Removing Support for SSL v3
This advisory pertains to ZipDX customers who use our API to integrate ZipDX services with their own software systems. We plan to remove support for SSLv3 on November 15, 2014. Please make sure you are communicating with our servers using at least TLSv1 prior to that date.
SSLv3, a technology more than fifteen years old, has insurmountable security issues (CVE-2014-3566). The POODLE attack, as it is being called, exploits a vulnerability in SSLv3, and it affects not only clients that use SSLv3 but also any web client that will accept a downgrade to it.
We have already implemented the new TLS_FALLBACK_SCSV indicator on our servers, but only Google’s Chrome has so far implemented it on the client side. All clients ought to disable SSLv3 on their side, but in order to secure our users’ communications, we will be disabling SSLv3 permanently on November 15th, 2014.
API clients are strongly encouraged to ensure they are using the strongest SSL ciphers with TLSv1.2 (but at least TLSv1). After this change is made, an API client that can only communicate via SSLv3 will fail to complete the handshake with our servers.
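To find out before the cutoff whether one of your own API clients falls into that group, you can classify the ClientHello it sends, for example from a packet capture of your integration. The following is an added example, not ZipDX code; `build_hello` and the sample hellos in it are constructed for illustration, and the verdict strings are this example's own wording.

```python
import struct

SSL3, TLS10, TLS12 = 0x0300, 0x0301, 0x0303
TLS_FALLBACK_SCSV = 0x5600  # signalling cipher suite value from RFC 7507
NAMES = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

def parse_client_hello(record: bytes) -> dict:
    """Extract client_version and cipher suites from one ClientHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    body = record[5:5 + rec_len]
    if ctype != 0x16 or len(body) != rec_len or rec_len < 4 or body[0] != 0x01:
        raise ValueError("not a complete ClientHello record")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    (version,) = struct.unpack("!H", hello[:2])
    pos = 2 + 32                    # skip client_version and random
    pos += 1 + hello[pos]           # skip session_id length byte and session_id
    cs_len = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + cs_len]
    if len(hello) < pos + 2 or len(raw) != cs_len or cs_len % 2:
        raise ValueError("malformed cipher suite list")
    suites = list(struct.unpack("!%dH" % (cs_len // 2), raw))
    return {"version": version, "suites": suites}

def classify(record: bytes) -> tuple:
    """Return (offered version name, verdict) for one captured ClientHello."""
    info = parse_client_hello(record)
    version = info["version"]
    if version <= SSL3:
        verdict = "will fail after SSLv3 removal"
    elif TLS_FALLBACK_SCSV in info["suites"]:
        verdict = "downgraded retry (TLS_FALLBACK_SCSV present)"
    elif version < TLS12:
        verdict = "ok, but upgrade to TLSv1.2"
    else:
        verdict = "ok"
    return NAMES.get(version, hex(version)), verdict

def build_hello(version: int, suites: list) -> bytes:
    """Build a minimal ClientHello record; used only for constructed samples."""
    cs = struct.pack("!%dH" % len(suites), *suites)
    hello = (struct.pack("!H", version) + bytes(32) + b"\x00"
             + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake
```

A client that shows up as a downgraded retry was able to speak a newer version on its first attempt, so the thing to investigate is why that first handshake failed.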
For more information about the POODLE attack, see:
https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
Posted in: Technical Advisory