Dear members of the SAP Community Network

As a reaction to the recent disclosure of weaknesses in the SSL[1] protocol suite we have launched an initiative to provide stronger, state-of-the-art encryption technology to SCN users via HTTPS[2]. It includes the following improvements:

  1. Dropping support for all versions of the SSL protocol – in favor of the successor protocol TLS[3] (versions 1.0, 1.1, and 1.2) for encryption via HTTPS
  2. Subsequently replacing all HTTPS X.509 server certificates with new certificates that carry SHA-2[4] signatures for more reliable verification by your browser[5]
  3. Optionally offering Perfect Forward Secrecy[6] to clients that support it (support for Perfect Forward Secrecy will probably be extended to even more browsers in the near future)
  4. Dropping support for weak encryption ciphers, including RC4[7] and subsequently also 3DES[8], to avoid a false sense of security – especially when connecting over an untrusted network, like a public WiFi network or a shared computer in an Internet café

Most of our activities to improve the quality of service are completely transparent to all our end users. However, in some cases technical restrictions prevent us from implementing important changes in a backward-compatible way; this is a tradeoff that may then affect a specific fraction of the user base. The last point in the above list represents such a change.

By dropping support for weak encryption, users of some older browser software (for which no updates or support are offered) will no longer be able to establish a secure connection via the HTTPS protocol with SCN systems. Currently, we are aware that only users of Microsoft Internet Explorer 8 (or earlier) on the Windows XP operating system may no longer be able to access all of the SAP Community Network via HTTPS, because this combination depends on weak ciphers (RC4 or 3DES). Logon may fail, and consequently only anonymously accessible content can be viewed, via the unencrypted HTTP protocol. However, as more and more of our web applications will be accessible via HTTPS only in the future, the impact may become more significant. For users not able to update to a more recent version of Windows than XP SP2, there is a temporary workaround to access our sites by using an alternative browser, for example Firefox, which you can download and use freely[9].
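As an added illustration, not part of the original post, the following Python model works through the policy listed above and the Internet Explorer 8 / Windows XP case: it simulates which protocol and cipher the server would pick for a given client hello once SSL, RC4 and 3DES are removed and PFS suites are preferred. The server preference order and the client profiles are assumptions constructed for this example, not SCN's actual configuration.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional
# Protocols the new configuration accepts: every SSL version is dropped.
ALLOWED_PROTOCOLS = {"TLSv1.0", "TLSv1.1", "TLSv1.2"}
# Cipher families removed as weak (RC4 now, 3DES subsequently), plus NULL/EXPORT.
WEAK_CIPHER = re.compile(r"RC4|3DES|DES-CBC3|NULL|EXPORT", re.IGNORECASE)
# Server preference order (an assumption for this example): PFS suites first,
# conventional RSA key exchange kept as the fallback the post mentions.
SERVER_PREFERENCE = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES128-GCM-SHA256",
    "AES128-GCM-SHA256",
    "AES128-SHA",
]

@dataclass
class Outcome:
    ok: bool
    protocol: Optional[str] = None
    cipher: Optional[str] = None
    forward_secrecy: bool = False
    reason: str = ""

def has_forward_secrecy(cipher: str) -> bool:
    """Ephemeral (EC)DHE key exchange yields per-session keys: Perfect Forward Secrecy."""
    return cipher.startswith(("ECDHE-", "DHE-"))

def negotiate(client_protocols: Iterable[str], client_ciphers: Iterable[str]) -> Outcome:
    """Simulate the server's choice for one client hello under the new policy."""
    common = ALLOWED_PROTOCOLS & set(client_protocols)
    if not common:
        return Outcome(False, reason="client offers only SSL, no TLS version")
    protocol = max(common)  # "TLSv1.2" > "TLSv1.1" > "TLSv1.0" sorts correctly
    offered = [c for c in client_ciphers if not WEAK_CIPHER.search(c)]
    if protocol != "TLSv1.2":  # AEAD (GCM) suites only exist from TLS 1.2 on
        offered = [c for c in offered if "GCM" not in c]
    for cipher in SERVER_PREFERENCE:  # server preference wins, not client order
        if cipher in offered:
            return Outcome(True, protocol, cipher, has_forward_secrecy(cipher))
    return Outcome(False, protocol, reason="client offers only weak ciphers (RC4/3DES)")

if __name__ == "__main__":
    clients = {  # constructed profiles; the IE8/XP one mirrors the post's description
        "IE8 on Windows XP": (["SSLv3", "TLSv1.0"], ["RC4-SHA", "RC4-MD5", "DES-CBC3-SHA"]),
        "current Firefox": (["TLSv1.0", "TLSv1.1", "TLSv1.2"], ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]),
    }
    for name, (protos, ciphers) in clients.items():
        print(f"{name}: {negotiate(protos, ciphers)}")
```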

However, this workaround cannot be considered a solution, as Microsoft officially declared end of life for Windows XP more than 6 months ago and warns that “it’ll become five times more vulnerable to security risks and viruses”[10]. If you are personally affected by this change, maybe you can use this reference to convince your local IT team that you have a business need for an upgrade.

In the coming years we may be forced to further tighten the HTTPS settings to stay up to date with proper mitigations as more vulnerabilities are identified and disclosed. We will always try to do this with the least possible drawback and regression for end users and aim to announce such changes as early as possible. On behalf of my team I apologize for the inconvenience this may involve. Thank you for your understanding!

Best Regards

Fabian Krönner

Team Lead for Production Management of External Community Portals

External References:

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566

[2] https://en.wikipedia.org/wiki/HTTP_Secure

[3] https://en.wikipedia.org/wiki/Transport_Layer_Security

[4] https://en.wikipedia.org/wiki/Secure_Hash_Algorithm

[5] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/

[6] https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_forward_secrecy

[7] https://en.wikipedia.org/wiki/RC4

[8] https://en.wikipedia.org/wiki/Triple_DES

[9] https://www.mozilla.org/en-US/firefox/all

[10] http://windows.microsoft.com/en-us/windows/end-support-help


33 Comments


      1. Lucas Gabriel Correa da Costa

        Hi Oliver, yes I guess it’s a little bit off topic… Sorry for that.

        I mean, I used to have another SCN user, attached to an S-Number, which was deactivated. I would like to migrate all connections, points to this new one..

        Cheers.

        Lucas

        (0) 
          1. nikhil k

            Hello Oliver,

            Is there any option to change the email ID for the old SCN user ID? I had a user ID when I was a contract employee at SAP, with the employee ID C5174548; the user name was also the same. In December 2013, I lost access to that user ID even though I knew the password for it. Is there any way to get that user ID back? I had so many discussions with that user ID and it would be great if I could get it back and start using it.

            Below is link of my previous User ID.

            http://scn.sap.com/people/c5174548/profile

            Thank you.

            BR,

            Nikhil Kulkarni

            (0) 
  1. ANWAR HUSSAIN

    It is no big surprise when this step is taken by the SAP team. As I have seen over the years, SAP never compromises on security and many other such attributes. 😎

    (0) 
  2. Waldemar Schneider

    While the Transport Layer Security (TLS) cryptographic protocol supersedes SSL in the protection of web applications, the additional checks could lead to some delay in the HTTPS session establishment. Thanks for the update.

    (0) 
    1. Fabian Kroenner Post author

      Hello Waldemar

      You are correct that the more advanced ciphers often (but not always) come with a performance penalty, most notably when Perfect Forward Secrecy with Diffie–Hellman key exchange is negotiated during the initial handshake. In the future, we may add support for Elliptic Curve ciphers if possible to reduce this impact (see Elliptic curve cryptography – Wikipedia, the free encyclopedia).

      However, this drawback should be partially compensated by AES encryption with hardware acceleration, which is present in most current processor generations (e.g. Intel’s AES-NI) and which should be able to effectively reduce the processor utilization once the HTTPS session is established.

      Please also bear in mind that Perfect Forward Secrecy is an optional feature and we offer conventional key exchange as a fallback configuration to the client.

      Best Regards

      Fabian

      (0) 
    1. Fabian Kroenner Post author

      Hello Niladri

      Yes, Google Chrome is also compatible with the described changes to our HTTPS configuration. However, please be aware that Google started to phase out support for 32-bit operating systems starting with the Mac OS X version. I mentioned only Firefox explicitly, because I am not sure when Google might do the same for the Windows version of the Chrome browser.

      Best Regards

      Fabian

      (0) 
    1. Florian Henninger

      Because you are doing your work on your phone as well? I don’t see a good reason that SCN should go for mobile devices…

      But hey, perhaps I’m wrong with my point of view

      ~Florian

      (0) 
      1. Aabhas K Vishnoi

        Because reading SCN blogs on a mobile device on a trip back home from work is definitely a bad idea? I don’t see why such a simple request should meet negative criticism, especially when the whole world is going mobile, let alone SAP’s own mobile apps.

        Not only should SCN go native mobile, they should come up with a decent app to use their learning hub on tablets too. After all, what use is all the promotion of SAP Mobile Platform, UI/UX if their own content can’t be displayed in a user-friendly and engaging mobile app?

        Swanand

        There’s no dedicated app but you can use jive mobile classic as described here:

        Mobile Browsing Using SCN Mobile Apps: iOS, Android, Blackberry

        -Aabhas

        (0) 
        1. Florian Henninger

          That’s why I said I’m probably wrong 😉

          In my opinion I don’t see a need to get SCN fully usable on mobile devices.

          Reading is no problem today, at least if you use a Windows Phone.

          The Learning Hub is another topic to discuss. Don’t mix it up. I absolutely agree with the LH.

          ~Florian

          (0) 
