We received requests from several customers to extend TLS 1.0 support to provide more time to update their systems. The dates of July 20th 2020 and September 7th 2020, originally published in this article, have been moved to September 15th, 2020.
TLS (formerly named “SSL”) is the cryptographic protocol used to secure web communications (HTTPS). There have been many SSL/TLS versions over the years, each with its own security improvements:
- SSL 2.0, released in 1995 and deprecated in 2011
- SSL 3.0, released in 1996 and deprecated in 2015
- TLS 1.0, released in 1999 and deprecated in 2020
- TLS 1.1, released in 2006 and deprecated in 2020
- TLS 1.2, released in 2008 and the current most-widely-implemented version
- TLS 1.3, released in 2018 and now being implemented by browsers
In accordance with industry best practices, we will be disabling support for TLS version 1.0 in SCORM Cloud on Monday, July 20th 2020. With this, we’ll also be disabling support for clients that don’t support Server Name Indication, as we previously announced four years ago but did not change because of client concerns.
Rustici Software values backwards compatibility for its products and services very highly, and SCORM Cloud is no exception, especially given how widely used it is. However, given that all currently-maintained browser versions support TLS 1.2, as do most application libraries, we feel the time is right to move the security and performance of our systems forward.
Note: If you are an affected customer, your account owners & administrators will be receiving an email from our team.
On Monday, July 20th 2020, if your system or your learners try to connect to SCORM Cloud using SSL 3.0, TLS 1.0, or without Server Name Indication, the connection will fail to establish. For programmatic connections, this may cause exceptions to be thrown; for learners, the browser will display a generic connection error message. Note that learners may originate from your system or via Dispatch.
In other words, to prevent a service interruption, you must ensure both your systems and learners are using TLS 1.1 or newer with Server Name Indication before Monday, July 20th 2020. Notably, this is the default behavior of all currently-supported browsers and application runtimes.
We highly recommend enabling at least TLS 1.2. On Monday, September 7th 2020, we will also disable TLS 1.1 in accordance with industry best practices.
According to Qualys, as many as 40% of the world’s top websites have already disabled TLS 1.0. So, in practice we expect very little impact to end-users/learners in particular. Furthermore, by mid-2020, all major browser vendors have agreed to disable TLS 1.0 and 1.1 by default.
We recommend using the badssl.com site to test your system’s tolerance for TLS 1.2 using this endpoint. As above, we highly recommend ensuring your system can use TLS 1.2, as it’s the most secure version of TLS currently available for broad use, and we will likely disable TLS 1.1 in the latter half of 2020. (Most systems that support TLS 1.1 also support 1.2.)
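For programmatic clients, both requirements (protocol version and Server Name Indication) are visible in the ClientHello the client sends. The following is an added example, not Rustici Software code: it uses Python's `ssl` module to produce the ClientHello the local runtime would send, without opening a network connection, and checks it against the TLS 1.2 plus SNI recommendation. The hostname `cloud.example.test` and all function names are placeholders chosen for illustration.

```python
import ssl
import struct

TLS1_2 = 0x0303  # wire value for TLS 1.2 (TLS 1.1 is 0x0302, TLS 1.0 is 0x0301)

def capture_client_hello(hostname, min_version=ssl.TLSVersion.TLSv1_2):
    """Return the raw ClientHello record this runtime would send (no network I/O)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the client is now waiting for a ServerHello
    return outgoing.read()

def parse_client_hello(record):
    """Extract the offered protocol versions and SNI hostname from a ClientHello."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9  # skip the 5-byte record header and 4-byte handshake header
    legacy_version = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32  # legacy_version, random
    pos += 1 + record[pos]  # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher_suites
    pos += 1 + record[pos]  # compression_methods
    versions, sni = [legacy_version], None
    if pos < len(record):  # extensions are optional before TLS 1.3
        end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack_from("!HH", record, pos)
            body = record[pos + 4 : pos + 4 + ext_len]
            if ext_type == 0:  # server_name: list_len(2) type(1) name_len(2) name
                name_len = struct.unpack_from("!H", body, 3)[0]
                sni = body[5 : 5 + name_len].decode("ascii")
            elif ext_type == 43:  # supported_versions: len(1), then 2-byte versions
                versions = list(struct.unpack_from("!%dH" % (body[0] // 2), body, 1))
            pos += 4 + ext_len
    return {"versions": versions, "sni": sni}

def meets_policy(hello, minimum=TLS1_2):
    """True if the client offers at least `minimum` and sends Server Name Indication."""
    return max(hello["versions"]) >= minimum and hello["sni"] is not None

if __name__ == "__main__":
    hello = parse_client_hello(capture_client_hello("cloud.example.test"))
    print(hello, "OK" if meets_policy(hello) else "WOULD FAIL")
```

The same `parse_client_hello` function can be applied to a ClientHello record taken from a packet capture of a non-Python client.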
If your system can’t be upgraded in a timely manner for some reason, please contact us at firstname.lastname@example.org and we’ll do our best to work with you. As the Server Name Indication (SNI) announcement goes to show, we’re willing to go to great lengths for our customers.
As above, if you are an affected customer, your account owners & administrators will be receiving an email from our team based on recent log analysis.