Skip to Content
Author's profile photo Former Member

SCN is continuously improving security

Dear members of the SAP Community Network

As a reaction to the recent disclosure of weaknesses in the SSL[1] protocol suite we have launched an initiative to provide stronger, state-of-the-art encryption technology to SCN users via HTTPS[2] . It includes the following improvements:

  1. Dropping support for all versions of the SSL protocol – in favor of the successor protocol TLS[3]  (version 1.0, 1.1, and 1.2) for encryption via HTTPS
  2. Subsequently replacing all HTTPS X.509 Server Certificates with new certificates that provide SHA-2[4]  signatures for more reliable verification by your browser[5]
  3. Optionally offering Perfect Forward Secrecy[6]  to clients that support it (support for Perfect Forward Secrecy will probably be extended to even more browsers in the near future)
  4. We are dropping support for weak encryption ciphers including RC4[7]  and subsequently also 3DES[8]  to avoid a false sense of security – especially when connecting over an untrusted network, like a public WiFi network or a shared computer in an Internet café

Most of our activities to improve the quality of service are completely transparent to all our end-users. However, in some cases technical restrictions forbid to implement important changes in a backward-compatible way; a tradeoff that may then affect a specific fraction of the user-base. The last point in the above list represents such a change.

By dropping support for weak encryption, users of some older browser-software (for which no updates and support are offered) will no longer be able to establish a secure connection via HTTPS protocol with SCN systems. Currently, we are aware that only users of Microsoft Internet Explorer 8 (or earlier) on Windows XP operating system may no longer be able to access all of the SAP Community Network via HTTPS (because this combination depends on weak ciphers (RC4 or 3DES). Logon may fail and consequentially only anonymously accessible content can be viewed via unencrypted HTTP protocol. However as more and more of our web applications will be accessible via HTTPS only in the future, the impact may become more significant. For users not able to update to a more recent version of Windows than XP SP2, there is a temporary workaround to access our sites by using an alternative browser like for example Firefox, which you can download and use freely[9] .

However, this workaround cannot be considered a solution as Microsoft has officially declared end of life for Windows XP more than 6 months ago, and warns that “it’ll become five times more vulnerable to security risks and viruses”[10] . If you are personally affected by this change, maybe you can use this reference to convince your local IT team that you have a business need for an upgrade.

In the coming years we may be forced to further tighten the HTTPS settings and stay up-to-date reflecting proper mitigation as more vulnerabilities are identified and disclosed. We will always try to do this with the least possible drawback and regression for end-users and aim to announce such changes as early as possible. On behalf of my team I apologize for the inconvenience this may involve. Thank you for your understanding!

Best Regards

Fabian Krönner

Team Lead for Production Management of External Community Portals

External References:

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566

[2] https://en.wikipedia.org/wiki/HTTP_Secure

[3] https://en.wikipedia.org/wiki/Transport_Layer_Security

[4] https://en.wikipedia.org/wiki/Secure_Hash_Algorithm

[5] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

[6] https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_forward_secrecy

[7] https://en.wikipedia.org/wiki/RC4

[8] https://en.wikipedia.org/wiki/Triple_DES

[9] https://www.mozilla.org/en-US/firefox/all

[10] http://windows.microsoft.com/en-us/windows/end-support-help

Assigned Tags

      32 Comments
      You must be Logged on to comment or reply to a post.
      Author's profile photo Lucas Gabriel Correa da Costa
      Lucas Gabriel Correa da Costa

      Hi, Any chance of releasing the user migration at some point?

      Thanks

      Author's profile photo Oliver Kohl
      Oliver Kohl

      Hi Lucas,

      is this off topic? What do you mean by user migration?

      Thanks,

        Oliver

      Author's profile photo Lucas Gabriel Correa da Costa
      Lucas Gabriel Correa da Costa

      Hi Oliver, yes I guess it's a little bit off topic...Sorry for that.

      I mean, I used to have another SCN user, attached to an S-Number, which was deactivated. I would like to migrate all connections, points to this new one..

      Cheers.

      Lucas

      Author's profile photo Oliver Kohl
      Oliver Kohl

      Hi Lucas,

      there is no migration option at this point, but we are working on a long term solution.

      Best,

        Oliver

      Author's profile photo Lucas Gabriel Correa da Costa
      Lucas Gabriel Correa da Costa

      Thanks for the feedback

      Cheers,

      Lucas

      Author's profile photo nikhil k
      nikhil k

      Hello Oliver,

      Is there any option to change the Email ID for the Old SCN user ID. I was Having User ID when i was contract employee in SAP with the employee ID C5174548 , User name was also with the same name. In 2013 December , i lot the access to that user ID even if i knew the password for that. Is there any way to get that user ID back. I had so many discussion done with that user ID and it would be great if i get back that and start using it.

