exploit these ciphers to access or modify data. This is not recommended.
Action required:
To protect data and meet industry standards:
- Bazaarvoice strongly recommends using TLS 1.3. If implementing TLS 1.3 is not possible, use TLS 1.2 with strong cipher suites.
- Using weak cipher suites will cause your connection to fail and trigger an SSL/TLS handshake error message.
Cipher suites
A cipher suite is a set of security rules that keep online connections, like HTTPS, safe. During the SSL/TLS handshake, the client and server agree on one of the supported ciphers to securely lock and protect the information you send and receive.
What is TLS 1.3
TLS 1.3 is a modern security protocol. It provides stronger encryption, faster connections, and better privacy than TLS 1.2.
Key benefits
- Removes outdated algorithms like RSA key exchange and SHA-1.
- Reduces the handshake process from two round trips to one.
- Supports 0-RTT (Round Trip Time) mode for resumed/repeated connections, allowing faster reconnections.
- Simplifies the protocol for easier configuration.
- Enforces perfect forward secrecy by default.
- Encrypts more of the handshake, protecting sensitive data such as certificate details.
- Supports future cryptographic algorithms with an extensible design.
- Provides a faster handshake and reduced latency, thereby improving application performance.
For clients using TLS 1.2
If you use TLS 1.2, upgrade to TLS 1.3 as soon as possible. Meanwhile, ensure TLS 1.2 uses strong ciphers:
- Use Elliptic Curve Diffie-Hellman Ephemeral (ECDHE).
- Use AES in Galois/Counter Mode (GCM), an AEAD cipher that avoids CBC vulnerabilities.
- Use SHA-2 (SHA256 or SHA384) instead of SHA-1 or MD5.
Supported strong ciphers
Bazaarvoice accepts only the following cipher suites for all incoming API calls. These cipher suites are configured in the staging environment for clients to test for compatibility. You can test these ciphers across all Bazaarvoice APIs.
| S.No. | Cipher Suite String | Strength | TLS version |
|---|---|---|---|
| 1 | TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 | Strong | 1.2 & 1.3 |
| 2 | TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 | Very strong | 1.2 & 1.3 |
| 3 | TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 | Strong | 1.2 & 1.3 |
| 4 | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 | Strong | 1.2 & 1.3 |
| 5 | TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256 | Strong | 1.2 & 1.3 |
| 6 | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 | Very strong | 1.2 & 1.3 |
Tips:
Refer to the following RFCs for the list of supported cipher suites:
Unsupported weak ciphers
Starting August 30, 2024, Bazaarvoice will not support weak cipher suites, as they are known for vulnerabilities and can expose data to attacks.
- What you must do: To connect with the Bazaarvoice API, you must upgrade to TLS 1.3 or use TLS 1.2 with strong cipher suites.
- What happens if you don't: Your connection will fail with an SSL/TLS handshake error message.
Important:
Consult your web infrastructure specialist to verify that no weak cipher suites are used on your servers or edge resources.
Here is the list of weak ciphers that are no longer supported:
| S.No. | Cipher Suite String | Strength |
|---|---|---|
| 1 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 | Moderate |
| 2 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 | Moderate |
| 3 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 | Moderate |
| 4 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 | Moderate |
| 5 | TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA | Moderate |
| 6 | TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA | Moderate |
| 7 | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA | Weak |
| 8 | TLS_DHE_RSA_WITH_AES_256_CBC_SHA | Weak |
| 9 | TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA | Weak |
| 10 | TLS_RSA_WITH_AES_256_GCM_SHA384 | Weak |
| 11 | TLS_RSA_WITH_AES_256_CBC_SHA256 | Weak |
| 12 | TLS_RSA_WITH_AES_256_CBC_SHA | Weak |
| 13 | TLS_RSA_WITH_CAMELLIA_256_CBC_SHA | Weak |
| 14 | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA | Weak |
| 15 | TLS_DHE_RSA_WITH_AES_128_CBC_SHA | Weak |
| 16 | TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA | Weak |
| 17 | TLS_RSA_WITH_AES_128_GCM_SHA256 | Weak |
| 18 | TLS_RSA_WITH_AES_128_CBC_SHA256 | Weak |
| 19 | TLS_RSA_WITH_AES_128_CBC_SHA | Weak |
| 20 | TLS_RSA_WITH_CAMELLIA_128_CBC_SHA | Weak |
| 21 | TLS_RSA_WITH_3DES_EDE_CBC_SHA | Very weak |
Tip:
To find the list of weak cipher suites, refer to RFC 7540.
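The three TLS 1.2 rules given earlier (ECDHE, an AEAD cipher, SHA-2) are enough to separate the accepted table from the unsupported one, which the following added example checks by suite name. It is not Bazaarvoice code; the function names and the constructed `client_config` list are assumptions, and it generalizes the rules to any TLS 1.2 IANA suite name.

```python
import re

# The six suites the page lists as accepted (IANA names).
ACCEPTED = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
}
# TLS 1.2 naming: TLS_<key exchange>_WITH_<cipher>_<hash>
SUITE = re.compile(r"^TLS_(?P<kx>.+)_WITH_(?P<cipher>.+)_(?P<hash>SHA\d*|MD5)$")


def findings(suite):
    """Return the rules a TLS 1.2 suite name breaks; an empty list means none."""
    m = SUITE.match(suite)
    if m is None:
        return ["not a TLS 1.2 style suite name"]
    broken = []
    if not m["kx"].startswith("ECDHE_"):
        broken.append("key exchange is not ECDHE")
    if not (m["cipher"].endswith("_GCM") or m["cipher"] == "CHACHA20_POLY1305"):
        broken.append("cipher is not AEAD")
    if m["hash"] in ("SHA", "MD5"):
        broken.append("hash is SHA-1 or MD5")
    return broken


def audit(configured):
    """Map every suite that would be refused to the reasons for it."""
    report = {}
    for suite in configured:
        why = findings(suite)
        if not why and suite not in ACCEPTED:
            why = ["passes the rules but is not in the accepted table"]
        if why:
            report[suite] = why
    return report


# Constructed sample: suites a client might have enabled.
client_config = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
]

if __name__ == "__main__":
    for suite, why in audit(client_config).items():
        print(suite, "->", "; ".join(why))
```

The two `TLS_RSA_WITH_AES_*_GCM_*` entries show why a GCM cipher alone is not sufficient: they fail only the key exchange rule.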
Strategies to mitigate weak cipher exploitation and enhance TLS Security
To ensure weak ciphers are not exploited, organizations can implement several solutions:
- Cipher Suite Configuration: Configure servers to use only strong, recommended cipher suites. This involves updating server settings to disable weak ciphers and enable strong ones, such as AES-GCM and ChaCha20-Poly1305.
- Regular Security Audits: Conduct regular security audits and vulnerability assessments to identify and address any use of weak ciphers.
- TLS Version Upgrade: Ensure that the latest versions of TLS are supported and enforced. TLS 1.2 or higher should be used, as older versions (e.g., SSL 3.0, TLS 1.0, and TLS 1.1) have known vulnerabilities.
- Server and Application Updates: Keep servers, applications, and libraries up to date with the latest security patches and updates. This helps close any vulnerabilities that may be exploited by weak ciphers.
- Strong Key Management: Implement strong key management practices, including the use of long, random keys and regular key rotation, to ensure that cryptographic keys remain secure.
- Client Configuration: Ensure that clients connecting to the server are also configured to use strong ciphers. This might involve updating client software or providing configuration guidelines to users.
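On the client side, the configuration step can look like this in Python's standard `ssl` module. This is an added example, not Bazaarvoice code; the OpenSSL spellings of the six accepted suites and the function names are supplied by the example, and `negotiated()` needs network access to a host you choose.

```python
import socket
import ssl

# OpenSSL spellings of the six accepted suites. The page lists IANA names;
# this mapping is supplied by the example.
OPENSSL_NAMES = [
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-CHACHA20-POLY1305",
    "ECDHE-RSA-AES256-GCM-SHA384",
]


def strict_client_context():
    """Client context: TLS 1.2 minimum, accepted TLS 1.2 suites only."""
    ctx = ssl.create_default_context()  # certificate and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers() restricts the TLS 1.2 suites; OpenSSL keeps its TLS 1.3
    # suites enabled separately, so TLS 1.3 is still used when the server has it.
    ctx.set_ciphers(":".join(OPENSSL_NAMES))
    return ctx


def offered_tls12_suites(ctx):
    """TLS 1.2 suites this context will offer in its ClientHello."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


def negotiated(host, port=443, timeout=5.0):
    """Handshake with `host` and return (protocol version, suite name)."""
    ctx = strict_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


if __name__ == "__main__":
    print(offered_tls12_suites(strict_client_context()))
    # negotiated("staging-host.example")  # hypothetical host; needs network
```

Running `negotiated()` against the staging environment confirms which version and suite are actually agreed on. A handshake failure there means the client, or an intermediary in front of it, offers none of the accepted suites.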
Bazaarvoice strongly advocates security and strives to mitigate any and all potential risks and vulnerabilities. By implementing these security practices, organizations can significantly reduce the risk of weak cipher exploitation and enhance the overall security of their communications.
