Companies House API still supports TLS 1.0

Hi, I’ve been developing an app using the Companies House API but a recent security review identified that the server ‘https://api.companieshouse.gov.uk/’ still supports TLS 1.0 and because of this I am being prevented from rolling out my app to other users.

According to the security report:
Due to historic export restrictions of high grade cryptography, legacy and new web servers are often able and configured to handle weak cryptographic options. Even if high grade ciphers are normally used and installed, some server misconfiguration could be used to force the use of a weaker cipher to gain access to the supposed secure communication channel. Ciphers such as SSLv2/SSLv3/TLSv1.0 should not be supported by the server, or Ciphers that utilize a NULL cipher or have weak key lengths. TLS 1.0 has been declared end of life by most systems, and should no longer be used. More info at https://www.owasp.org/index.php/Testing_for_SSL-TLS_(OWASP-CM-001)

Are there any moves within Companies House to stop supporting this cypher for the API?

Thanks, David

Thanks for raising the question, we are always looking at the security of our systems and are currently analysing traffic and ciphers used to determine the impact of removing support for TLSv1.0.
Once the analysis has been completed we will let you know the outcome and the decisions we have reached.

Thanks Mark, this is good to hear. Any update on how that analysis is progressing?

Regards, David

Mark, any updates on this? It’s been almost 2 months since I raised this.

Thanks, David

With the new year, has your analysis finished and are you able to conclude anything?

Thanks, David

@MArkWilliams, @mfairhurst Hi, is it possible to get a response to this post please?

Thanks, David

Apologies for the length of time it has taken us to get back to you.
We analysed our customers’ access and found a number still using TLSv1.0.
Those customers were contacted and given notice that support for TLSv1.0 will be withdrawn.
We still have some ‘negotiations’ to complete before we confirm the actual date.
Thank you for your patience.

Mark, thank you very much for this update. I look forward to hearing more from you once any negotiations have completed.

Regards, David

Hi Mark, how are the ‘negotiations’ coming along? I can’t get my work published unless there is an actual date when this will happen, so I would be really grateful if you could share that.

Thanks, David

Hi, is there anyone at Companies House who can comment on this? It’s been a long time.

It has been a long time.
Unfortunately we still have customers who are struggling to get their systems updated, so that we can remove support for 1.0.
We will contact you directly when we have a confirmed date.
There will also be an information message posted on this forum regarding the depreciation of 1.0.
Thank you for your continued patience.

Just to keep you informed on progress…
We intend to ‘retire’ TLSv1.0 on api.companieshouse.gov.uk late next week, Thursday or Friday.
I will let you know the exact date early next week, when I get all the paperwork done.

This has been arranged for Thursday between 10am and 2pm.

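A client-side check that an endpoint really refuses TLS 1.0 after a change like the one announced above. This is an added example, not part of the original thread or any Companies House code; the function names are hypothetical and the host is taken from the command line.

```python
import socket
import ssl
import sys
import warnings

# Versions checked; TLS 1.0 is the one discussed in the thread.
VERSIONS = [ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
            ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3]

def single_version_context(version):
    """Client context that offers exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only "does the handshake complete?" matters here, so certificate
    # checks are off. Never reuse this context for real API traffic.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # Recent OpenSSL clients refuse TLS 1.0/1.1 at the default security
        # level; without this every server would look "fixed".
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx

def probe(host, port, version, timeout=5.0):
    """True: handshake completed; False: refused; None: cannot tell."""
    try:
        ctx = single_version_context(version)
        raw = socket.create_connection((host, port), timeout=timeout)
    except (ValueError, OSError):
        return None  # local OpenSSL lacks this version, or host unreachable
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=host):
            return True
    except OSError:  # includes ssl.SSLError (alert, EOF) and resets
        return False

def audit(host, port=443):
    """Map each version name to its probe result."""
    return {v.name: probe(host, port, v) for v in VERSIONS}

if __name__ == "__main__":
    for name, ok in audit(sys.argv[1]).items():
        print(name, {True: "accepted", False: "refused", None: "unknown"}[ok])
```

A result of `None` for TLSv1 means the local OpenSSL build could not offer that version or the host was unreachable, so it should not be read as the server having dropped support.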