Security Notification for SSLv3 POODLE Vulnerability
As you know, a number of news sources, corporations and the OpenSSL team reported yesterday, 14 October 2014, that version 3 of Secure Sockets Layer (SSLv3) is vulnerable at the protocol level.
We are urging all customers to disable SSLv3 on hosts interacting with the Twilio service as soon as possible and upgrade to use Transport Layer Security (TLS).
Owing to many clients and servers connecting to Twilio that currently do not support TLS, we have not immediately turned off SSLv3, but are providing a mitigation path as defined below.
This path affects customer applications in two ways:
- On the REST API requests they make for outbound calls and messages
- On the webhooks made by Twilio to their applications for inbound calls and messages.
Twilio is making the following adjustments to the security of these services to mitigate this vulnerability.
REST API – Outbound Calls and Messages
For customers using an official Twilio helper library and those consuming the REST API through a different HTTP client, we encourage them to mitigate this vulnerability by disabling SSLv3 on their hosts as soon as possible.
For customers negotiating with Twilio over SSLv3, we plan on discontinuing this service on 22 October 2014 at 9am PDT / 1600 UTC. Customers with clients that only support SSLv3 are encouraged to upgrade to TLS as soon as possible.
Webhooks – Inbound Calls and Messages
For customers only supporting SSLv3 for inbound HTTP requests from Twilio, we plan on discontinuing this service on 22 October 2014 at 9am PDT / 1600 UTC. Customers with applications that only support SSLv3 are encouraged to upgrade to TLS as soon as possible, as SSLv3 will be unavailable on that date.
Disabling SSLv3 For Your Platform
To help you disable SSLv3 on your hosts, we have found the following resources to be helpful:
Update: Scott Helme published this excellent step-by-step guide on mitigating this vulnerability on multiple platforms, web servers and clients.
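One way to confirm that a host has stopped negotiating SSLv3 after the change is to inspect the first record it sends back in a captured handshake. The Python below is an added example, not Twilio's code; the function names and the sample byte strings are constructed for illustration.

```python
import struct

# Wire version numbers; a TLS 1.3 server also puts 0x0303 in this field.
VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2+"}
HANDSHAKE, ALERT, SERVER_HELLO = 0x16, 0x15, 0x02


def negotiated_version(reply: bytes) -> str:
    """Classify the first record a server sends in answer to a ClientHello.

    Returns a name from VERSIONS, "alert" if the server refused the
    handshake, and raises ValueError for anything it cannot parse.
    """
    if len(reply) < 5:
        raise ValueError("truncated record header")
    rec_type, _rec_version, rec_len = struct.unpack("!BHH", reply[:5])
    body = reply[5:5 + rec_len]
    if len(body) < rec_len:
        raise ValueError("truncated record body")
    if rec_type == ALERT:
        return "alert"
    if rec_type != HANDSHAKE or len(body) < 6 or body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    # Handshake header is 1-byte type + 3-byte length; server_version follows.
    # Read server_version, not the record-layer version, which may differ.
    (server_version,) = struct.unpack("!H", body[4:6])
    return VERSIONS.get(server_version, "unknown 0x%04x" % server_version)


def sslv3_still_enabled(reply: bytes) -> bool:
    """True when the server agreed to speak SSLv3."""
    return negotiated_version(reply) == "SSLv3"


def _sample_hello(version: int) -> bytes:
    # Constructed input: zeroed random, empty session id, suite 0x002f, no compression.
    hello = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


SAMPLE_SSLV3 = _sample_hello(0x0300)             # host still accepts SSLv3
SAMPLE_TLS12 = _sample_hello(0x0303)             # host negotiated TLS
SAMPLE_ALERT = bytes.fromhex("15030000020228")   # fatal handshake_failure alert

if __name__ == "__main__":
    for name, raw in [("sslv3", SAMPLE_SSLV3), ("tls", SAMPLE_TLS12), ("alert", SAMPLE_ALERT)]:
        print(name, negotiated_version(raw), sslv3_still_enabled(raw))
```

A host that has SSLv3 disabled should answer an SSLv3-only ClientHello with an alert or a closed connection rather than a ServerHello carrying version 0x0300.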
Thank you for your prompt attention to this security disclosure. As always, if you have any questions about this notification or the security of your Twilio account, we encourage you to reply to this email or email help@twilio.com for additional assistance.