To align with best practices and with our rigorous focus on keeping our customers' data safe and secure, we are planning to roll out a number of security changes to the FORM.com / Key Survey platform. We have made every effort to ensure that the changes are implemented seamlessly. However, some of the security changes may affect users on older operating systems and browsers, as well as API integrations and customizations that our customers may have created inside their forms and surveys. We encourage our customers to read the information below carefully, and please do not hesitate to reach out to support if you have any questions.
Automatically encrypting all data in transit
Starting May 11, 2021, we will automatically encrypt all web traffic coming to app.form.com, app.keysurvey.com and private label domains hosted on the Form.com / Key Survey platforms. This will ensure that the data sent from the users, whether it is being sent from the browser, the mobile app or the API, cannot be intercepted or read as it is being sent across the internet.
Any request made to http://app.form.com, http://app.keysurvey.com and the private label domains hosted on the Form.com / Key Survey platform over an unencrypted HTTP connection will be automatically redirected to an encrypted HTTPS connection. Whenever a request is made to an http://... link, the server will respond with HTTP status code 302, instructing the client (a browser or an API client) to redirect to https://.... This redirect will apply to admin pages of the applications, form and survey URLs, report URLs, dashboard URLs, API endpoints, etc. For older forms, surveys and reports that were launched with the Non-Secure URL type, the URL Type will be automatically changed to 'Secure', which means that any launch emails, reminders and email alerts sent after the May 11 release will contain 'https' links instead of 'http'.
Non-secure content in forms, surveys and reports
If you have an integration that connects to Form.com / Key Survey using the SOAP API, note that some API implementations will not automatically follow the redirect response from the server (HTTP code 302), which means that API connections using the 'HTTP' protocol instead of 'HTTPS' can stop working. Most of the modern API libraries will follow the redirects automatically, but older versions of JAX-WS and Axis2 for Java and the Microsoft .NET implementations of the web service clients may not follow the redirects. To make sure the error does not occur in your API implementation, please review it and make sure the API is pointing to the WSDL endpoints using the secure HTTPS link. For example: https://app.form.com/Member/api/v81/form/result/FormResultManagementService?wsdl, with the 'https' protocol specified instead of 'http'.
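One way to carry out this review, as an added example that is not part of the original announcement or of the Form.com / Key Survey API: the Python script below scans integration settings for http:// links to the platform hosts and proposes the https:// form. The sample settings, the placeholder service path and the function names are constructed for illustration; add your private label domain to the host set.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Hosts named in the announcement; add your private label domain here.
PLATFORM_HOSTS = {"app.form.com", "app.keysurvey.com"}
URL_RE = re.compile(r"http://[^\s\"'<>]+", re.IGNORECASE)

# Constructed sample settings (the second path is a placeholder, not a real service).
SAMPLE_CONFIG = """\
# constructed sample integration settings
results.wsdl=http://app.form.com/Member/api/v81/form/result/FormResultManagementService?wsdl
survey.wsdl=HTTP://APP.KEYSURVEY.COM:80/placeholder/ExampleService?wsdl
ok.wsdl=https://app.form.com/Member/api/v81/form/result/FormResultManagementService?wsdl
other=http://app.form.com.example.net/not-ours
"""


def to_https(url):
    """Return the https:// form of an http:// URL, or None if it needs manual review."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:
        return None  # malformed port
    if port not in (None, 80):
        return None  # non-default port: the matching HTTPS port is unknown
    host = parts.hostname or ""
    return urlunsplit(("https", host, parts.path, parts.query, parts.fragment))


def find_insecure_endpoints(text, hosts=PLATFORM_HOSTS):
    """Return (line_no, url, suggested_https_url) for http:// links to platform hosts."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in URL_RE.finditer(line):
            url = match.group(0).rstrip(".,;)")
            host = (urlsplit(url).hostname or "").lower()
            # Exact host match, so look-alikes such as app.form.com.example.net are skipped.
            if host in hosts:
                findings.append((line_no, url, to_https(url)))
    return findings


if __name__ == "__main__":
    for line_no, url, fixed in find_insecure_endpoints(SAMPLE_CONFIG):
        print(f"line {line_no}: {url}\n  -> {fixed or 'review manually'}")
```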
Disabling weak ciphers for encryption in transit
In order to ensure that the connections to our servers are safe and secure, we will be disabling support for some of the weaker ciphers and encryption protocols that are known to be vulnerable to various types of security attacks.
The web server will only allow connections that use TLS 1.2 or higher for HTTPS encrypted connections. Connections that use older protocol versions (such as SSL 3.0, TLS 1.0, TLS 1.1) will not be accepted.
Some of the older operating systems and browsers do not support TLS 1.2 and higher. This means that clients using these operating systems and browsers will no longer be able to connect to Form.com and Key Survey. Here is the list of operating systems, browsers and libraries that will no longer be supported after the May 11, 2021 release.
- Internet Explorer version 10 and lower on all versions of Windows
- Windows Vista, Windows XP and lower
- Android 4.4.4 and lower
- Mac OS X 10.8 and lower
- Microsoft .NET 4.5.x and lower
- OpenSSL 1.0.0 and lower
Please review the devices that you or your customers use to connect to Form.com or Key Survey. Let us know if you have a concern.