Security Announcement - POODLE SSLv3 Vulnerability

Autor:

Katie Smart Vice President, Global Marketing and Communications

Last week a security vulnerability known as POODLE was publicly announced that affects a relatively low number of Internet connected devices. However, this vulnerability is critical and could allow an attacker to read encrypted information, even when passed over an SSL connection. While not vulnerable, SightCall is taking this issue seriously by following the steps below. At the bottom of the article, we’ve listed steps you can take to help protect yourself. What we've done:

Validated that SightCall is not vulnerable to the published vulnerability. We do not enable CBC ciphers in SSLv3, which is a key component to executing the current exploit. Our mitigation is similar to the recommendation that Google has made here.
Disabled SSLv3 support in all of our Data Centers: Real Time Platform, CDN, admin platforms. Only our Authentication platform will still authorize SSLv3 connection, as this is most common protocol used by our customers to request token for their users. We want to give our customers the time to switch to a more modern encryption method (e.g TLS v1.2). We are currently updating our examples on GitHub (https://github.com/sightcall/Authentication-Client).

What we will continue to do:

Like many other companies, to avoid future SSLv3 weaknesses, we will be disabling SSLv3 across the SightCall platform.

What you should do:

Upgrade your authentication client to establish TLSv1+ connection.
Upgrade your browser to the latest version supported by SightCall.
Disable SSLv3 support within your browser. You can check if your browser is vulnerable by going here and looking for SSLv3 “Yes”. To disable SSLv3 support, making the following changes and restart your browser:
- Mozilla Firefox
  - Open about:config, find security.tls.version.min and set the value to 1.
- Google Chrome
  - Newer versions of Chrome support TLS_FALLBACK_SCSV, which mitigates this issue.
  - You can explicitly disable support for SSLv3 by issuing the command line command --ssl-version-min=tls1. Further instructions about using command line flags can be found here.
- Internet Explorer
  - Go into “Internet Options”, “Advanced”, and uncheck SSLv3.

As always, if you have any questions about this notification or the security of your SightCall account, we encourage you to contact us at support@sightcall.com for additional assistance.

Siguiente