SSL v3 OpenSSL is vulnerable at the protocol level

Got this from Twilio. Could this affect:
A. Electric imp Agents
B. Agents calling Twilio API

As you know, a number of news sources, corporations, and the OpenSSL team reported yesterday, 14 October 2014, that version 3 of Secure Sockets Layer (SSLv3) is vulnerable at the protocol level.


We use TLS 1.0 for device-agent communications, and TLS 1.0 is not affected by Poodle. I believe we’re moving to TLS 1.2 at some point in the near future, but I’m sure @Hugo can clarify the situation much better than I can.

As for agents calling out to Twilio, it actually turns out that when we upgraded the copy of libcurl that we use in the agent-server, a little while ago, it actually disabled SSL3.0 altogether. We didn’t notice, because it wasn’t in the upstream release notes – but nobody’s ever complained, so it looks like none of our users were relying on SSL3.0 support in the first place. Also, agents don’t do the “downgrade dance”: they always suggest a protocol version of TLS1.2. So outbound HTTPS from agents is not vulnerable to Poodle attacks.
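
The point in the reply above about agents not doing the "downgrade dance", as an added example that is not part of the original thread or Electric Imp's code: a simplified Python model of version negotiation that contrasts a client which retries at lower versions with one that makes a single TLS 1.2 offer and has SSL 3.0 disabled. The names `handshake`, `connect` and `drop_above` are hypothetical, and no real TLS is performed.

```python
# Added illustration: a toy model of SSL/TLS version negotiation, not real TLS.
from enum import IntEnum


class Ver(IntEnum):
    SSL3_0 = 0x0300
    TLS1_0 = 0x0301
    TLS1_1 = 0x0302
    TLS1_2 = 0x0303


ALL_VERSIONS = set(Ver)                 # legacy client or server, SSL 3.0 still on
AGENT_VERSIONS = ALL_VERSIONS - {Ver.SSL3_0}  # SSL 3.0 disabled, as in the reply


def handshake(offered, server_supported, drop_above=None):
    """One handshake attempt.

    The client offers its highest version; the server answers with the
    highest version it supports that is <= the offer. `drop_above` models
    an on-path party that kills every attempt offering more than that
    version. Returns the agreed version, or None if the attempt failed.
    """
    if drop_above is not None and offered > drop_above:
        return None
    usable = [v for v in server_supported if v <= offered]
    return max(usable) if usable else None


def connect(client_versions, server_supported, fallback, drop_above=None):
    """Client connection logic.

    fallback=True: after each failure, retry offering the next lower
    version (the "downgrade dance").
    fallback=False: make a single attempt at the highest version.
    A server answer the client has disabled is rejected.
    """
    attempts = sorted(client_versions, reverse=True)
    if not fallback:
        attempts = attempts[:1]
    for offered in attempts:
        agreed = handshake(offered, server_supported, drop_above)
        if agreed is not None and agreed in client_versions:
            return agreed
    return None  # fail closed: no connection rather than a weaker one
```

In this model the fallback client ends up on SSL 3.0 when higher offers are dropped, while the single-offer client either gets a version it allows or no connection at all.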


Thanks for the heads up.