POODLE Security Update

By Jason Wang / Published on October 16, 2014

Yesterday, an embargo on a major SSL vulnerability named POODLE ended [0]. POODLE (Padding Oracle On Downgraded Legacy Encryption) is caused by downgrading an SSL connection from TLS to SSLv3 and then exploiting SSLv3's weak ciphers to steal "secure" HTTP cookies/tokens/headers. More details about the vulnerability can be found in the release drafted by Google on the OpenSSL website [1].

This vulnerability did not affect TrueVault. In fact, TrueVault removed support for SSLv3 some time ago. TrueVault has been closely monitoring all API traffic for suspicious and irregular activity and has not found any activity suggesting that cookies/tokens/headers were hijacked.

Unless you must support SSLv3 (due to legacy requirements, e.g. Windows XP with IE6), TrueVault’s security team recommends that our customers support only TLSv1, TLSv1.1, and TLSv1.2 for SSL. TrueVault highly recommends that our customers follow the guidelines and recommendations set by the security community, such as Mozilla [2], to secure their infrastructure.
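
A check for the recommendation above, as an added example that is not TrueVault's own code: it scans nginx configuration text for `ssl_protocols` directives and reports any that enable a protocol outside TLSv1, TLSv1.1 and TLSv1.2. The choice of nginx, the function names and the sample configuration are assumptions made for illustration.

```python
import re

# Protocol set recommended in the post above.
RECOMMENDED = {"TLSv1", "TLSv1.1", "TLSv1.2"}

# An nginx ssl_protocols directive may span several lines and ends at ';'.
# The leading \b keeps look-alikes such as proxy_ssl_protocols out.
DIRECTIVE = re.compile(r"\bssl_protocols\s+([^;]+);")

# Constructed sample configuration, not taken from any real deployment.
SAMPLE_CONF = """
server {
    listen 443 ssl;
    server_name legacy.example.test;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;   # still offers SSLv3
}
server {
    listen 443 ssl;
    server_name api.example.test;
    # ssl_protocols SSLv3 TLSv1;  (commented out, must be ignored)
    ssl_protocols TLSv1 TLSv1.1
                  TLSv1.2;
}
"""


def strip_comments(conf):
    """Blank out '#' comments but keep newlines so line numbers stay valid."""
    return re.sub(r"#[^\n]*", "", conf)


def audit_ssl_protocols(conf):
    """Return (line_number, offending_protocols) for each directive that
    enables anything outside RECOMMENDED, e.g. SSLv3."""
    text = strip_comments(conf)
    findings = []
    for match in DIRECTIVE.finditer(text):
        enabled = set(match.group(1).split())
        extra = sorted(enabled - RECOMMENDED)
        if extra:
            line = text.count("\n", 0, match.start()) + 1
            findings.append((line, extra))
    return findings


if __name__ == "__main__":
    for line, extra in audit_ssl_protocols(SAMPLE_CONF):
        print(f"line {line}: outside recommended set: {', '.join(extra)}")
```

A server block with no `ssl_protocols` directive produces no finding here, so the effective protocol list for such blocks still has to be confirmed against the defaults of the installed nginx version.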

As always, should you have any questions about POODLE or our security practices, don’t hesitate to email our security team at security@truevault.com.

[0] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
[1] https://www.openssl.org/~bodo/ssl-poodle.pdf
[2] https://wiki.mozilla.org/Security/ServerSideTLS