If you are a Bronto customer or partner using the Bronto API in any way, including self-built or pre-packaged integrations, please read this blog post and forward it to your API developer or integration provider for their awareness.
Please note that this blog post does not concern a vulnerability or bug in Bronto’s software. Bronto, being a software-as-a-service platform, relies on a host of internet protocols, and when a vulnerability is exposed in one of those protocols, it could impact the users of the Bronto Marketing Platform. This is simply our precautionary response to one such vulnerability to help minimize any risk to your Bronto account. Bronto’s software has not been compromised in any way.
What is POODLE?
POODLE (Padding Oracle On Downgraded Legacy Encryption) is a serious vulnerability in the SSL Version 3.0 protocol that can be exploited to steal confidential information such as session cookies. With a stolen cookie or password, an attacker can access a user’s private account data on a website.
POODLE is a design flaw in the SSL 3.0 protocol itself, so there is no patch that fixes the bug; the only remedy is to stop using SSL v3. Any website that supports SSL v3 is vulnerable to POODLE, even if it also supports more recent versions of TLS, because an attacker can force a connection to downgrade to SSL v3. As SSL Version 3.0 is no longer secure, Bronto must disable support for it so that Bronto customers use modern TLS versions and do not risk compromising users’ private information.
Please see the CERT alert on POODLE for more information.
What is Bronto doing about POODLE?
On March 8, 2015, Bronto will disable support for SSL v3, the outdated protocol that is vulnerable to the POODLE bug. Most Bronto customers will not see any impact when SSL v3 is disabled on their Bronto website, since all currently supported browsers will automatically use newer and more secure versions of TLS. Most Bronto API integrations will also continue to work.
However, this change may break API integrations for some customers whose SSL libraries either force the use of SSL v3 or do not automatically negotiate the newer TLS versions.
What Must Bronto Customers Do?
Bronto customers should ensure their integrations use SSL libraries that support the newer versions of TLS and disable any further use of SSL v3 immediately.
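The check and the fix described above, as an added example that is not Bronto's code or part of any Bronto integration. It uses Python's standard ssl and urllib modules: sslv3_exposure() audits a client SSLContext for anything that would let it negotiate SSL v3 (or otherwise weaken the connection), hardened_client_context() builds a context that only speaks TLS 1.2 or newer, and api_get() refuses to send a request over a context that fails the audit. The legacy_style_context() function, the api_get() name and any URL passed to it are assumptions made for the example. On current OpenSSL builds SSL 3.0 is compiled out entirely, so the OP_NO_SSLv3 finding will never trigger there; the TLS-version floor and verification findings are the ones that still catch the kind of old-style integration this post warns about.

```python
"""Added example (not Bronto's code): audit a Python ssl.SSLContext for SSL v3
exposure and build a client context that can only negotiate TLS 1.2 or newer."""
import ssl
import urllib.request


def sslv3_exposure(ctx: ssl.SSLContext) -> list:
    """Return findings that would let this context fall back to SSL v3 (or
    otherwise weaken the connection); an empty list means the context passes."""
    findings = []
    # OpenSSL honours OP_NO_SSLv3 independently of minimum_version, so both are checked.
    if not (ctx.options & ssl.OP_NO_SSLv3):
        findings.append("OP_NO_SSLv3 is not set: SSL 3.0 can be negotiated")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version is below TLS 1.2: %s" % ctx.minimum_version.name)
    if ctx.verify_mode != ssl.CERT_REQUIRED or not ctx.check_hostname:
        findings.append("server certificate or hostname is not verified")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Client context for API calls: verifies the server certificate and hostname
    and never negotiates anything older than TLS 1.2."""
    ctx = ssl.create_default_context()            # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rules out SSL 3.0, TLS 1.0, TLS 1.1
    return ctx


def legacy_style_context() -> ssl.SSLContext:
    """Hypothetical stand-in for the kind of integration the post warns about:
    verification switched off and the protocol floor left at TLS 1.0."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode can change
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    return ctx


def api_get(url: str, ctx=None) -> bytes:
    """Fetch an HTTPS URL (hypothetical API call); the audit runs first so a
    misconfigured context fails loudly before any request leaves the host."""
    ctx = ctx or hardened_client_context()
    problems = sslv3_exposure(ctx)
    if problems:
        raise ValueError("refusing to connect: " + "; ".join(problems))
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    print("hardened:", sslv3_exposure(hardened_client_context()) or "no findings")
    print("legacy  :", sslv3_exposure(legacy_style_context()))
```

Run the module directly to see the audit result for both contexts without making any network connection; wire api_get() into an integration only after the hardened context reports no findings. The same three checks (protocol floor, SSL v3 option bit, certificate verification) are what to look for in whichever SSL library a non-Python integration uses.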
If you have any specific questions or concerns, please reach out to your Account Manager.