MyTimetable 3.6 release notes

MyTimetable 3.6 contains various security and privacy enhancements. After customer enquiries about the iCalendar feeds being transmitted over an insecure channel, we have made various changes to ensure these are transmitted over secure channels. Customers need to be aware that some of these changes require more steps from the user when adding iCalendar feeds, and any custom user manuals need to be updated. This version also removes support for Internet Explorer versions before 11.

All work involved in upgrading to the latest MyTimetable version (configuration, building, testing) is free of charge for our customers with a Software Assurance or All-In support agreement.

Functional changes

• Insecure iCalendar feed requests redirected to HTTPS — When requesting an iCalendar feed over an insecure channel, a permanent HTTP redirect is used to redirect users to a secure URL. Apple Calendar and iPhone clients will continue to use this secure URL in the future. If customers want to force users of other applications to update their URLs, this redirect can be disabled. As that requires action from all users (in some instances more than 50% of the users), we decided to leave this redirect in place by default.
• Replaced automatic (webcal://-based) iCalendar feed dialogs with manual instructions — The 'automatic' iCalendar additions used a webcal://-'protocol handler'. This uses the insecure HTTP protocol underneath, and for that reason we have removed these dialogs. The dialogs have been replaced with manual instructions on adding the iCalendar feeds to the various applications.
  
• Added iCal-export options for Outlook.com and Office 365 — Outlook.com and Office 365 do support automatic addition of secure iCalendar feeds, and we have added dialogs for these applications.
• Updated help page — The help page has been updated to reflect the new iCalendar connection methods. The Excel export was also added to this page.
• Removed alarm support in iCalendar feeds — Most, if not all, clients ignore any alarms in iCalendar feeds. To avoid any confusion and to make the iCalendar dialogs clearer, we have removed the alarm support from the feeds.
• Event type added to title of iCalendar events (optional) — MyTimetable can now add the event type to the title of iCalendar events. This is an optional, global setting.

Non-functional, technical and back-end changes

The following changes have been made to the MyTimetable backend and underlying software, and have no direct impact on MyTimetable functionality:

• HSTS header added — All secure requests will now include a HTTP Strict Transport Security header requesting the browser to only use secure connections and never use insecure connections. This prevents 'SSL-stripping' and other man-in-the-middle attacks. The header includes a lifetime of 1 year by default. If, for any reason, a customer wishes to use their MyTimetable domain with insecure connections in the future, this header should be disabled.
• Improved Office 365 / Exchange / Google Calendar removed user handling — Synchronisations of users that were removed are now correctly disabled.
• Google Calendar API update — Synchronisations are now using the new Google Calendar batch API. The old API will function until the beginning of 2019.
• Database performance updates — The Syllabus Plus data provider now uses fixed batch sizes, to improve query plan caching.
• Dependency upgrades:
  • GWT (2.8.2)

Removed and deprecated features

The following features from earlier MyTimetable versions have been deprecated, removed, or partially removed and are not supported anymore:

• Internet Explorer 8, 9 and 10 support removed — Microsoft has ceased support for these browsers in January 2016. Also, according to our web analytics, these browsers are not in use anymore. Visitors using these browser versions will be redirected to a page asking them to upgrade their browser.