
SSL Changes and Your Harvest Account


I don’t know about you, but I don’t spend much time thinking about that little green lock icon in my browser’s address bar. To me, it means my browser trusts the website I’m on and I can live without fearing that some internet baddie is going to steal my data. I leave it to much smarter people than myself to determine what defines that trustworthiness.

That little green lock means the site you are on is using SSL and that all data is encrypted before transfer. Encrypted data can only be read by someone with a specific key and, in the case of a website, this key is stored in something called an SSL Certificate. These certificates are the way browsers verify that the person you’re sending your data to is exactly who you expect it to be.

It might surprise you to learn that the hashing algorithm (called SHA-1) used to sign many SSL certificates is no longer considered safe. SHA-1 has long been the standard for signing SSL certificates, but the steady advances in computer power mean that it is no longer up to the challenge of keeping attackers at bay. Fortunately, a new standard (called SHA-2) is already available and compatible with all modern web browsers and operating systems.

Changes Coming to Harvest

In the coming weeks, Harvest is going to significantly improve our security by upgrading our SSL Certificate to use SHA-2. For most customers, this change will be completely transparent. That is, when Harvest switches certificates, you won’t even notice that it’s happened.

For a very small percentage of our customers, this change is going to render Harvest totally inaccessible. Unfortunately, it’s not possible to make this change in a way that works with very old software. For those customers, the only way to continue using Harvest will be to upgrade their browser or operating system.

What You Need to Do

Testing your browser for SHA-2 compatibility
If this message fails to change after a few seconds, this post may affect you.
If you’re using an RSS reader or reading this in email, try viewing it on the web.

If the box above is green, you’re using a modern web browser and don’t need to make any changes.

If the box above is gray or red, you’ll need to upgrade your software. If you need help, just contact our Harvest Experts and they’ll get you upgrade advice based on your platform.

We know that there are many customers whose companies require them to use specific software, and we always take this into consideration when deprecating support for certain browsers. In this case, we believe that the security of your account takes priority, and are making changes to ensure that Harvest continues to provide the safest experience. Let us know if you have any questions!


This was posted in Product News.
  • Good news.

    BTW, “These certificates are the way browsers verify that the person you’re sending your data to is exactly who you expect it to be.”

    Actually, not quite.

    The certs are used to encrypt data passed between the parties. This means an entity “tapping” into the transmission has access to encrypted data, which is a good thing.

    But certifying that the party at the other end from you is actually who and what they claim to be is another facet of security; certs don’t cover that.

  • @KevinM you’re right. We simply meant that the verification process from the SSL certificate issuer verifies that the person requesting the SSL certificate has control of the domain(s) for which the SSL certificate is being issued. Getting into the nuance of how SSL certs play their role in identifying websites in such a short post is tricky, though. We wrote this post with a non-expert reader in mind with the hopes that they’d have a basic understanding of why this change was important.

    Thanks for keeping us honest. :)

  • Please upgrade certificates as soon as possible.

    My client site recently upgraded browsers and at the moment I’m unable to access my company’s Harvest timesheet system:


    The server rejected the handshake because the client downgraded to a lower TLS version than the server supports. (Error code: ssl_error_inappropriate_fallback_alert)

    Thanks

  • @David it sounds like you might have been downgraded to an older browser with out-of-date SSL support. Harvest’s pending certificate upgrade won’t help that problem. Can you contact me at support@harvestapp.com so we can get to the bottom of why you’re seeing that message?

  • @KevinM SSL certificates can cover the identity check of the website owner. But Harvest is making a mistake and only uses a domain-validated SSL certificate. It would be better to get an EV version, in which the company name will appear in the browser. However, due to the high security level of the SSL, that is not possible for the wildcard solution.

    There is an OV (organization validated) SSL which is also possible with a wildcard domain. The company (Chamber of Commerce) + domain + the requester of the SSL will be validated. So you know that the data is really sent to the website owner which is claiming to be the owner.

    It is a big mistake and Harvest should change their security policy in getting this higher grade of SSL security. SSL is not only for encrypting but also validating and trust.

    @Patrick, so let’s get working.

  • @Mike As you mentioned, EV certs are not possible with a wildcard solution and this is a deal breaker for Harvest. Every Harvest account is accessed via a URL that begins with your company name (e.g. sterlingcooper.harvestapp.com) so it simply isn’t possible to make this work today. Perhaps a future offering will make this change possible. Until then, it’s something we keep an eye on. Thanks!

Comments have been closed for this post.