      Below is link of my previous User ID.

      http://scn.sap.com/people/c5174548/profile

      Thank you.

      BR,

      Nikhil Kulkarni

      Author's profile photo Oliver Kohl
      Oliver Kohl

      Hi Nikhil,

      at this point there it is not possible to change the user ID, but we are working on a long term solution.

      Author's profile photo Florian Henninger
      Florian Henninger

      Nice one. Good to see the upcoming improvements. Security is always a very sensitive theme.

      Also cool that you took some time to share weblinks about it.

      ~Florian

      Author's profile photo Kiran Basavaraju
      Kiran Basavaraju

      Good One.. !

      Author's profile photo Darshan Pithadiya
      Darshan Pithadiya

      Good

      Author's profile photo BACHINA RAJESH
      BACHINA RAJESH

      good

      Author's profile photo Former Member
      Former Member

      It is no big surprise, when this step taken by SAP team. As i have seen since years SAP never compromises on Security and many other such Attributes. 😎

      Author's profile photo Former Member
      Former Member

      nice.

      Author's profile photo Former Member
      Former Member

      While the Transport Layer Security (TLS) cryptographic protocol superceeds SSL in the protection of web applications, the additional checks could lead to some delay in the HTTPS session establishment. Thanks for update.

      Author's profile photo Former Member
      Former Member
      Blog Post Author

      Hello Waldemar

      You are correct that the more advanced ciphers often (but not always) come with a performance penalty. Most notably when Perfect Forward Secrecy with Diffie–Hellman key exchange is negotiated during the initial handshake. In the future, we may add support for Elliptic Curve ciphers if possible to reduce this impact. (Elliptic curve cryptography - Wikipedia, the free encyclopedia)

      However, this drawback should be partially compensated by AES encryption with  hardware acceleration which is present in most current processor generations (e.g. Intel's AES-NI) and which should be able to effectively reduce the processor utilization once the HTTPS session is established.

      Please also bear in mind that Perfect Forward Secrecy is an optional feature and we offer conventional key exchange as a fallback configuration to the client.

      Best Regards

      Fabian

      Author's profile photo Former Member
      Former Member

      Good...

      Author's profile photo Niladri Bihari Nayak
      Niladri Bihari Nayak

      Is google chrome ok?

      Author's profile photo Swanand Arun Panchi
      Swanand Arun Panchi

      I am not a Technical person but i understood that this update is for security purpose.

      I want to see Mobile application for SCN. Are you planning for it??

      Author's profile photo Florian Henninger
      Florian Henninger

      Because you doing your work also mobile with your phone? I don't see a good reason that SCN should go for mobile devices...

      But hey, perhaps I'm wrong with my point of view

      ~Florian

      Author's profile photo Former Member
      Former Member

      Because reading SCN blogs on a mobile device on a trip back home from work is definitely a bad idea? I don't see why such a simple request should meet negative criticism specially when the whole world is going mobile, let alone SAP's own mobile apps.

      Not only should SCN go native mobile, they should come up with a decent app to use their learning hub on tablets too. After all, what use is all the promotion of SAP Mobile Platform, UI/UX if their own content can't be displayed on user friendly and engaging mobile app?

      Swanand

      There's no dedicated app but you can use jive mobile classic as described here:

      Mobile Browsing Using SCN Mobile Apps: iOS, Android, Blackberry

      -Aabhas

      Author's profile photo Florian Henninger
      Florian Henninger

      That's why I said, I' probably wrong 😉

      In my opinion I don't see a need to get SCN full used in mobile devices.

      Reading is today no problem, at least if you use a windows phone.

      The learning Hub is another tiopic to discuss. Don't mix it up. I absolutely agree with the LH.

      ~Florian

      Author's profile photo Oliver Kohl
      Oliver Kohl

      Hi Swanand,

      the should still work: Mobile Browsing Using SCN Mobile Apps: iOS, Android, Blackberry

      But there is always a plan for a better mobile experience.

      Best,

        Oliver

      Author's profile photo Swanand Arun Panchi
      Swanand Arun Panchi

      Thanks a lot

      Author's profile photo Former Member
      Former Member

      Thanks for the update.

      Author's profile photo Tony Castillo
      Tony Castillo

      Good, Thanks.

      Author's profile photo Shailendra Karada
      Shailendra Karada

      Good

      Author's profile photo Gabriel Moreno
      Gabriel Moreno

      Thanks for the update.

      Author's profile photo Puneet K. Tripathi
      Puneet K. Tripathi

      Great , Thank You.

      Author's profile photo Puneet K. Tripathi
      Puneet K. Tripathi

      Thank for update.

      Author's profile photo Jago Livingstone
      Jago Livingstone

      Thanks for the update.

      Author's profile photo Former Member
      Former Member

      Good one!

      Author's profile photo Former Member
      Former Member

      Good