Security Notification for SSLv3 POODLE Vulnerability

October 15, 2014
Written by Twilio (Twilion)


As you may know, a number of news sources, corporations and the OpenSSL team reported yesterday, 14 October 2014, that version 3 of the Secure Sockets Layer protocol (SSLv3) is vulnerable at the protocol level, so the weakness cannot be patched away in any single implementation.

We are urging all customers to disable SSLv3 on hosts interacting with the Twilio service as soon as possible and to use Transport Layer Security (TLS) instead.

Because many clients and servers that connect to Twilio currently do not support TLS, we have not turned off SSLv3 immediately; instead we are providing the mitigation path described below.

This path affects customer applications in two ways:

  1. On the REST API requests they make for outbound calls and messages.
  2. On the webhooks made by Twilio to their applications for inbound calls and messages.

Twilio is making the following adjustments to the security of these services to mitigate this vulnerability.

REST API – Outbound Calls and Messages

We encourage customers using an official Twilio helper library, and those consuming the REST API through a different HTTP client, to mitigate this vulnerability by disabling SSLv3 on their hosts as soon as possible.

For customers negotiating with Twilio over SSLv3, we plan on discontinuing this service on 22 October 2014 at 9am PDT / 1600 UTC.  Customers with clients that only support SSLv3 are encouraged to upgrade to TLS as soon as possible.

Webhooks – Inbound Calls and Messages

For customers only supporting SSLv3 for inbound HTTP requests from Twilio, we plan on discontinuing this service on 22 October 2014 at 9am PDT / 1600 UTC.  Customers with applications that only support SSLv3 are encouraged to upgrade to TLS as soon as possible, as SSLv3 will be unavailable on that date.

Disabling SSLv3 For Your Platform

To assist customers in disabling SSLv3 on their hosts, we have found the following resources to be helpful:

Update: Scott Helme published this excellent step-by-step guide on mitigating this vulnerability on multiple platforms, web servers and clients.

Thank you for your prompt attention to this security disclosure.  As always, if you have any questions about this notification or the security of your Twilio account, we encourage you to reply to this email or email help@twilio.com for additional assistance.