POODLE attack: Withdrawing SSL 3.0 support for all Zoho services from Dec 8, 2014
You might have come across this news over the past couple of weeks: version 3 of Secure Sockets Layer (SSL 3.0) is vulnerable at the protocol level. The vulnerability allows a man-in-the-middle attack, i.e., an attacker can extract data from secure HTTP connections. Although it is difficult to exploit, to further protect our customers, all Zoho services will stop supporting SSL 3.0 from December 8, 2014.
After Zoho disables SSL 3.0 encryption, any communication with a Zoho service will need to use TLS 1.0 encryption or higher.
As a Zoho customer, below are the three possible ways you initiate encrypted communication with Zoho's services.
- Internet browsers
- APIs
- Client plugins
In each case, we strongly recommend that you take the following measures.
1. Internet browsers
For web access via browsers supported by Zoho, there should be no impact, as they all support TLS 1.0 by default. Older versions of Internet Explorer (specifically IE6) have SSL 3.0 enabled by default. Please upgrade to a later version of IE.
2. API integrations
If your API integrations use the SSL 3.0 protocol to access Zoho apps, they need to be updated to connect via TLS 1.0 or a higher protocol version. Refer to the table below to set the TLS protocol for the language you are using.
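An added example, not from the original post or Zoho's own code: a Python client context with its protocol floor pinned, plus a configuration check that flags a context still permitting SSL 3.0. The helper names, the TLS 1.2 floor (the post requires TLS 1.0 or higher) and the deliberately weak sample context are assumptions of this example.

```python
import ssl

# Floor chosen for this example; the post only requires TLS 1.0 or higher.
MIN_VERSION = ssl.TLSVersion.TLSv1_2


def harden(ctx, floor=MIN_VERSION):
    """Raise the lowest protocol version an existing context will negotiate."""
    ctx.minimum_version = floor
    return ctx


def make_client_context(floor=MIN_VERSION):
    """New client context: certificate checks on, protocol floor pinned."""
    return harden(ssl.create_default_context(), floor)


def allows_ssl3(ctx):
    """True if the context's configuration still permits SSL 3.0.

    This inspects configuration only. Whether the linked OpenSSL build
    still contains SSL 3.0 code is a separate question (see ssl.HAS_SSLv3).
    """
    floor = ctx.minimum_version
    floor_permits = floor in (ssl.TLSVersion.MINIMUM_SUPPORTED,
                              ssl.TLSVersion.SSLv3)
    excluded_by_option = bool(ctx.options & ssl.OP_NO_SSLv3)
    return floor_permits and not excluded_by_option


def legacy_style_context():
    """Constructed sample: how an old integration may have been configured."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.options &= ~ssl.OP_NO_SSLv3                      # SSL 3.0 re-enabled
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # no floor
    return ctx


if __name__ == "__main__":
    old = legacy_style_context()
    print("legacy context permits SSL 3.0:", allows_ssl3(old))
    print("after harden():", allows_ssl3(harden(old)))
    print("new context permits SSL 3.0:", allows_ssl3(make_client_context()))
```

Pass the returned context to whatever HTTP client the integration uses, for example as the `context` argument of `urllib.request.urlopen`.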
3. Client plugins
Outlook/Mac/Office plugins: We have released upgraded versions of our plugins that replace SSL 3.0 with its TLS successors. Please upgrade to the latest versions of these plugins, to avoid further hassles.
Take these measures right away so that you are not affected by this attack. Please get in touch with the respective Zoho product team in case you have any queries.
P.S.: To know more about what's called the POODLE attack, check out the links below: