7.5. Security Management
SOC2 type 2
Babelway has put in place an Information Security Management System (ISMS) compliant with ISO27001 guidelines. Babelway’s policy regarding security can be consulted online at http://www.babelway.com/security-policy. The system ensures processes are in place to meet the policy’s objectives.
Babelway has complied with the SOC2 Type 2 norm since 2013 and is audited yearly by Kirkpatrick (formerly by KPMG and Deloitte).
Certificate management
Selection of Trusted Root CA
Babelway users can explicitly select the trusted parties (root CAs) used for their secure transfers. For convenience, a general-purpose default system list is also provided. This list is based on the Mozilla trusted Certificate Authorities published at https://firefox-source-docs.mozilla.org/security/nss/index.html
SFTP host key update
The host key of all SFTP servers used in Babelway gateways will be changed on May 1st 2023. After this change, your SFTP client may ask you to add the new host key to its list of known (authorised) host keys.
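A host key rotation is exactly the situation in which a client should not accept a new key blindly: the announced fingerprint should be compared with what the client has pinned. The following is an added example, not Babelway's own code, showing how to compute the OpenSSH SHA256 fingerprint of a key stored in a known_hosts file and classify it against a fingerprint obtained out of band. The host name, address and Ed25519 key below are constructed placeholders, not real Babelway values.

```python
"""Verify a pinned SFTP host key against an out-of-band fingerprint.

Added example (not Babelway code). Reads plain known_hosts lines, computes
the fingerprint in the form 'ssh-keygen -lf' prints and compares it with the
fingerprint the provider announced. All sample values are constructed.
"""
import base64
import hashlib
import struct
from typing import Dict, List, Optional

# Constructed placeholder: 32 bytes standing in for an Ed25519 public key.
_FAKE_ED25519_RAW = bytes(range(32))


def build_openssh_key_blob(key_type: str, raw_key: bytes) -> bytes:
    """Wire-format blob OpenSSH stores for Ed25519: length-prefixed type
    string followed by the length-prefixed raw key."""
    return (struct.pack(">I", len(key_type)) + key_type.encode()
            + struct.pack(">I", len(raw_key)) + raw_key)


def fingerprint_sha256(blob_b64: str) -> str:
    """'SHA256:' + unpadded base64 of the SHA-256 digest of the key blob,
    which is what ssh-keygen and the client's 'host key changed' warning show."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_known_hosts(text: str) -> List[Dict[str, str]]:
    """Parse plain (unhashed) known_hosts lines into host/type/key entries.
    Hashed entries ('|1|salt|hash ...') are skipped: the host name cannot be
    recovered from them here without reproducing the HMAC scheme."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("|1|"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        hosts, key_type, blob_b64 = parts[0], parts[1], parts[2]
        for host in hosts.split(","):  # "host,ip" entries pin both names
            entries.append({"host": host, "type": key_type, "blob": blob_b64})
    return entries


def stored_fingerprint(text: str, host: str, key_type: str) -> Optional[str]:
    """Fingerprint of the key currently pinned for (host, key_type), or None."""
    for e in parse_known_hosts(text):
        if e["host"] == host and e["type"] == key_type:
            return fingerprint_sha256(e["blob"])
    return None


def host_key_status(text: str, host: str, key_type: str, expected_fp: str) -> str:
    """Classify the pinned key against the announced fingerprint:
    'unknown'  - nothing pinned yet (first connection after the rotation),
    'current'  - pinned key already matches the announced one,
    'mismatch' - pinned key differs (the old key, or something unexpected);
                 remove it and re-verify rather than accepting whatever is offered."""
    fp = stored_fingerprint(text, host, key_type)
    if fp is None:
        return "unknown"
    return "current" if fp == expected_fp else "mismatch"


# Constructed sample known_hosts content with placeholder names.
SAMPLE_BLOB = base64.b64encode(
    build_openssh_key_blob("ssh-ed25519", _FAKE_ED25519_RAW)).decode()
SAMPLE_KNOWN_HOSTS = (
    "# constructed sample, not a real known_hosts file\n"
    f"sftp.example.invalid,203.0.113.10 ssh-ed25519 {SAMPLE_BLOB}\n"
    "|1|c2FsdA==|aGFzaA== ssh-rsa AAAA\n"
)

if __name__ == "__main__":
    announced = fingerprint_sha256(SAMPLE_BLOB)  # stands in for the published value
    print("pinned fingerprint:", announced)
    print(host_key_status(SAMPLE_KNOWN_HOSTS, "sftp.example.invalid",
                          "ssh-ed25519", announced))
```

In practice the expected fingerprint comes from the provider's announcement, and a `mismatch` result is the point at which to stop and verify, not to run `ssh-keygen -R` and reconnect automatically.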
Security algorithms decommissioning plans
Babelway takes the protection of customers' data very seriously. To maintain the highest security standards and promote good security practices, Babelway occasionally needs to make security improvements and deprecate older encryption protocols.
SFTP hmac-md5, 3des-cbc, and sha1 decommissioning plan
Here is our plan to remove support for the deprecated hash algorithms, encryption methods and key exchange (kex) algorithms.
- MD5/SHA-1: these hash algorithms are now considered unreliable, and it is strongly recommended not to use them for security purposes.
- 3des-cbc: this encryption algorithm has many known vulnerabilities, and it is also recommended to avoid it in secure transactions.
The plan is aligned with these hash/encryption deprecations in the Babelway system:
- Phase 1: As of February 2021, Babelway will start monitoring traffic and request customers to migrate.
- Phase 2: As of May 31 2021, Babelway will no longer support these hash/encryption/kex algorithms for SFTP gateways.
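To know before the Phase 2 cut-off whether a client will still be able to connect, audit what it is configured to offer. The following is an added example, not Babelway's own code: it parses the `Ciphers`, `MACs` and `KexAlgorithms` directives of an OpenSSH client configuration (honouring the `+`, `^` and `-` list prefixes), or the one-per-line output of `ssh -Q cipher` / `ssh -Q mac` / `ssh -Q kex`, and reports anything the plan above retires. The sample configuration is constructed, and the hardened replacement lines are an assumption about widely supported modern defaults, not a list published on this page.

```python
"""Audit OpenSSH client algorithm settings for hmac-md5, 3des-cbc and
SHA-1 based algorithms. Added example, not Babelway code."""
import re
from typing import Dict, List

# Algorithms retired by the plan: hmac-md5 variants, hmac-sha1 variants,
# any kex ending in -sha1 (e.g. diffie-hellman-group14-sha1), and 3des-cbc.
DEPRECATED_PATTERNS = [
    re.compile(r"^hmac-md5(-96)?(-etm@openssh\.com)?$"),
    re.compile(r"^hmac-sha1(-96)?(-etm@openssh\.com)?$"),
    re.compile(r".*-sha1$"),
    re.compile(r"^3des-cbc$"),
]

# Assumed hardened replacements (not from the page): AES-GCM/CTR ciphers,
# SHA-2 MACs and curve25519 / large-group SHA-2 key exchanges.
RECOMMENDED = {
    "Ciphers": "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes128-ctr",
    "MACs": "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
            "hmac-sha2-512,hmac-sha2-256",
    "KexAlgorithms": "curve25519-sha256,curve25519-sha256@libssh.org,"
                     "diffie-hellman-group16-sha512,diffie-hellman-group14-sha256",
}

_DIRECTIVES = {"ciphers": "Ciphers", "macs": "MACs", "kexalgorithms": "KexAlgorithms"}


def is_deprecated(name: str) -> bool:
    """True if the algorithm name is one the plan removes."""
    n = name.strip().lower()
    return any(p.match(n) for p in DEPRECATED_PATTERNS)


def parse_ssh_config(text: str) -> Dict[str, List[str]]:
    """Collect the algorithms each relevant directive *enables*.
    '-list' only removes algorithms from the defaults, so it enables nothing;
    '+list' appends to and '^list' prepends to the defaults, so both enable."""
    found: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^(\w+)\s*(?:=|\s)\s*(.+)$", line)
        if not m or m.group(1).lower() not in _DIRECTIVES:
            continue
        value = m.group(2).strip()
        if value.startswith("-"):
            continue
        value = value.lstrip("+^")
        found.setdefault(_DIRECTIVES[m.group(1).lower()], []).extend(
            a.strip() for a in value.split(",") if a.strip())
    return found


def audit_ssh_config(text: str) -> Dict[str, List[str]]:
    """Map each directive to the deprecated algorithms it still enables."""
    return {d: [a for a in algs if is_deprecated(a)]
            for d, algs in parse_ssh_config(text).items()}


def audit_query_output(text: str) -> List[str]:
    """Same check for 'ssh -Q cipher|mac|kex' output (one name per line):
    this is what the binary *can* offer, not necessarily what it will."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and is_deprecated(ln)]


def hardened_lines(audit: Dict[str, List[str]]) -> List[str]:
    """Replacement directive lines for every directive that still has a hit."""
    return [f"{d} {RECOMMENDED[d]}" for d, hits in audit.items() if hits]


# Constructed sample client configuration with a placeholder host name.
SAMPLE_SSH_CONFIG = """# constructed sample, not a real ~/.ssh/config
Host sftp.example.invalid
    Ciphers aes256-ctr,aes128-ctr,3des-cbc
    MACs hmac-sha2-256,hmac-md5,hmac-sha1-etm@openssh.com
    KexAlgorithms +diffie-hellman-group14-sha1
    HostKeyAlgorithms -ssh-rsa
"""
SAMPLE_QUERY = "aes128-ctr\naes256-gcm@openssh.com\n3des-cbc\n"

if __name__ == "__main__":
    result = audit_ssh_config(SAMPLE_SSH_CONFIG)
    print(result)
    print("\n".join(hardened_lines(result)))
```

A server-side `sshd_config` uses the same directive names, so the same audit applies to a gateway you operate yourself.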
TLS 1.1 decommissioning plan
As a result of a directive from the NIH Information Security Program, Babelway will be decommissioning Transport Layer Security (TLS) 1.1 this summer. The TLS protocol encrypts the communications you submit to and receive from Babelway systems so that the data is secure and inaccessible to third parties.
Here is our plan to remove support for TLS 1.1.
TLS (Transport Layer Security) is a cryptographic protocol used to establish a secure communication channel between two systems. Babelway uses it to access the SelfService application as well as for all gateways that use HTTP as their underlying protocol; see https://en.wikipedia.org/wiki/Transport_Layer_Security.
The plan is aligned with the TLS 1.0 sunset requirement for PCI-DSS compliance:
- Phase 1: As of April 19, 2020, Babelway will deprecate TLS 1.1 on the SelfService application and Babelway API on www.babelway.net. TLSv1.1 usage is discouraged on all gateways using a TLS-based protocol, including AS2, PEPPOL, HTTP, SOAP, REST, FTPS and OFTP2. Babelway will start monitoring traffic and request customers to migrate.
- Phase 2: As of June 27, 2021, Babelway will no longer support TLS 1.1 over HTTPS on the SelfService application, Babelway API and gateways.
TLS 1.0 decommissioning plan
Here is our plan to remove support for TLS 1.0 and provide TLS 1.2 as the default encryption protocol.
TLS (Transport Layer Security) is a cryptographic protocol used to establish a secure communication channel between two systems. Babelway uses it to access the SelfService application as well as for all gateways that use HTTP as their underlying protocol; see https://en.wikipedia.org/wiki/Transport_Layer_Security.
The plan is aligned with the TLS 1.0 sunset requirement for PCI-DSS compliance:
- Phase 1: As of July 15, 2017, Babelway will support TLS 1.2 (in addition to TLS 1.1 and TLS 1.0) on the SelfService application and Babelway API on www.babelway.net as well as for all gateways using a TLS-based protocol, including AS2, PEPPOL, HTTP, SOAP, REST, FTPS and OFTP2.
- Phase 2: As of January 1, 2018, Babelway will no longer support TLS 1.0 over HTTPS on the SelfService application and Babelway API on www.babelway.net. Any older browser or API client that does not support TLS 1.1 or TLS 1.2 will no longer work. The minimum browser versions are Google Chrome 22 (June 2012), Firefox 23 (August 2013) and Internet Explorer 11 (June 2013).
To test your implementation, you are welcome to use external tools such as https://www.howsmyssl.com/.
- Phase 3: As of March 24, 2019, Babelway will no longer support TLS 1.0 for all gateways using a TLS-based protocol, including AS2, PEPPOL, HTTP, SOAP, REST, FTPS and OFTP2. Any client application not supporting TLS 1.2 or TLS 1.1 will no longer work.
Below, please find the list of supported cipher suites:
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
- TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
- TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
- TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
- TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
- TLS_RSA_WITH_AES_128_CBC_SHA
- TLS_RSA_WITH_AES_128_CBC_SHA256
- TLS_RSA_WITH_AES_256_CBC_SHA256
Babelway will also update the restrictions on algorithms applied to TLS handshaking and certification path processing.
The following algorithms will be disabled for TLS handshaking:
- SSLv3
- TLSv1
- RC4
- MD5withRSA
- DH with key size
- EC with key size
- DES40 CBC
- RC4 40
The following algorithms must not be used during certification path processing:
- MD2
- MD5
- RSA with key size
- DSA with key size
- EC with key size
This means that no signature algorithm involving MD2 or MD5 will be used to verify a certificate, and that the use of certificates with an RSA or DSA key shorter than 1024 bits, or an EC key shorter than 224 bits, is restricted.
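The cipher suite list above and the certification path restrictions together describe a client policy that can be expressed in code. The following is an added example, not Babelway's own code, that builds a Python `ssl` client context with TLS 1.2 as the floor and the listed suites, and checks a certificate chain against the key size and signature algorithm restrictions. The IANA-to-OpenSSL name table is an assumption I supply for the nine suites OpenSSL still implements (the static `TLS_ECDH_*` suites on the list were removed from OpenSSL 1.1.0 onward and have no usable name there); the certificate chain is constructed for illustration.

```python
"""Client TLS policy: TLS 1.2 minimum, the listed cipher suites, and the
certification path restrictions. Added example, not Babelway code."""
import ssl
from typing import Dict, List, Tuple

# Cipher suites from the page, keyed by IANA name, with the OpenSSL name that
# SSLContext.set_ciphers() expects (mapping is my assumption, not from the page).
SUITES: Dict[str, str] = {
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": "ECDHE-ECDSA-AES128-SHA",
    "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": "ECDHE-ECDSA-AES128-SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384": "ECDHE-ECDSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
}


def openssl_cipher_string() -> str:
    """':'-separated cipher string, forward-secret ECDHE suites first so the
    client prefers them over plain RSA key exchange when the server allows."""
    names = list(SUITES.values())
    ecdhe = [n for n in names if n.startswith("ECDHE")]
    static = [n for n in names if not n.startswith("ECDHE")]
    return ":".join(ecdhe + static)


def make_client_context() -> ssl.SSLContext:
    """Context that never offers TLS 1.0/1.1 and keeps certificate and
    host name verification on (create_default_context sets both)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(openssl_cipher_string())  # raises if none are available locally
    return ctx


def certificate_path_violations(key_algorithm: str, key_bits: int,
                                signature_algorithm: str) -> List[str]:
    """Apply the certification path restrictions to one certificate:
    no MD2/MD5 signatures, RSA/DSA keys of at least 1024 bits, EC keys of at
    least 224 bits. Inputs are as a certificate parser would report them,
    e.g. ('RSA', 2048, 'sha256WithRSAEncryption')."""
    problems: List[str] = []
    sig = signature_algorithm.lower()
    if sig.startswith(("md2", "md5")):
        problems.append(f"signature algorithm {signature_algorithm} is not accepted")
    alg = key_algorithm.upper()
    if alg in ("RSA", "DSA") and key_bits < 1024:
        problems.append(f"{alg} key of {key_bits} bits is below the 1024-bit minimum")
    if alg == "EC" and key_bits < 224:
        problems.append(f"EC key of {key_bits} bits is below the 224-bit minimum")
    return problems


def check_chain(chain: List[Tuple[str, str, int, str]]) -> Dict[str, List[str]]:
    """Run the check over (subject, key_algorithm, key_bits, signature_algorithm)
    tuples and return only the certificates that fail, with their reasons."""
    failures = {}
    for subject, alg, bits, sig in chain:
        problems = certificate_path_violations(alg, bits, sig)
        if problems:
            failures[subject] = problems
    return failures


# Constructed sample chain: a sound leaf and root around a legacy intermediate.
SAMPLE_CHAIN = [
    ("leaf sftp.example.invalid", "EC", 256, "ecdsa-with-SHA256"),
    ("legacy-intermediate", "RSA", 1024, "md5WithRSAEncryption"),
    ("root", "RSA", 4096, "sha256WithRSAEncryption"),
]

if __name__ == "__main__":
    print(openssl_cipher_string())
    print(make_client_context().minimum_version)
    print(check_chain(SAMPLE_CHAIN))
```

Note that a 1024-bit RSA key passes the size rule as written on the page (only keys shorter than 1024 bits are restricted), so in the sample chain the intermediate fails on its MD5 signature alone.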
If you have any questions, please don't hesitate to contact support@babelway.net.
Internet Explorer 11 decommissioning plan
Microsoft drops support for Internet Explorer 11 (IE 11) as of August 17, 2021.
For security reasons, we can no longer support this browser as of that date. If you are currently using IE 11, we recommend you switch to Chrome, Firefox or Safari by that date.
This means that, after that date, new Tradeshift Babelway functionality may not work in Internet Explorer, and no minor bugs or cosmetic issues will be fixed for Internet Explorer.