POODLE attack: Withdrawing SSL 3.0 support for all Zoho services from Dec 8, 2014

You might have come across this news over the past couple of weeks - the Version 3 of Secure Sockets Layer (SSL 3.0) has vulnerabilities at the protocol level. The vulnerability allows a man-in-the-middle attack, i.e., an attacker can extract data from secure HTTP connections. Although difficult to exploit, to further protect our customers, all Zoho services will stop extending support to SSL 3.0 from December 8, 2014 .

After Zoho disables SSL 3.0 encryption, any communication with a Zoho service will need to use TLS 1.0 encryption or higher.

As a Zoho customer, below are the three possible ways you initiate encrypted communication with Zoho's services.

Internet browsers
APIs
Client plugins

In each case, we strongly recommend that you take the following measures.

1. Internet browsers
For web access via browsers supported by Zoho, there should be no impact as they all support TLS 1.0 by default. Older version of Internet Explorer (specifically IE6) has SSL 3.0 enabled by default. Please upgrade to a later version of IE.

2. API integrations
If your APIs use SSL 3.0 protocol to access Zoho apps, they need to be updated to connect via TLS 1.0 or a higher encryption protocol. Refer the table below to set the TLS protocol for the language you are using.

Language	References for enabling TLS
Java	Set the TLS protocol in the javax.net.ssl.SSLContext. Refer http://docs.oracle.com/javase/7/docs/technotes/guides/security/jsse/JSSERefGuide.html
Ruby	Set the TLS protocol in the OpenSSL::SSL::SSLContext. Refer http://ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/SSL/SSLContext.html
PHP	Set CURLOPT_SSLVERSION to CURL_SSLVERSION_TLSv1 in your Curl options. Refer http://curl.haxx.se/libcurl/c/CURLOPT_SSLVERSION.html
Python	Set the TLS protocol in the ssl.SSLContext. Refer https://docs.python.org/2/library/ssl.html
C#	Use SecurityProtocolType Tls. Refer http://msdn.microsoft.com/en-us/library/system.net.securityprotocoltype%28v=vs.110%29.aspx

3. Client plugins

Outlook/Mac/Office plugins: We have released upgraded versions of our plugins that replace SSL 3.0 with its TLS successors. Please upgrade to the latest versions of these plugins, to avoid further hassles.

Take these measures right away so that you are not affected by this attack. Please get in touch with the respective Zoho product team in case you have any queries.

ps : To know more about what's called the POODLE attack, check out the links below:

https://www.imperialviolet.org/2014/10/14/poodle.html

http://googleonlinesecurity.blogspot.in/2014/10/this-poodle-bites-exploiting-ssl-30.html