The Road Ahead

A recent and dangerous vulnerability has been found in the Apache Log4j logging software library. This is a widely used software library found in applications ranging from Apache through Minecraft through to complex web services.

We do not use Log4j in any of our products, services or websites. Nor do we use Apache in any of our hosting services. As per Microsoft's official response, we do not currently believe our servers and systems are exposed.

We are investigating whether any third-party service, product or application we may use is potentially at risk. If any are, we will mitigate the risk where possible and update when fixes are released.

We have removed support for TLS 1.0 and TLS 1.1 from our servers with immediate effect (16:00, 26th March 2020). This has been done to enhance the security of our services and is accordance with best practices as outlined in IETF RFC 7525. TLS 1.0 and 1.1 have known security issues and there are no fixes or patches available.

If you are using a certificate based on either of these protocols, you must update them with a TLS 1.2+ certificate immediately. If you are, or wish to be, PCI-DSS compliant, you should adopt TLS 1.2+.

Most mainstream web browsers will cease support for TLS 1.0 and TLS 1.2 in the first half of 2020. Approximate deadlines are:

• Microsoft IE & Edge - first half of 2020
• Mozilla Firefox - March 2020
• Safari/WebKit - March 2020
• Google Chrome - January 2020

Most web browsers will issue a security warning if you attempt to connect to a website using either TLS 1.0 or TLS 1.1. To ensure you receive the best possible protection, we advise you to upgrade your web browser to the latest version. Most web browsers will do this automatically.

Let's Encrypt / SSLForFree Certificates

All free certificates generated through our hosting control panel since the beginning of March have been TLS 1.2+.