To remain PCI DSS compliant after June 30, 2018, all inbound and outbound DocuSign requests are required to deprecate TLS v1.0 connections along with legacy ciphers as noted in our original end of support notice.

DocuSign Connect listeners that work only with TLS v1.0 will no longer function after DocuSign’s TLSv1.0 deprecation scheduled for June 25, 2018, in our production environment and May 29, 2018, in our demo environment.

For customers using DocuSign Connect listeners, integration owners should ensure that those listeners can work with TLSv1.1 or higher to avoid any service interruptions after TLSv1.0 support ends.

For more information about DocuSign Connect, please visit the DocuSign Connect Guide here.

To ensure smooth DocuSign support deprecation for TLSv1.0, we have changed the effective date for this change. DocuSign will end TLSv1.0 support effective June 25, 2018. Please refer to the original end of support notice for further details.

Visit DocuSign’s System Requirements page for information about browsers supported by DocuSign. These browsers will continue to work after the change.

Following industry best practices, DocuSign will end TLSv1.0 support effective June 30, 2018 June 25, 2018. This date aligns with the deadline the PCI Security Standards Council has set for companies that wish to remain PCI Data Security Standard (PCI DSS) compliant.  Other leading SaaS vendors, including Salesforce, Box, and PayPal, plan to end support for TLSv1.0 in June.

More information is available here: https://blog.pcisecuritystandards.org/are-you-ready-for-30-june-2018-sayin-goodbye-to-ssl-early-tls

In addition to retiring the insecure TLSv1.0 protocol, we will also remove a set of cipher suites which are no longer considered secure. This includes ciphers such as 3DES along with a few others that have an insufficient key length to securely encrypt communications.

The ciphers to be retired include the following:

· TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

· TLS_RSA_WITH_3DES_EDE_CBC_SHA 

· TLS_RSA_WITH_AES_256_GCM_SHA384

· TLS_RSA_WITH_AES_256_CBC_SHA256

· TLS_RSA_WITH_AES_256_CBC_SHA 

· TLS_RSA_WITH_AES_128_GCM_SHA256

· TLS_RSA_WITH_AES_128_CBC_SHA256 

· TLS_RSA_WITH_AES_128_CBC_SHA 

TLSv1.0 and these cipher suites are utilized by a small set of customers to support legacy integrations. These integrations will need to be updated to support secure, modern ciphers and is often as easy as recompiling the solution with updated libraries. The PCI Security Standards Council has published detailed guidance for migration from SSL/early TLS. It is available here: www.pcisecuritystandards.org/documents/Migrating-from-SSL-Early-TLS-Info-Supp-v1_1.pdf

All internet browsers currently supported by DocuSign already default to newer versions of TLS, so this change will go unnoticed by web and mobile users. Please contact DocuSign support with additional questions.

On February 27th, CERT released details about a SAML vulnerability affecting some libraries which may allow an attacker to perform an authentication bypass. More details are available here: https://www.kb.cert.org/vuls/id/475445

Our security and identity teams immediately investigated this issue in our applications and have confirmed that none of our SAML implementations are vulnerable to this attack.

DocuSign has observed a new phishing campaign that began the morning of January 31, 2017 (Pacific Time).

The email purports to come from "Docusign Inc." using the email address [email protected] with the subject “Your document Receipt <numbers> for <name> is ready for signature!”. The email contains a link to a malicious Word document. This email is not sent from DocuSign. Do not click the link in this email, instead please forward it to [email protected] and then delete the email immediately. 

For more information on how to spot phishing please see our Combating Phishing white paper (3.3 MB).