The following is a series of service advisories relating to the ongoing evolution of ZipDX. These details are mostly of interest to partners that access the service through our web API.
October 21, 2014: Removing Support for SSL v3
SSLv3, a protocol more than fifteen years old, has insurmountable security issues (CVE-2014-3566). The POODLE attack, as it is being called, exploits a weakness in SSLv3 itself, but it also reaches every web client that can be talked into falling back to SSLv3 when an attacker interferes with its TLS handshake.
We have already implemented the new TLS_FALLBACK_SCSV indicator on our servers, but so far only Google's Chrome has implemented it on the client side, so the indicator alone cannot protect most users. All clients ought to disable SSLv3 on their side, but to secure our users' communications we will be disabling SSLv3 permanently before the end of October.
API clients are strongly encouraged to negotiate TLSv1.2 with strong cipher suites; TLSv1.0 is the minimum that will still be accepted. Once this change is made, an API client that can only speak SSLv3 will fail to complete the handshake with our servers.
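As an added example (not ZipDX code), the following shows what "no SSLv3, TLSv1.2 preferred" looks like in a Python API client, together with a probe that reports what a server actually negotiates. The host name passed to probe_server() is a placeholder; the tier names (forbidden, legacy, recommended) are this example's own labels for the protocol versions the advisory discusses.

```python
import socket
import ssl

# Added example, not ZipDX code. Builds a client TLS context that can never
# fall back to SSLv3 and prefers TLS 1.2, then checks what a server negotiates.
# The host used in probe_server() is a placeholder you supply.

RECOMMENDED = {"TLSv1.2", "TLSv1.3"}   # what the advisory asks for
LEGACY = {"TLSv1", "TLSv1.1"}          # still accepted after the change, but weak
FORBIDDEN = {"SSLv2", "SSLv3"}         # will no longer complete a handshake at all


def make_client_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Client context that cannot negotiate SSLv3.

    PROTOCOL_TLS_CLIENT already requires a valid certificate and checks the
    hostname. The advisory's floor is TLS 1.0; pass minimum=ssl.TLSVersion.TLSv1
    only for a server that genuinely cannot do better.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # OP_NO_* flags are the pre-1.1.0 OpenSSL way to pin the floor; keeping
    # them alongside minimum_version is harmless on newer builds.
    ctx.options |= ssl.OP_NO_SSLv2 | ssl.OP_NO_SSLv3
    ctx.minimum_version = minimum
    # Forward-secret AEAD suites first; drop anonymous, null, RC4, MD5 and 3DES.
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    ctx.load_default_certs()
    return ctx


def context_summary(ctx):
    """Plain-data view of the settings that matter for this advisory."""
    return {
        "no_sslv3": bool(ctx.options & ssl.OP_NO_SSLv3),
        "minimum": ctx.minimum_version.name,
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


def classify_version(version):
    """Map the string from SSLSocket.version() onto the advisory's three tiers."""
    if version in FORBIDDEN:
        return "forbidden"
    if version in LEGACY:
        return "legacy"
    if version in RECOMMENDED:
        return "recommended"
    return "unknown"


def probe_server(host, port=443, timeout=5.0):
    """Handshake with host:port and report (protocol, cipher, tier).

    An ssl.SSLError raised here after the cut-over means the client stack
    could not offer any protocol version the server still accepts.
    """
    ctx = make_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            version = tls.version()
            return version, tls.cipher()[0], classify_version(version)


if __name__ == "__main__":
    # Placeholder host; replace with the API endpoint you actually call.
    print(probe_server("api.example.com"))
```

The same check can be made by hand with openssl s_client: forcing -ssl3 against a server that has disabled it should fail the handshake, while -tls1_2 should succeed and print the negotiated cipher. If your own client library cannot be configured this way, that is the library to upgrade before the cut-over.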
For more information about the POODLE attack, see: https://community.qualys.com/blogs/securitylabs/2014/10/15/ssl-3-is-dead-killed-by-the-poodle-attack
October 18, 2014: Change in SSL Certificate
On Saturday, October 18th, ZipDX replaced our SHA-1 signed SSL certificate with one signed using SHA-256, the new industry standard. Modern browsers will not notice the change, and the new signature removes the exposure to forgery attacks that rely on weaknesses in SHA-1. API clients built on older, out-of-date SSL libraries may run into problems, typically because the library cannot verify a SHA-256 signature. Manually adding the new certificate to your trust store may be all that is required, although updating the library is the better fix; assistance from us with your specific code base and language will be limited.
For more information about this issue, see: https://community.qualys.com/blogs/securitylabs/2014/09/09/sha1-deprecation-what-you-need-to-know
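As an added example (not ZipDX code), the following pulls the signature algorithm out of an X.509 certificate with a minimal DER walk, so an API client can confirm which digest a certificate was signed with before and after a change like this one. The two certificates embedded in the block are constructed stand-ins with a one-integer tbsCertificate; the walk only touches the outer SEQUENCE, skips tbsCertificate and reads the AlgorithmIdentifier that follows, so it behaves the same on a real certificate. fetch_and_check() takes a host name you supply.

```python
import base64
import ssl

# Added example, not ZipDX code. Extracts a certificate's signature algorithm
# with a minimal DER parser and flags MD5/SHA-1 signatures. The sample
# certificates below are constructed stand-ins, not real certificates.

SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_DIGESTS = ("md5", "sha1")


def _read_tlv(buf, pos):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                    # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content bytes into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def to_der(cert):
    """Accept PEM (str or bytes) or DER bytes; return DER bytes."""
    if isinstance(cert, str):
        cert = cert.encode("ascii")
    if not cert.lstrip().startswith(b"-----"):
        return cert                      # already DER
    body = b"".join(l for l in cert.splitlines() if not l.startswith(b"-----"))
    return base64.b64decode(body)


def signature_algorithm(cert):
    """Return (dotted OID, friendly name or None) of the certificate's signature."""
    der = to_der(cert)
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = _read_tlv(body, 0)    # tbsCertificate: skipped
    _, alg, _ = _read_tlv(body, pos)     # signatureAlgorithm (AlgorithmIdentifier)
    tag, oid_bytes, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = _decode_oid(oid_bytes)
    return oid, SIGNATURE_OIDS.get(oid)


def is_weakly_signed(cert):
    """True for MD5 or SHA-1 signatures, the kind the advisory retires."""
    _, name = signature_algorithm(cert)
    return name is not None and any(d in name.lower() for d in WEAK_DIGESTS)


def fetch_and_check(host, port=443):
    """Download the live leaf certificate and classify it (needs network access)."""
    pem = ssl.get_server_certificate((host, port))
    return signature_algorithm(pem), is_weakly_signed(pem)


# Constructed stand-ins: SEQUENCE { SEQUENCE { INTEGER 1 }, AlgorithmIdentifier, BIT STRING }
SAMPLE_SHA256 = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d01010b0500" "030200ff")
SAMPLE_SHA1 = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d0101050500" "030200ff")
SAMPLE_SHA256_PEM = ("-----BEGIN CERTIFICATE-----\n"
                     + base64.b64encode(SAMPLE_SHA256).decode("ascii")
                     + "\n-----END CERTIFICATE-----\n")
```

Running fetch_and_check() against an endpoint after a certificate swap tells you in one call whether you are still seeing the old SHA-1 chain (for example through a caching proxy) or the new SHA-256 one; a library that cannot verify SHA-256 will typically fail inside get_server_certificate() itself, which is the symptom the advisory warns about.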