An update on how Emma is responding to SSLv3 vulnerability.

  • Announcement
  • Updated 5 years ago
Archived and Closed

This conversation is no longer open for comments or replies and is no longer visible to community members. The community moderator provided the following reason for archiving: Outdated: SSLv3 disabled today

You may have already come across blogs, tweets, or posts about a newly reported SSL Version 3.0 vulnerability which is affectionately being referred to as Poodle. Whether you have or haven't, here are some details and information on how Emma is responding.

What happened?

On Tuesday Google posted details about an exploit for SSL Version 3.0. SSL is the protocol that allows secure transactions across the Internet. The exploit provides the means to create a man-in-the-middle attack capable of capturing sensitive information including cookies, passwords, and other data during transit. In response, internet services opted to turn off SSLv3 support.

How does Poodle affect Emma?

Our application makes network requests to outside services we have integrated into the Emma application, services like SurveyMonkey, Twitter, and Facebook. Some of those requests default to SSLv3. Once those outside services ceased support of SSLv3, our requests to those systems failed. This rendered the Emma editor unusable for a small number of customers on Wednesday, October 15th. Our team here worked yesterday to make the necessary changes in our application. They tested and released a fix at 1pm on October 15th. We feel confident we have resolved issues with connecting to these outside services.

How will Emma respond to Poodle?

Emma will follow suit and disable SSLv3 support in the very near future. This change does create a couple of possible impacts for our customers and integrated partners.

1) Users and customers using an older browser will not be able to interact with our application. This is very limited! We already require modern versions of major browsers to interact with our application. Any user affected by this will most likely be receiving "Update your Browser" notifications from a significant number of other services.

2) Any integrations that utilize our public API will need to ensure their connections are making requests using TLS instead of SSLv3. Currently, less than 1% of all traffic across our platform connects with SSLv3.

What is our plan?

1) Tonight at 8pm, we will turn off SSLv3 for 15 minutes as a test. This will allow us to identify any unforeseen problems in preparation to disable it permanently.

2) Assuming everything checks out, we will disable SSLv3 forever early next week.

What should you do?

For the large majority of Emma clients, you don't need to do anything. We are making the necessary changes on our end to keep up with the surrounding tech community. For a very small number of users, you will want to circle up with your web developer and confirm that any custom integrations you have with Emma are updated to use TLS instead of SSLv3.

Please feel free to post any questions here and we will be glad to assist.
Kyle Floyd, Official Rep

Posted 5 years ago
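The measurement behind a figure like "less than 1% of traffic connects with SSLv3", and behind a 15-minute disable test, is counting what version inbound clients actually ask for. The Python below is an added example, not Emma's code: it classifies the ClientHello at the start of each connection (the first bytes of each TCP stream captured at the load balancer) and reports the SSLv3 share. The records it runs over are constructed by hand for the example, not captured traffic.

```python
"""Classify the protocol version each inbound ClientHello asks for.

Added example; not Emma's code. Run it over the first bytes of each
connection captured at the edge to count what clients lead with. The
records below are constructed for the example, not captured traffic.
"""
from collections import Counter

VERSION_NAMES = {
    (2, 0): "SSLv2",
    (3, 0): "SSLv3",
    (3, 1): "TLSv1.0",
    (3, 2): "TLSv1.1",
    (3, 3): "TLSv1.2",
}

HANDSHAKE = 0x16      # TLS record content type
CLIENT_HELLO = 0x01   # handshake message type


def client_hello_version(data: bytes) -> str:
    """Return the highest version the client offers in its ClientHello.

    Handles both framings seen in 2014: the SSLv2-compatible ClientHello that
    old OpenSSL clients send first, and the normal record-layer framing. The
    version to trust is client_version inside the ClientHello, not the
    record-layer version, which clients often pin to 3,1 for compatibility.
    """
    if len(data) < 11:
        return "not-a-client-hello"
    # SSLv2-compatible hello: 2-byte length with the high bit set, then msg type.
    if data[0] & 0x80 and data[2] == CLIENT_HELLO:
        return VERSION_NAMES.get((data[3], data[4]), "unknown")
    if data[0] != HANDSHAKE or data[5] != CLIENT_HELLO:
        return "not-a-client-hello"
    major, minor = data[9], data[10]
    return VERSION_NAMES.get((major, minor), "unknown")


def version_counts(records) -> Counter:
    """Tally offered versions. An SSLv3 hello is either a genuinely old client
    or the retry leg of a POODLE downgrade; disabling SSLv3 stops both."""
    return Counter(client_hello_version(r) for r in records)


def sslv3_share(records) -> float:
    """Fraction of ClientHellos whose best offered version is SSLv3."""
    counts = version_counts(records)
    total = sum(n for v, n in counts.items() if v != "not-a-client-hello")
    return counts["SSLv3"] / total if total else 0.0


def make_client_hello(major: int, minor: int) -> bytes:
    """Build a minimal, well-formed ClientHello record (constructed test data)."""
    body = (bytes([major, minor])      # client_version
            + b"\x00" * 32             # random
            + b"\x00"                  # session_id length 0
            + b"\x00\x02\x00\x2f"      # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
            + b"\x01\x00")             # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, major, minor]) + len(handshake).to_bytes(2, "big") + handshake


# Constructed sample: 97 modern clients, 2 old SSLv3 clients, one SSLv2-framed
# hello that still offers SSLv3, and one plain-HTTP probe that is not TLS at all.
SAMPLE_RECORDS = (
    [make_client_hello(3, 3)] * 90
    + [make_client_hello(3, 1)] * 7
    + [make_client_hello(3, 0)] * 2
    + [b"\x80\x2e\x01\x03\x00" + b"\x00" * 44]
    + [b"GET / HTTP/1.1\r\nHost: example.com\r\n"]
)

if __name__ == "__main__":
    print(version_counts(SAMPLE_RECORDS))
    print(f"SSLv3 share: {sslv3_share(SAMPLE_RECORDS):.1%}")
```

A client whose best offer is TLS 1.2 can still end up on SSLv3 if an attacker blocks its first handshake and the browser retries with a lower version; that retry shows up here as an SSLv3 hello, which is why the count includes both legitimate old clients and downgrade attempts.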
Kyle Floyd, Official Rep
A quick update here. Tonight's testing is complete and from our experience there was no significant user interruption.

Once we have the details, we will provide additional information concerning our time frame for completely disabling SSLv3.
Kyle Floyd, Official Rep
We have continued researching the impacts of disabling SSLv3 for the Emma application. Tonight (October 28th, 2014) at 8pm Central we will be disabling SSLv3 for the majority of our application. This will increase our application security and protect our system from a possible exploitation of SSLv3.

We do not expect any application interruption as we make this change tonight. I will provide an update here once tonight's update is complete.

For clients who have written their own API calls:

We are continuing to allow API calls to Emma to be made using SSLv3. We will be working directly with customers who are making those calls to encourage and assist them in updating their system as needed. This approach will make sure all customers have a stable and seamless transition to the more secure TLS protocol.
Kyle Floyd, Official Rep
We have completed our maintenance for tonight with no interruption in service for our users.
Kyle Floyd, Official Rep
Due to some unintended system limitations related to our disabling of SSLv3 protocols across our application, we have once again enabled that encryption type.

Our team here is working towards once and for all disabling SSLv3 across our entire platform in the very near future. I will post those details here as soon as the plan is clearly defined.
Kyle Floyd, Official Rep
Scheduled system update:

Emma will disable SSLv3 as an encryption option for our API on Monday, December 15 in order to protect all of our customers from the potential exploitation of this vulnerability. To avoid any service interruption, please ensure that you are connecting to the Emma API using TLS 1.0 or higher. We have done our best to identify customers who may be using SSLv3 as an encryption option and will be proactively notifying those clients.

If you do have any questions, feel free to post here.
Resolutions Northwest
We have the Emma API on our website so people can sign up for the newsletter. Is this what you are talking about? Do I need to deactivate the widget?
Kyle Floyd, Official Rep
Hi Resolutions, Great question.

You do not at all need to deactivate the widget. You may need to modify the encryption option that you use when making that API call. You will want your web developer to make sure you are connecting to the Emma API using TLS 1.0 or higher.
Jenna
I had SalesForce and Emma integrated using Emma's API -- and then noticed saved email addresses in my account were significantly less than what they should've been (lists of 200 were down to 5) -- could this have caused that? Do I need to do anything with the SalesForce integration?
Kyle Floyd, Official Rep
Hi Jenna,
This experience wouldn't at all be related to the SSLv3 changes that we are planning to make. For that reason, I have created a new thread so we can dig into your use case.

Please reference the new conversation here: Significant decrease in contact count in Emma
Bacon Lee & Associates
How does this impact users of the Emma Emarketing plug-in for Wordpress?
Kyle Floyd, Official Rep
Hi, I am sorry for the delay in reply here. I talked with our engineering team on this and the direct answer is that we aren't certain how this will impact your Wordpress form.

We do know that Wordpress uses the transport option (probably PHP cURL, which is PHP's way of using curl/libcurl) that is available on their server. It's set to let that transport option negotiate the highest level of authentication that it can. If your use of the Wordpress plugin stops working, you will want to contact your web host to make sure they are using an updated version of curl and openssl.

In short, you will want to check with your web host or web developer to confirm the authentication being used by your transport option.
Mike Ginter

We have a series of 3 main PHP files that generate a subscription page at our site. These PHP functions (originally created by Mark Roland.com in 2012) are connecting to your servers.

The programmer that took this code and customized it is no longer with us. I have been tasked with keeping up with this page, however I am not a programmer.

I don't think we have a problem, but I don't know what to really look for.

On our servers, we are not using the https:// protocol at all, and I didn’t see anything in the functions about encryption methods - rather only functions like "make_request", "create_field" and "get_field_list".

Can anyone clue me in to any key words or string patterns I should be looking for just to be sure?

Any help would be appreciated.

Mike Ginter
Kyle Floyd, Official Rep
Hi Mike, I had our systems team read through your post above. There are a couple of things you can do. The first, and really best option is to contact your web host to make sure they are using an updated version of curl and openssl.

I also wanted to let you know we have been watching our API logs over the past two weeks. We haven't received any SSLv3 calls for the KET account during that time. This would mean that if you have been passing data to Emma over the past two weeks, the calls you have made have been just fine and you may very well not need to do anything.

I do hope that helps and let me know if you have any additional questions.
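The question above ("what key words or string patterns should I look for?") and the earlier answer about PHP cURL negotiating on its own have a concrete check. In PHP, the protocol version for an outbound HTTPS call is pinned by exactly two settings: the cURL option CURLOPT_SSLVERSION, and the 'crypto_method' ssl stream option used by file_get_contents/fsockopen-style transports. If neither appears, libcurl or PHP's stream layer negotiates and the result depends on the host's curl and openssl versions, which is why the host is the next place to check. The Python script below is an added example, not Emma's code and not the Mark Roland client; it scans PHP source for those two settings and reports whether each one forces SSLv3, forces TLS, or leaves negotiation to the library. The PHP snippets embedded in it are constructed for the example, reusing only the function name make_request mentioned in the question.

```python
"""Scan a PHP API client for settings that pin its transport to SSLv3.

Added example; not Emma's code. Finds CURLOPT_SSLVERSION (cURL) and the
'crypto_method' ssl stream option, and says what each does. The sample PHP
at the bottom is constructed for the example.
"""
import re

# CURLOPT_SSLVERSION values: the libcurl constant or the same number written literally.
CURL_SSLVERSION = {
    "CURL_SSLVERSION_DEFAULT": "negotiate", "0": "negotiate",
    "CURL_SSLVERSION_TLSv1":   "tls",       "1": "tls",
    "CURL_SSLVERSION_SSLv2":   "sslv2",     "2": "sslv2",
    "CURL_SSLVERSION_SSLv3":   "sslv3",     "3": "sslv3",
    "CURL_SSLVERSION_TLSv1_0": "tls",       "4": "tls",
    "CURL_SSLVERSION_TLSv1_1": "tls",       "5": "tls",
    "CURL_SSLVERSION_TLSv1_2": "tls",       "6": "tls",
}

VERDICT = {
    "sslv3":     "forces SSLv3: breaks as soon as the server disables it",
    "sslv2":     "forces SSLv2: already broken against any current server",
    "tls":       "forces TLS 1.x: fine",
    "negotiate": "lets the library negotiate: depends on the host's curl/openssl",
    "unknown":   "unrecognised value: check by hand",
}
SEVERITY = ["sslv3", "sslv2", "unknown", "negotiate", "tls"]   # worst first

CURL_RE = re.compile(
    r"curl_setopt\s*\(\s*\$\w+\s*,\s*CURLOPT_SSLVERSION\s*,\s*([A-Za-z0-9_]+)\s*\)")
STREAM_RE = re.compile(
    r"['\"]crypto_method['\"]\s*=>\s*([A-Za-z0-9_|\s]+?)\s*[,)\]]")


def classify_stream_method(value: str) -> str:
    """Map a STREAM_CRYPTO_METHOD_* expression onto the same kinds as cURL."""
    if "SSLv3_CLIENT" in value:
        return "sslv3"
    if "SSLv2_CLIENT" in value:
        return "sslv2"
    if "TLS" in value:
        return "tls"
    return "negotiate"   # STREAM_CRYPTO_METHOD_SSLv23_CLIENT or ANY_CLIENT


def scan_php(source: str):
    """Return (line number, matched setting, kind, verdict) for each hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = CURL_RE.search(line)
        if m:
            kind = CURL_SSLVERSION.get(m.group(1), "unknown")
            findings.append((lineno, m.group(1), kind, VERDICT[kind]))
        m = STREAM_RE.search(line)
        if m:
            kind = classify_stream_method(m.group(1))
            findings.append((lineno, m.group(1).strip(), kind, VERDICT[kind]))
    return findings


def verdict(source: str) -> str:
    """Worst kind found in the file; 'negotiate' when nothing pins a version."""
    kinds = [k for _, _, k, _ in scan_php(source)]
    return min(kinds, key=SEVERITY.index) if kinds else "negotiate"


# Constructed sample resembling a hand-rolled client with a make_request()
# helper; the literal 3 is CURL_SSLVERSION_SSLv3 written as a number.
PINNED_TO_SSLV3 = r"""<?php
function make_request($url, $method, $data = null) {
    $ch = curl_init($url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSLVERSION, 3);
    curl_setopt($ch, CURLOPT_USERPWD, "$public_key:$private_key");
    return curl_exec($ch);
}
$ctx = stream_context_create(array('ssl' => array(
    'crypto_method' => STREAM_CRYPTO_METHOD_SSLv3_CLIENT)));
"""

# The fix: pin to TLS instead. CURL_SSLVERSION_TLSv1 (1) means any TLS 1.x.
FIXED = (PINNED_TO_SSLV3
         .replace("CURLOPT_SSLVERSION, 3", "CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1")
         .replace("STREAM_CRYPTO_METHOD_SSLv3_CLIENT", "STREAM_CRYPTO_METHOD_TLS_CLIENT"))

if __name__ == "__main__":
    for src in (PINNED_TO_SSLV3, FIXED):
        for lineno, setting, _, msg in scan_php(src):
            print(f"line {lineno}: {setting}: {msg}")
        print("overall:", verdict(src))
```

A file that comes back "negotiate" is the case in the Wordpress answer: nothing in the code decides, so the version actually used follows the curl and openssl builds on the host, and an old build that still prefers SSLv3 will fail once the server turns it off.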
Mike Ginter
Thank you, I feel much better now.  I was already pretty sure that there was no problem.
I would have commented on this sooner, but this response went to my junk mail in Outlook 2013... my favorite place to lose track of stuff.