SCN is continuously improving security

Dear members of the SAP Community Network

As a reaction to the recent disclosure of weaknesses in the SSL^[1] protocol suite we have launched an initiative to provide stronger, state-of-the-art encryption technology to SCN users via HTTPS^[2] . It includes the following improvements:

1. Dropping support for all versions of the SSL protocol – in favor of the successor protocol TLS^[3]  (version 1.0, 1.1, and 1.2) for encryption via HTTPS
2. Subsequently replacing all HTTPS X.509 Server Certificates with new certificates that provide SHA-2^[4]  signatures for more reliable verification by your browser^[5]
3. Optionally offering Perfect Forward Secrecy^[6]  to clients that support it (support for Perfect Forward Secrecy will probably be extended to even more browsers in the near future)
4. We are dropping support for weak encryption ciphers including RC4^[7]  and subsequently also 3DES^[8]  to avoid a false sense of security – especially when connecting over an untrusted network, like a public WiFi network or a shared computer in an Internet café

Most of our activities to improve the quality of service are completely transparent to all our end-users. However, in some cases technical restrictions forbid to implement important changes in a backward-compatible way; a tradeoff that may then affect a specific fraction of the user-base. The last point in the above list represents such a change.

By dropping support for weak encryption, users of some older browser-software (for which no updates and support are offered) will no longer be able to establish a secure connection via HTTPS protocol with SCN systems. Currently, we are aware that only users of Microsoft Internet Explorer 8 (or earlier) on Windows XP operating system may no longer be able to access all of the SAP Community Network via HTTPS (because this combination depends on weak ciphers (RC4 or 3DES). Logon may fail and consequentially only anonymously accessible content can be viewed via unencrypted HTTP protocol. However as more and more of our web applications will be accessible via HTTPS only in the future, the impact may become more significant. For users not able to update to a more recent version of Windows than XP SP2, there is a temporary workaround to access our sites by using an alternative browser like for example Firefox, which you can download and use freely^[9] .

However, this workaround cannot be considered a solution as Microsoft has officially declared end of life for Windows XP more than 6 months ago, and warns that “it’ll become five times more vulnerable to security risks and viruses”^[10] . If you are personally affected by this change, maybe you can use this reference to convince your local IT team that you have a business need for an upgrade.

In the coming years we may be forced to further tighten the HTTPS settings and stay up-to-date reflecting proper mitigation as more vulnerabilities are identified and disclosed. We will always try to do this with the least possible drawback and regression for end-users and aim to announce such changes as early as possible. On behalf of my team I apologize for the inconvenience this may involve. Thank you for your understanding!

Best Regards

Fabian Krönner

Team Lead for Production Management of External Community Portals

External References:

^{[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566}

^{[2] https://en.wikipedia.org/wiki/HTTP_Secure}

^{[3] https://en.wikipedia.org/wiki/Transport_Layer_Security}

^{[4] https://en.wikipedia.org/wiki/Secure_Hash_Algorithm}

^{[5] https://blog.mozilla.org/security/2014/09/23/phasing-out-certificates-with-sha-1-based-signature-algorithms/}

^{[6] https://en.wikipedia.org/wiki/Forward_secrecy#Perfect_forward_secrecy}

^{[7] https://en.wikipedia.org/wiki/RC4}

^{[8] https://en.wikipedia.org/wiki/Triple_DES}

^{[9] https://www.mozilla.org/en-US/firefox/all}

^{[10] http://windows.microsoft.com/en-us/windows/end-support-help}