
TLS Support?

Good morning.

I'm considering buying a package and moving away from being a free user, since there's a big project that I want to run online.

The main requirements I have are that it must support TLS 1.2 and send/receive JSON. I'm not sure how easy it is to get TLS up and running (the main reason I'm not doing it locally is that I'm finding it difficult to get certificates on a Windows machine and I'm not keen on port forwarding).

Everything I've read mentions SSL so I'm assuming it is interchangeable. I just wanted to check here before I make any decisions.

Thank you.

Yes - SSL usually refers to the SSL certificates in general, and TLS 1.2 is one particular protocol version used by SSL certificates (although there are also specific protocols like SSLv2 and SSLv3). There are both paid options (eg: get it from comodo) and free options (eg: letsencrypt).

You wouldn't have to do any port forwarding on PythonAnywhere - we would take care of all deployment issues like that for you after you set up your webapp.

I would also suggest testing out your project on a free PythonAnywhere webapp to make sure you can do the TLS 1.2 and JSON send/receive before you upgrade (it is all supported on our end, but just in case you don't know how to code it etc.).

Thank you!

I had assumed that I needed a paid account for TLS support, so I'll first do testing on a free account. The load quantity definitely means I want to try to get a paid account.

So for a free account, we actually support all the encryption stuff for you, because we own the username.pythonanywhere.com domain. So https works out of the box without you needing to do anything. However, for a custom domain, it's a bit trickier for us to get a cert for you, so at the moment there are some steps you need to go through to get your own cert and apply it to your own webapp etc.

Speaking of TLS, it appears my PA site with LetsEncrypt supports TLS 1.0 and 1.1, which are insecure. Is there anything I can do on my end about this?

Just to clarify, is the problem that it supports those non-secure TLS versions in addition to the more recent secure versions? Or is it showing up as only supporting those old non-secure versions?

That it supports those non-secure TLS versions. It also supports 1.2 and 1.3. Microsoft and others have recommended removing support for 1.0 and 1.1 entirely. I'm not very familiar with TLS or how big a security issue this is. I ran my site through this service to see its TLS support.

Thanks! That's something we'd have to change on our side -- we'll look into it, but we'd have to think hard about it. The reason is that it's a site-wide change, and so if we did it, TLS 1.0 and 1.1 would stop working for every website that we host, and of course there could be someone using our service to host a site for which those TLS versions are important (say, something that's handling requests from IoT devices or some other kind of hardware that only supports older versions of TLS). I think we'll need to instrument the system to work out whether we are handling any connections using those versions first.

Makes sense, thanks!

Hi, is there an update on this?

We're currently running an analysis of which sites have clients that use 1.0 and 1.1, and the early indications are that there are quite a lot of them. This makes us reluctant to just switch those versions off right now; as you might have read, the big browser makers have delayed their own sunsetting of the old protocols due to the Coronavirus pandemic -- essentially, they feel that right now is a really bad time to be forcing sites offline for some users, and likewise we don't think it would be a good thing to do on our side.

What we'll probably do is email the people who have sites that still have users who are using the old protocols to give them early warning, but not take action until after the lockdown is over and people have had time to work out a plan of action.

Excuse my ignorance, but how do I check, and upgrade if I am on one of the older versions?

You don't need to do anything to upgrade -- all sites that we host support TLS versions 1.0, 1.1, and 1.2. When a browser connects to your site, it says which versions it supports, and the server will say which ones it supports, and the two will then use the most recent one that they can both handle. In general, that will mean that they'll choose 1.2, because all modern browsers -- ones released since around 2013 -- can handle that version. About 99% of the traffic to sites that we host use 1.2.

The problem that people are talking about here is that we support 1.0 and 1.1, even though they are not used for the vast majority of connections. We allow browsers to use those older versions to support people whose sites are visited by those 1% of users who are using really old browsers that don't support 1.2.

The problem with supporting older TLS versions is that a hacker who somehow got themselves onto the network in between a browser and a server could potentially tinker with the network connection and trick a browser and a server that both support TLS 1.2 into thinking that they actually have to use 1.0 or 1.1; there are security flaws in those older protocol versions that could potentially allow stuff to be decrypted.

The problem with not supporting the older versions is that the small number of people with older browsers -- old smartphones, mostly -- cannot access sites that we host if we don't support 1.0 and 1.1. Right now, during the pandemic, we think that we should not block them, but once things have calmed down a bit, it might make sense to change that.
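As an added example to go with the reply above (this is not code from PythonAnywhere or from anyone in the thread), here is a Python script that answers the "how do I check" question: it pins a client to one TLS version at a time and asks the server to complete a handshake, so each version becomes a yes/no answer rather than relying on the normal "highest version both sides share" negotiation. It also shows the server-side context setting that a host would flip to stop offering 1.0/1.1. Hostnames are assumptions (the script takes one on the command line), and `simulated_connect` is a constructed stand-in for a server that only speaks 1.2 and 1.3, included so the logic runs offline.

```python
"""Probe which TLS versions a server will complete a handshake at.

Added example, not part of the original forum thread.  Usage:
    python tls_probe.py some.host.example [port]
"""
import socket
import ssl
import sys

# Oldest first so the report reads top-down.  Labels match what
# SSLSocket.version() returns after a successful handshake.
LABEL = {
    ssl.TLSVersion.TLSv1: "TLSv1",
    ssl.TLSVersion.TLSv1_1: "TLSv1.1",
    ssl.TLSVersion.TLSv1_2: "TLSv1.2",
    ssl.TLSVersion.TLSv1_3: "TLSv1.3",
}


def pinned_context(version):
    """Client context that offers exactly one protocol version.

    A normal client offers a range and the server picks the newest one it
    shares; pinning minimum == maximum turns the handshake into the question
    "will you speak *this* version?".  Certificate checks are off because we
    only care about the negotiated version here, not the peer's identity.
    Raises ValueError when the local OpenSSL cannot offer `version` at all.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # OpenSSL's default security level (2 on OpenSSL 3) refuses to even
        # offer TLS 1.0/1.1; lower it so the result reflects the server, not us.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # e.g. LibreSSL has no @SECLEVEL; the probe still works
    return ctx


def real_connect(host, port, ctx, timeout=5.0):
    """Do a real handshake and return the negotiated version label."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def simulated_connect(host, port, ctx):
    """Constructed stand-in for a server that accepts only TLS 1.2 and 1.3
    (the policy the thread is asking for).  Exists so the probe runs offline."""
    offered = ctx.minimum_version  # pinned, so minimum == maximum
    if offered in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        return LABEL[offered]
    raise ssl.SSLError("handshake failure: version not offered by server")


def probe_versions(host, port=443, connect=real_connect):
    """Return {label: True | False | None} for each TLS version.

    True  - the server completed a handshake at that version
    False - it refused (alert, reset, timeout, ...)
    None  - our local OpenSSL cannot offer that version, so it is unknown
    """
    results = {}
    for version, label in LABEL.items():
        try:
            ctx = pinned_context(version)
        except (ValueError, ssl.SSLError):
            results[label] = None
            continue
        try:
            # ssl.SSLError is an OSError subclass, so one clause covers
            # handshake alerts, resets and timeouts alike.
            results[label] = connect(host, port, ctx) == label
        except OSError:
            results[label] = False
    return results


def server_context(allow_legacy=False):
    """Server-side counterpart: the one setting a host flips to drop 1.0/1.1.

    Explicit minimum_version documents the policy even on Python versions
    whose default is already TLS 1.2.  Load a certificate with
    ctx.load_cert_chain(...) before using it; none is loaded here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = (ssl.TLSVersion.TLSv1 if allow_legacy
                           else ssl.TLSVersion.TLSv1_2)
    return ctx


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit(__doc__)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for label, ok in probe_versions(target, target_port).items():
        state = {True: "yes", False: "no", None: "unknown (not offerable locally)"}[ok]
        print(f"{label:8} {state}")
```

A "no" for TLS 1.0 and 1.1 together with "yes" for 1.2 and 1.3 is the outcome the thread is asking the host for; a "yes" on 1.0/1.1 means the server still accepts the downgraded handshake described above, whatever modern browsers normally negotiate.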

Thanks for the detailed explanation!

No problem!

I guess we will be warned in one way or another when the upgrade to TLS 1.2 support is made? I mean, outside the forum, that is?

We already support TLS 1.2. Though we would provide some warning if we are going to disable the deprecated versions - probably on our blog.

Hello, is there any update on this? I can still see that the Let's Encrypt certificate provided supports the TLS 1.0 and TLS 1.1 versions.

TLS 1.0 and TLS 1.1 are now supported only for legacy web apps that need to have it enabled explicitly. See https://help.pythonanywhere.com/pages/TLSVersionSupport