Updated: June 14, 2018 (changes to the previously published schedule)
Maintaining security and trust with our customers is paramount to us. As such, Twilio has two notable security changes coming up for our REST API:
- August 15, 2018: Updating our certificate with our new root authority
- June 2019: Disabling support for TLS 1.0 & 1.1 and weak cipher suites
Updating our root authority, August 15, 2018
Twilio has used Thawte, recently acquired by Digicert from Symantec, to sign our TLS/SSL certificates. As a result of this acquisition, Thawte has retired their Certificate Authority certificates and intermediates. Many members of the CA/Browser Forum including Google, Microsoft, and Mozilla will be ceasing trust for certificates signed by the legacy Thawte authority. To remain available and trusted, the Twilio API will be using a new certificate signed by the root authority DigiCert.
The vast majority of customers already support this new root certificate, but you may test your integration with this new certificate until August 15, 2018, by following this procedure: Monitoring Updates to Twilio REST API SSL Certificates.
Disabling TLSv1.0, TLSv1.1 and weak ciphers, June 2019
In order to give ample time to execute the TLS upgrade, we are providing a full year for customers to prepare for the change.
Here are the details of what is being changed:
- Disabling support for TLS 1.0 and 1.1
We will disable TLS 1.0 and 1.1 support from the API. Security best practices strongly advise against the use of TLS 1.0 and 1.1 for secure communications on the web. As a consequence, the Twilio API will no longer support SSL or early TLS before version 1.2.
- Disabling weak cipher suites
To maintain the highest security standard, Twilio's API will disable weak encryption cipher suites from encrypting API requests to Twilio. Current security standards classify some of the cipher suites available for TLS 1.2 as weak. Although there has not been a breach or exploit, the security industry does not recommend their use for encrypting communications on the web.
You may begin testing TLS and cipher changes after August 15, 2018. We will then ensure port 8443 is updated with exclusive support for TLS 1.2 and strong cipher suites, in addition to the new DigiCert root certificate. (If you already tested successfully between May 9, 2018 and June 14, 2018, you do not need to retest.)
We strongly encourage you to test your integration with Twilio using that port to avoid any unexpected problems.
More information about testing your integration with Twilio on port 8443 can be found here: Monitoring Updates to Twilio REST API SSL Certificates.
If you have additional questions about these changes, please review our FAQ.