To align with best practices and with our rigorous focus on keeping our customers' data safe and secure, we are planning to roll out a number of security changes to the FORM.com / Key Survey platform. We have made every effort to ensure that the changes are implemented seamlessly. However, some of the security changes may affect users on older operating systems and browsers, API integrations, and customizations that our customers may have created inside their forms and surveys. We encourage our customers to read the information below carefully. Please do not hesitate to reach out to support if you have any questions.

Automatically encrypting all data in transit

Starting May 11, 2021, we will be automatically encrypting all web traffic coming to app.form.com, app.keysurvey.com and private label domains hosted on the Form.com / Key Survey platforms. This will ensure that data sent by users, whether from the browser, the mobile app or the API, cannot be intercepted or read as it is sent across the internet.

Implementation details

Any request made to http://app.form.com, http://app.keysurvey.com or a private label domain hosted on the Form.com / Key Survey platform over an unencrypted HTTP connection will be automatically redirected to an encrypted HTTPS connection. Whenever a request is made to an http://... link, the server will respond with HTTP status code 302, instructing the client (a browser or an API client) to redirect to https://... This redirect will apply to admin pages of the applications, form and survey URLs, report URLs, dashboard URLs, API endpoints, etc. For older forms, surveys and reports that were launched with the Non-Secure URL type, the URL Type will be automatically changed to 'Secure', which means that any launch emails, reminders and email alerts sent after the May 11 release will contain 'https' links instead of 'http'.

Possible impact

Non-secure content in forms, surveys and reports

Users accessing any links using their web browsers or mobile apps will not notice the change, as the browser will automatically redirect such users to the secure https connection. However, if your form, survey or report includes content (such as an image, CSS or JavaScript file) from a non-secure website (via an http:// link), this content will not be loaded when the survey, form or report is opened. The browser will show a warning, informing the users that the page they are opening has non-secure content in it. Although the end users may allow the browser to load the non-secure content, we recommend including secure links to images, CSS files and JavaScript files hosted externally.
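One way to audit custom form, survey or report markup for the non-secure references described above before the change takes effect. This is an added example, not FORM.com / Key Survey code; the function and class names, the tag list and the sample markup (placeholder hosts) are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes the browser fetches as subresources; <a href> is navigation, not flagged.
FETCHED = {"img": ("src", "srcset"), "source": ("src", "srcset"), "script": ("src",),
           "iframe": ("src",), "video": ("src", "poster"), "audio": ("src",),
           "embed": ("src",), "object": ("data",), "input": ("src",)}
LINK_RELS = {"stylesheet", "icon", "preload"}  # <link href> is fetched for these rels
CSS_URL = re.compile(r"(?:url\(\s*|@import\s+)['\"]?(http://[^\s'\")]+)", re.I)

def http_urls(name, value):  # srcset holds several comma-separated candidates
    parts = value.split(",") if name == "srcset" else [value]
    urls = [p.split()[0] for p in parts if p.strip()]
    return [u for u in urls if u.lower().startswith("http://")]

class MixedContentFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self.in_style = [], False  # findings: (line, where, url)

    def handle_starttag(self, tag, attrs):
        attrs = {k: v or "" for k, v in attrs}
        line, self.in_style = self.getpos()[0], tag == "style"
        fetched_link = tag == "link" and LINK_RELS & set(attrs.get("rel", "").lower().split())
        names = ("href",) if fetched_link else FETCHED.get(tag, ())
        for name in names:
            for url in http_urls(name, attrs.get(name, "")):
                self.findings.append((line, f"{tag}[{name}]", url))
        for url in CSS_URL.findall(attrs.get("style", "")):
            self.findings.append((line, f"{tag}[style]", url))

    def handle_endtag(self, tag):
        self.in_style = False  # inside <style> the only end tag seen is </style>

    def handle_data(self, data):
        for m in CSS_URL.finditer(data if self.in_style else ""):
            line = self.getpos()[0] + data[:m.start()].count("\n")
            self.findings.append((line, "style", m.group(1)))

def find_insecure_content(html):
    finder = MixedContentFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample of custom form markup; all hosts are placeholders.
SAMPLE = """<link rel="stylesheet" href="http://cdn.example.com/theme.css">
<img src="https://cdn.example.com/logo.png" srcset="http://cdn.example.com/logo2x.png 2x">
<a href="http://www.example.com/help">Help</a>
<style>.banner { background: url(http://img.example.com/bg.jpg); }</style>"""
```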

API connections

If you have an integration that connects to Form.com / Key Survey using the SOAP API, note that some API implementations will not automatically follow the redirect response from the server (HTTP code 302), which means that API connections using the 'HTTP' protocol instead of 'HTTPS' can stop working. Most modern API libraries will follow redirects automatically, but older versions of JAX-WS and Axis2 for Java and the Microsoft .NET implementations of web service clients may not follow the redirects. To make sure the error does not occur in your API implementation, please review it and make sure the API is pointing to the WSDL endpoints using the secure HTTPS link. For example: https://app.form.com/Member/api/v81/form/result/FormResultManagementService?wsdl, with the 'https' protocol specified instead of 'http'.

Disabling weak ciphers for encryption in transit

In order to ensure that the connections to our servers are safe and secure, we will be disabling support for some of the weaker ciphers and encryption protocols that are known to be vulnerable to various types of security attacks. 

Implementation details

The web server will only allow connections that use TLS 1.2 or higher for HTTPS encrypted connections. Connections that use older protocol versions (such as SSL 3.0, TLS 1.0, TLS 1.1) will not be accepted.

Possible impact

Some older operating systems and browsers do not support TLS 1.2 and higher. This means that clients using these operating systems and browsers will no longer be able to connect to Form.com and Key Survey. Here is the list of operating systems, browsers and libraries that will no longer be supported after the May 11, 2021 release.

  • Internet Explorer version 10 and lower on all versions of Windows
  • Windows Vista, Windows XP and lower
  • Android 4.4.4 and lower
  • Mac OS X 10.8 and lower
  • Microsoft .NET 4.5.x and lower
  • OpenSSL 1.0.0 and lower

Please review the devices that you or your customers use to connect to Form.com or Key Survey. Let us know if you have a concern.