Security Roadmap

Disabling TLS 1.0, TLS 1.1
Monday 18 June 2018 21:00 UTC

For the latest schedule see this notice on our Status page.

HTTPS protocols TLS 1.0 and TLS 1.1 will be disabled, only allowing TLS 1.2 and above for all HTTPS connections to Windcave services.

The deprecation of these cryptographic protocols are due to past found security vulnerabilities and for Windcave to adhere to the Payment Card Industry Security Standards Council rule to no longer support these early TLS cryptographic protocols.

We hope that this change will not cause an inconvenience although at Windcave we take security seriously and these planned changes will not only benefit the internet security of Windcave but also our clients.

If you have any queries about this change please contact us.

To assist merchants with testing and preparation, we have applied this change to our UAT test environment ( since 29 August 2017. To test in this environment please contact our support team for test accounts if required, and use endpoints in place of

Recently completed updates.

SSL Certificate Replacement
8pm Sunday the 23rd of July 2017 UTC

We will be replacing our trusted Public certificate used to secure the API endpoints located at from one trusted certificate provider (Symantec) to another (Digicert) at 8pm Sunday the 23rd of July 2017 UTC

Use the following API that is already using Digicerts certificate chain to test for any potential compatibility issues

Digicert is a prominent globally trusted certificate authority meaning you should not need to make any changes to continue accessing APIs although you should ensure that your environment trusts Digicerts root and subordinate certificate authority to avoid any complications.

If your application needs to explicitly trust the certificates use the following download links.

If you have any queries about this change please contact us

Deprecation of Triple DES (3DES) cipher
8pm Tuesday the 22nd of August 2017 UTC

We will be deprecating the support of the 3DES cipher for encrypting data using a HTTPS connection for all front-end web servers at Windcave at 8pm Tuesday the 22nd of August 2017 UTC.

Referred to as “Sweet32” this “birthday attack” can recover secure http cookies during a long established encrypted 3DES session. These secure cookies once obtained could hold sensitive information such as your personal passwords, credit card information that can be used for fraudulent means.

The impact of this change should be minimal as it currently only affects 1% of all traffic to our web front end servers although please make sure that your systems are not reliant on this cipher for encrypting traffic.

Select the following API for testing 3DES deprecation.

If you have any queries about this change please contact us