Important Updates about TLS v1.0/v1.1, Unencrypted HTTP Requests, and the Legacy minFraud SOAP API

In the coming months, we will be retiring the following:

  1. TLS v1.0 and 1.1 support across MaxMind products and services (October 16, 2019);
  2. Unencrypted HTTP requests to our legacy minFraud services (October 16, 2019); and
  3. The legacy minFraud service SOAP API (January 31, 2020).

Read on below for more information. MaxMind is deeply committed to information security and protecting customer data, and taking these steps will allow us to ensure your data is as safe and secure as possible. If you have any questions, please do not hesitate to contact us.

***PLANNED INTERRUPTION***
On September 25, 2019 we will interrupt requests (as a warning) for up to 8 hours from 14:00-22:00 UTC (10:00am-6:00pm US Eastern time). During the interruption, requests using TLS v1.0 and v1.1 and unencrypted requests to legacy minFraud endpoints will fail with an error.


TLS v1.0 and v1.1

Transport Layer Security (TLS) is a cryptographic protocol for securing communications between systems. Older versions of TLS (1.0 and 1.1) have many serious vulnerabilities and expose communications to the possibility of data breach. Retirement of older TLS is a coordinated effort across many industries.

What does this mean for me?

If you are using TLS v1.0 or 1.1 to connect to MaxMind services (including GeoIP database downloads) as of April 1, 2019, we will email you during the week of April 15, 2019 to inform you and provide you with more information. If you are not sure how to proceed, please forward this information to the individual(s) responsible for your MaxMind integration. Depending on your technology stack, you may need to upgrade some part of your stack to a later version, or you may need to make code changes. The retirement date for TLS v1.0/v1.1 is October 16, 2019.

Hostnames for testing

We have made test hostnames available for you to point your integration to in order to test TLS v1.2 or greater connections. For GeoIP endpoints, the hostname geoip.maxmind-test.com can be used, and for minFraud endpoints minfraud.maxmind-test.com can be used. Both hostnames require TLS v1.2 or greater for HTTPS connections. Unencrypted HTTP connections to legacy minFraud endpoints on minfraud.maxmind-test.com will return a 403 (Forbidden) HTTP status code. You can use your MaxMind credentials to connect and you will receive real responses. Requests will be charged the same as you pay on our production infrastructure. Following the TLS v1.0/v1.1 retirement these test hostnames will no longer be available.

If you have any questions at all, please do not hesitate to contact us.


HTTP Requests to Legacy minFraud Services

HTTP requests are unencrypted, and because requests to our legacy minFraud services may contain sensitive data, we will no longer support these types of requests. Our newer minFraud services already require HTTPS requests.

What does this mean for me?

If you are sending us HTTP requests to our legacy minFraud service, we will email you during the week of April 15, 2019 to inform you and provide you with more information. You will need to update your integration to use HTTPS with TLS v1.2 or greater. If you are not sure how to proceed, please forward this information to the individual(s) responsible for your MaxMind integration. The retirement date for HTTP requests to legacy minFraud services is October 16, 2019.

Affected URLs

Below is a list of affected (legacy minFraud service) URLs:

*.maxmind.com/app/ccv2r
*.maxmind.com/app/minfraud_soap
*.maxmind.com/app/fast_proxy
*.maxmind.com/app/bin_http
*.maxmind.com/app/ipauth_http

We also highly recommend that our GeoIP customers use HTTPS instead of HTTP.
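
An added example (not MaxMind's code) that audits an integration's configured endpoints against the affected-URL list above and builds a client context that refuses anything below TLS v1.2. The function names are hypothetical and the sample URLs are constructed for illustration.

```python
import ssl
from fnmatch import fnmatch
from urllib.parse import urlsplit

# Legacy minFraud paths, taken from the affected-URL list above.
LEGACY_PATHS = {"/app/ccv2r", "/app/minfraud_soap", "/app/fast_proxy",
                "/app/bin_http", "/app/ipauth_http"}

def audit_url(url):
    """Return the retirement findings for one configured endpoint URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if not fnmatch(host, "*.maxmind.com"):
        return []  # not a MaxMind endpoint
    path = parts.path.rstrip("/")
    findings = []
    if parts.scheme == "http":
        if path in LEGACY_PATHS:
            findings.append("unencrypted legacy minFraud request: "
                            "retirement date October 16, 2019")
        else:
            findings.append("unencrypted request: HTTPS recommended")
    if path == "/app/minfraud_soap":
        findings.append("legacy minFraud SOAP API: "
                        "retirement date January 31, 2020")
    return findings

def audit(urls):
    """Map each flagged URL to its findings; clean URLs are omitted."""
    return {u: f for u in urls if (f := audit_url(u))}

def tls12_context():
    """Client context that refuses to negotiate below TLS v1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

# Constructed sample configuration (not taken from the page).
SAMPLE_CONFIG = [
    "http://minfraud.maxmind.com/app/ccv2r",
    "https://minfraud.maxmind.com/app/minfraud_soap",
    "https://minfraud.maxmind.com/app/ipauth_http",
    "http://geoip.maxmind.com/geoip/v2.1/city/me",
]

if __name__ == "__main__":
    for url, findings in audit(SAMPLE_CONFIG).items():
        print(url, "->", "; ".join(findings))
```

Pass the context from `tls12_context()` to your HTTPS client so a handshake below TLS v1.2 fails locally instead of at the server.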

If you have any questions at all, please do not hesitate to contact us.


Legacy minFraud SOAP API

In order to provide you with a better overall service experience, we are focusing our development efforts on our newer, more modern APIs. As part of this effort, we are discontinuing the SOAP API for our legacy minFraud service. Other client APIs for legacy minFraud services will continue to be supported.

What does this mean for me?

If you are using our SOAP API to connect to our minFraud service, we will email you during the week of April 15, 2019 to inform you and provide you with more information.

To move off the SOAP API, you will need to change your integration to either:

If you are not sure how to proceed, please forward this information to the individual(s) responsible for your MaxMind integration. The retirement date for the legacy minFraud SOAP API is January 31, 2020.

Timing with older TLS retirement

Please note that the retirement dates for TLS v1.0/v1.1 and HTTP requests to legacy minFraud services are earlier than the retirement date for the SOAP API. As a result, we recommend moving off the legacy minFraud SOAP API and upgrading to TLS v1.2 or higher at the same time (and prior to October 16, 2019).

If you need to continue using SOAP after October 16, 2019 until January 31, 2020, you will need to either (1) upgrade to version 15, available at https://www.maxmind.com/wsdl/minfraud-soap-15.wsdl; or (2) override the URL used by your current WSDL file to force it to use HTTPS.

If you have any questions at all, please do not hesitate to contact us.


Timeline

Week of April 15, 2019: We will inform affected accounts (as of April 1, 2019) via email
Week of July 29, 2019: Planned interruption of TLS v1.0 and 1.1 connections & minFraud HTTP requests
August 28, 2019: 2nd planned interruption of TLS v1.0 and 1.1 connections & minFraud HTTP requests
September 25, 2019: 3rd planned interruption of TLS v1.0 and 1.1 connections & minFraud HTTP requests
October 16, 2019: TLS v1.0 and v1.1, and minFraud HTTP requests no longer supported
January 31, 2020: Legacy minFraud SOAP API discontinued

If you have any questions, please do not hesitate to contact us.