Dropping old TLS versions for your own safety

In 30 days (on March 22nd) we will update our front servers, the ones that route all Internet traffic to your apps hosted on Scalingo, to drop old and insecure versions of TLS.

What will change?

The “S” in HTTPS stands for “Secure”. This added security layer is implemented with the TLS protocol (Transport Layer Security), the successor of SSL (Secure Sockets Layer).

Today, HTTPS connections on Scalingo can use TLS 1.0, 1.1 or 1.2. During the handshake the client (usually a browser) announces the highest version it supports and the server picks the highest version both sides have in common. Every major browser now supports TLS 1.2, so in practice almost all connections already use it.

As of March 22nd, Scalingo will no longer accept connections using Transport Layer Security (TLS) versions older than 1.2. At the same time, we will add support for TLS 1.3.

In addition to removing TLS 1.0 and 1.1, the set of accepted cipher suites will be restricted to the safest algorithms: no SHA-1 based suites and no 3DES (vulnerable to Sweet32). The full list of supported protocols and algorithms can be checked on SSL Labs for https://sample-tls13.scalingo.com

Why do we plan this change?

As Marie Kondo would put it, the objective of cleaning is not just to clean, but to feel happiness living within that environment. And at Scalingo we don’t feel happy when your security is at risk.

Indeed, there have been numerous reports of severe vulnerabilities in SSL and early TLS versions that could put organizations and users at risk, such as BEAST (against the CBC cipher suites of TLS 1.0) and POODLE (against SSL 3.0, with variants hitting some TLS 1.0 and 1.1 implementations). That is why security audits now require that websites be accessed with TLS 1.2 at least.

Given that the majority of browsers support TLS 1.2, we determined that it is safest for our users to require TLS 1.2 to access Scalingo-hosted applications. We are also adding support for the newer TLS 1.3 which, although not yet as widely deployed, offers even tighter security.

How will you be affected?

For the vast majority of users nothing will change at all.

It is possible that some custom client applications (scripts, mobile apps, server-to-server integrations) use an older TLS library that has no TLS 1.2 support. Typical culprits are runtimes built against an OpenSSL older than 1.0.1 (the first release with TLS 1.2), Java 7 clients that do not enable TLS 1.2 by default, and Android versions before 5.0. Those applications will need to be updated to a library that supports TLS 1.2.
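The version negotiation described in “What will change?” and the “does my client library speak TLS 1.2?” question from this section can both be answered with one small probe. The following is an added example written for this page, not Scalingo’s own code: it pins a Python `ssl` client to a single protocol version per handshake and reports who refused, the server (which answers with a TLS alert) or the local OpenSSL build (which, on OpenSSL 3, will not offer TLS 1.0/1.1 at all by default). The default target, `sample-tls13.scalingo.com`, is the hostname mentioned above; the verdict strings and the mapping from OpenSSL error reasons to verdicts are our own assumptions.

```python
"""Probe which TLS versions a server accepts and what the local TLS library can offer.

Added example for this page, not Scalingo's code. The default target is the
sample host named in the announcement; verdict strings are our own.
"""
import socket
import ssl
import sys
import warnings

# Versions to probe: the two being dropped, the new minimum and the new addition.
PROBE_VERSIONS = (
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
)


def local_library_report() -> dict:
    """What this Python/OpenSSL build can speak: the first thing to check on a failing client."""
    return {
        "openssl": ssl.OPENSSL_VERSION,
        "has_tls1_2": ssl.HAS_TLSv1_2,
        "has_tls1_3": ssl.HAS_TLSv1_3,
    }


def make_probe_context(version: ssl.TLSVersion) -> ssl.SSLContext:
    """Client context pinned to exactly one protocol version.

    Certificate verification is disabled on purpose: the probe only asks whether
    the server will negotiate `version`, and a certificate error would otherwise
    be indistinguishable from a version refusal. Never reuse this for real traffic.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        # Python 3.10+ warns when pinning to TLS 1.0/1.1; probing them is the point.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx


def classify_error(exc: BaseException) -> str:
    """Turn a failed handshake into a verdict that says *who* refused the version."""
    text = str(exc).upper()
    if isinstance(exc, ssl.SSLError):
        if isinstance(exc, ssl.SSLEOFError) or "EOF" in text:
            return "connection dropped by server"
        # The server answered with a TLS alert: it is the one saying no.
        if "ALERT_PROTOCOL_VERSION" in text or "ALERT_HANDSHAKE_FAILURE" in text:
            return "rejected by server"
        # Our own OpenSSL would not even offer the version (e.g. OpenSSL 3's default
        # security level disables TLS 1.0/1.1), so this says nothing about the server.
        if ("NO_PROTOCOLS_AVAILABLE" in text or "UNSUPPORTED_PROTOCOL" in text
                or "VERSION_TOO_LOW" in text):
            return "not offered by local library"
        return "handshake failed: " + str(exc)
    if isinstance(exc, ValueError):
        # The minimum_version/maximum_version setter refused the version outright.
        return "not offered by local library"
    if isinstance(exc, (ConnectionResetError, EOFError, socket.timeout)):
        # Some front ends simply drop the connection instead of sending an alert.
        return "connection dropped by server"
    return "error: " + repr(exc)


def probe_server(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """One pinned handshake per version; returns {label: verdict}."""
    results = {}
    for label, version in PROBE_VERSIONS:
        try:
            ctx = make_probe_context(version)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[label] = "accepted (%s with %s)" % (tls.version(), tls.cipher()[0])
        except Exception as exc:  # every failure is a data point here
            results[label] = classify_error(exc)
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "sample-tls13.scalingo.com"
    print("local library:", local_library_report())
    for label, verdict in probe_server(target).items():
        print("%-8s %s" % (label, verdict))
```

Run it as `python tls_probe.py your-app.example.com` (file and host names are placeholders). After the change you would expect TLS 1.0 and 1.1 to come back as “rejected by server” or “connection dropped by server” and 1.2/1.3 as accepted. If the 1.0/1.1 rows say “not offered by local library”, the probe has told you nothing about the server: your own OpenSSL refused to offer those versions, and you need an older client build (or a lowered OpenSSL security level) to confirm the server-side rejection. The same script run on a client machine that fails to reach your app gives the inverse check: a `has_tls1_2` of `False` in the library report means the library itself, not the server, has to be upgraded.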

Photo by Data Gogia on Unsplash