Security Announcement: Scalr Discontinues Support for SSLv3

October 15, 2014 Thomas Orozco

On October 14th, a team of security researchers from Google announced a new attack on SSLv3: POODLE (CVE-2014-3566), which compromises the secrecy of communications secured using SSLv3, one of the technologies that enable clients and servers to establish an encrypted connection over the internet (e.g. an HTTPS session).

What you need to know

Due to numerous faults in the specification, SSLv3 has been deprecated for a while, but it remained in use across the internet for compatibility with very old clients. Note that this does not mean clients are actively using SSLv3 to talk to e.g. Scalr (TLS, SSL’s successor, is used in the overwhelming majority of connections). All it means is that SSLv3 is available if they choose to use it (which they seldom do).

However, POODLE marks the end of the road for SSLv3 at Scalr: in order to ensure the security of our customers, we are disabling support for it across our servers. This means that clients will now be required to use TLS to talk to Scalr.

What you need to do

As a user, it is unlikely that you’ll be affected. Your clients will continue using TLS to talk to Scalr, as they did before we removed support for SSLv3 (and as they should). If you do run into trouble, you’ll need to update your clients to something more recent (for example, TLS has been available in OpenSSL for upwards of 15 years).

Note that if you are using Scalr to deploy HTTPS web servers, you will likely want to make the same change to preserve the security of your users.
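One way to check your own web server configuration for that change, as an added example that is not Scalr's code: a small Python audit that flags directives leaving SSLv3 enabled. It assumes the servers are Apache (mod_ssl `SSLProtocol`) or nginx (`ssl_protocols`), neither of which this post names; the function names and sample configs are constructed for illustration.

```python
import re

# Assumption: Apache's "all" is read as including SSLv3 (the case unless
# OpenSSL was built without SSLv3), so the audit errs towards flagging.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def apache_enabled(value):
    """Evaluate an Apache SSLProtocol value token by token, left to right."""
    enabled = set()
    for token in value.lower().split():
        sign = token[0] if token[0] in "+-" else ""
        name = token[len(sign):]
        group = APACHE_ALL if name == "all" else {name}
        if sign == "-":
            enabled -= group
        elif sign == "+":
            enabled |= group
        else:
            # Assumption: an unsigned token replaces whatever came before it.
            enabled = set(group)
    return enabled

# Each entry: (pattern capturing the directive's value, evaluator for it).
# nginx ssl_protocols is a plain list of the protocols to enable.
DIRECTIVES = [
    (re.compile(r"^\s*SSLProtocol\s+([^#\n]+)", re.I), apache_enabled),
    (re.compile(r"^\s*ssl_protocols\s+([^;#\n]+);"), lambda v: set(v.lower().split())),
]

def find_sslv3(config_text):
    """Return (line_number, line) for every directive that leaves SSLv3 on."""
    hits = []
    for number, line in enumerate(config_text.splitlines(), start=1):
        for pattern, evaluate in DIRECTIVES:
            match = pattern.match(line)
            if match and "sslv3" in evaluate(match.group(1)):
                hits.append((number, line.strip()))
    return hits

# Constructed sample configs, not taken from any real deployment.
SAMPLES = {
    "apache weak":  "SSLEngine on\nSSLProtocol all -SSLv2\n",
    "apache fixed": "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n",
    "nginx weak":   "listen 443 ssl;\nssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n",
    "nginx fixed":  "listen 443 ssl;\nssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, find_sslv3(text) or "SSLv3 not enabled")
```

The audit only evaluates directives that are written out explicitly; a configuration with no such directive falls back to the server's built-in default, which depends on the server and OpenSSL version.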

