TLS 1.0 and TLS 1.1 cryptographic standards removal notice

Amplitude_Admin

Amplitude application interfaces (API) to enforce a minimum of TLS 1.2 beginning Nov 28, 2022.

Security and privacy are of paramount priority here at Amplitude and we are constantly evolving our security processes based on industry best practices. Part of that evolution is the enforcement of strong cryptographic standards in our environment. The use of at least TLS 1.2 is a recommended security best practice for improved privacy and data integrity and to maintain compliance with the latest industry standards. Last year, Amplitude removed support for TLS 1.0 and TLS 1.1 on Amplitude’s web application https://analytics.amplitude.com. We continued API support for TLS versions 1.0 and 1.1 until now to maintain backward compatibility for customers that have older or difficult to update clients. However, given industry adoption of the TLS 1.2 and negligible traffic received using these older versions,Amplitude has made the decision to employ these higher standards across our environment and deprecate support for TLS 1.0 and TLS 1.1 across all its application interfaces (API) beginning Nov 28, 2022.

 

Impact of the change

The purpose of this announcement is to minimize any potential operational disruptions to our customers with our  deprecation of support for TLS 1.0 and TLS 1.1. The vast majority of traffic will be unaffected by the deprecation of support for TLS 1.0 and 1.1; more than 99.97% of Amplitude API traffic is already on TLS 1.2. 

Traffic from Android versions 4.4 or older are the main contributors to the negligible TLS 1.1 or TLS 1.0 traffic on Amplitude’s API. Android versions older than 4.4 do not support TLS 1.1 or 1.0 and therefore, with this change, will no longer be supported by Amplitude. Google officially stopped supporting Android 4.4 in October 2017 and no longer provides updates for this version of the operating system, including critical security fixes. 

If you have any questions about this change, please reach out to the Security team by emailing security@amplitude.com.

 

Frequently asked questions

1. How do I know if i’m impacted?

   •  If you have configured support for TLS 1.1 and TLS 1.0 on your application, you may be impacted by this change. This portal provides an overview of all the client applications which currently do and do not support TLS versions 1.1 and below.

2. What is the expected impact?

   •  If your applications currently support these versions, you will not receive analytics information from customers who engage with those applications using the older versions of TLS.

3. If I am impacted, how can I solve this so it doesn’t impact me?

   • If your application currently supports these versions of TLS, Amplitude recommends that you deprecate support for the same. Please reach out to security@amplitude.com if you have additional questions or concerns. Our security team will work with you to find the right solution.