[Surfconext-sp-newsletter] SURFconext News SP-edition including; SameSite cookies | SURFsecureID key rollover | TLS 1.0 and TLS 1.1 deprecated | SP Dashboard development
SURFconext Nieuws
no-reply at surfconext.nl
Wed Jan 29 16:34:18 CET 2020
SURFconext News SP-edition 2020 #1
This newsletter will bring you information about new developments
regarding SURFconext, plans for the future, tips and tricks and will
appear on an irregular basis.
*Who receives this newsletter?*
All technical and administrative contacts of a service connected to
SURFconext will receive this newsletter. Subscribe here
<https://list.surfnet.nl/mailman/listinfo/surfconext-sp-newsletter> and
unsubscribe here
<https://list.surfnet.nl/mailman/options/surfconext-sp-newsletter>.
For an overview of all mailings by the SURFconext team, see the
following page.
In this edition:
1. New Chrome version changes the way it treats cookies
2. Heads-up: SURFsecureID key rollover
3. Keep your security up to date and remove TLS 1.0 and TLS 1.1
4. Customer satisfaction
5. SP Dashboard: let us know what you think
Chrome changes the way it treats cookies
As of version 80 of Chrome, which will be released on the 30th of January,
Chrome changes the way it treats cookies. In particular, it sets a new
default for the SameSite attribute of cookies. It is important to review
your software and make sure you are not affected by this new behaviour,
since it could potentially break the SURFconext login.
Before Chrome 80, the default was "SameSite=none". The new default is
"SameSite=lax". Furthermore, cookies that explicitly opt out of this
default with "SameSite=none" must also set the "secure" attribute. These
changes could break SAML implementations that have not set those
particular attributes on their cookies.
We have published documentation that includes some background
information and potential mitigating measures.
<https://wiki.surfnet.nl/display/surfconextdev/Default+cookie+SameSite+attribute+behaviour+change>
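As an added illustration (not code from the newsletter or the SURFconext wiki), the following audits an SP's Set-Cookie headers against the Chrome 80 rules described above and shows the hardened form for a session cookie that must survive the cross-site SAML POST; the cookie names and headers are constructed samples.

```python
"""Audit Set-Cookie headers against the Chrome 80 SameSite rules.
Added example, not code from the SURFconext newsletter or its wiki; the
cookie names and headers below are constructed samples."""
from typing import Dict, List, Optional, Tuple


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Tuple[str, Optional[str]]]]:
    """Return name, value and {lower-cased attribute: (original spelling, value or None)}."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = (key.strip(), val.strip() if sep else None)
    return name.strip(), value.strip(), attrs


def chrome80_findings(header: str) -> List[str]:
    """What Chrome 80 does with this cookie on the cross-site POST that delivers
    the SAML Response to the SP's assertion consumer service."""
    name, _, attrs = parse_set_cookie(header)
    findings = []
    if "samesite" not in attrs:
        findings.append(f"{name}: no SameSite attribute, so Chrome 80 defaults to Lax "
                        "and withholds the cookie from the cross-site POST")
    else:
        mode = (attrs["samesite"][1] or "").lower()
        if mode == "none" and "secure" not in attrs:
            findings.append(f"{name}: SameSite=None without Secure, so Chrome 80 rejects it")
        elif mode in ("lax", "strict"):
            findings.append(f"{name}: explicit SameSite={mode} is withheld from the cross-site "
                            "POST; only acceptable if the cookie is not needed to finish the login")
    return findings


def harden_for_cross_site(header: str) -> str:
    """Rewrite a cookie that must survive the SAML POST as 'SameSite=None; Secure'."""
    name, value, attrs = parse_set_cookie(header)
    pieces = [f"{name}={value}"]
    for lower, (orig, val) in attrs.items():
        if lower not in ("samesite", "secure"):
            pieces.append(f"{orig}={val}" if val is not None else orig)
    return "; ".join(pieces + ["Secure", "SameSite=None"])


# Constructed samples: no SameSite; None without Secure; already correct.
SAMPLES = [
    "SimpleSAMLSessionID=abc123; Path=/; HttpOnly",
    "PHPSESSID=def456; Path=/; SameSite=None",
    "saml_session=ghi789; Path=/; Secure; HttpOnly; SameSite=None",
]
```

Only cookies that genuinely have to be sent on the cross-site POST (typically the SAML request/session state) should be rewritten this way; other cookies are safer left at the Lax default.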
Heads-up: SURFsecureID key rollover
SURFsecureID will migrate to a new signing key because the current one
is almost 5 years old and will expire.
If your service is connected to SURFsecureID, you will need to take
action; otherwise users will no longer be able to log in to your service.
Most SPs can change their SAML connection from SURFsecureID to
SURFconext (we will then enable SURFsecureID there). Others will need to
import new SURFsecureID metadata containing the new signing key. We are
still working out the details, so read this message as a heads-up.
We will contact each SP directly via an email to their registered
contact email address with more detailed instructions. SURFconext
support is available for any questions or assistance at
support at surfconext.nl.
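For SPs that take the metadata route, the following added example (not SURFsecureID or SURFconext tooling) lists the signing certificates in a SAML IdP metadata document and checks whether the imported copy already contains an announced new key; the metadata, entityID and certificate bodies are constructed placeholders, and it assumes the new key's fingerprint is communicated to you out of band.

```python
"""List signing certificates in SAML IdP metadata and check a key rollover.
Added example, not SURFsecureID or SURFconext tooling. The metadata, entityID
and certificate bodies below are constructed placeholders, not real keys."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import List

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# During a rollover an IdP usually publishes old and new signing keys side by
# side so SPs can import the new one before the old one stops being used.
OLD_CERT_B64 = base64.b64encode(b"OLD-SIGNING-CERT-PLACEHOLDER").decode()
NEW_CERT_B64 = base64.b64encode(b"NEW-SIGNING-CERT-PLACEHOLDER").decode()
METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://idp.example.org/placeholder">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{NEW_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{OLD_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sha256_fingerprint(cert_b64: str) -> str:
    """SHA-256 of the DER bytes, hex without colons (as most SSL tools print it)."""
    return hashlib.sha256(base64.b64decode("".join(cert_b64.split()))).hexdigest()


def signing_fingerprints(metadata_xml: str) -> List[str]:
    """Fingerprints of every certificate the IdP may sign with. A KeyDescriptor
    without a 'use' attribute counts for both signing and encryption."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            for cert in kd.iter(f"{{{DS}}}X509Certificate"):
                fps.append(sha256_fingerprint(cert.text))
    return fps


def rollover_status(metadata_xml: str, new_key_fp: str) -> str:
    """'ready' once the announced new key is in the metadata the SP imported,
    'stale' if the SP still only has the old key (logins would fail after cutover)."""
    return "ready" if new_key_fp in signing_fingerprints(metadata_xml) else "stale"
```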
Keep your security up to date and remove TLS 1.0 and TLS 1.1
You need to keep traffic to your service secure so users can log on
safely. If you support the protocols TLS 1.0 and TLS 1.1, you need to
disable them and start supporting TLS 1.2.
No fix or patch can make SSL or the deprecated TLS versions adequately
secure for user data, so it is important that you upgrade as soon as
possible. Support for TLS 1.0 and TLS 1.1 will be removed from browsers
in early 2020, so users will be locked out of your service if secure
versions are not supported. When you connected to SURFconext we assessed
your security measures and rated your service using SSL Labs. A+ is the
highest possible rating. This rating is subject to decay: it will go down
in February and will be at most B if you still support TLS 1.0 and
TLS 1.1. If it drops below B we will be in touch.
Consult the SSL Labs website for an overview of compatible user agents
<https://www.ssllabs.com/ssltest/clients.html> and compatibility with
the secure TLS 1.2. Read our wiki
<https://wiki.surfnet.nl/pages/viewpage.action?pageId=10125388> on how
to keep an A rating (or higher!).
Customer satisfaction
With 141 fully completed questionnaires (99 SP, 42 IdP), the response of
the last SURFconext customer satisfaction survey was above expectation.
Thank you all very much for filling in the questionnaire.
Outcomes
As was the case last time, the majority of the respondents are satisfied
with SURFconext, as the good report figures show. At the same time, we
can see that there is room for improvement. You mentioned a number of
specific topics, such as a more straightforward connection process, more
self-service, and integration with other SURF services.
What is the next step?
We will be using the coming period to convert these topics into concrete
plans. Many of the topics mentioned are already top priority, but this
survey will enable us to better prioritise them.
SP Dashboard: let us know what you think
If you are currently working with the SP Dashboard and you find features
missing or see things that could be improved, please let us know at
support at surfconext.nl. In the coming months we will be working on the
SP Dashboard. Your input allows us to better assess which topics should
be added first.
The SURFconext Service Provider Dashboard <https://sp.surfconext.nl/>
enables you to manage your service(s) on the SURFconext platform. It
allows you to create, test and edit entities before promoting them to
production.