October 14, 2014
Today a new vulnerability was announced in SSLv3. The vulnerability allows attackers who might be in a position to execute a MITM (Man In The Middle) attack against a client to decrypt SSLv3 traffic. Luckily, SSLv3 hasn't been used by clients (web browsers) for a number of years now, replaced by TLS.
At Recurly we supported SSLv3 for backwards compatibility purposes. As it turns out, supporting SSLv3 as of today puts other clients at risk due to a MITM attack potentially forcing a client (web browser) to fall-back to SSLv3, thereby allowing them to disable encryption and view your website traffic. Today, in order to protect our clients we have removed the ability to use SSLv3 with Recurly and in turn, the ability for our clients to be exposed to this issue when using Recurly.
Continue Reading >