Effective immediately, we are dropping support for SSLv3

A new security attack (dubbed the POODLE attack) that came to light today makes continued use of SSLv3 connections very risky.

We deeply regret the inconvenience this will cause some of our merchants, but we did not take this action lightly. Given the nature of our business and the sensitivity of the data transmitted, we must act quickly when we become aware of a serious security issue like this.

Thus, as with Twitter, HipChat, Harvest, Freshbooks, Braintree Payments (part of PayPal), and many other respected websites, we have made the quick & difficult decision to immediately stop accepting SSLv3 connections to https://app.chargify.com

While this change is good for security, it may cause problems for some of our merchants and a few of their customers:

  • Extremely old browsers (specifically IE 6 on Windows XP) will no longer be able to connect to Chargify-hosted pages (such as the customer signup pages we provide for merchants). We performed a traffic analysis that shows this would have affected only 5 signups across ALL of Chargify merchants in the last 30 days.
  • If you use an old or insecure API client in your application that connects to Chargify, you may find that your app can no longer connect to our API. We know this can be very problematic because it’s often very difficult to upgrade software on your systems to maintain compatibility. For that, we’re very, very sorry. Again, we’ve taken this step only as a last resort since the “Poodle” vulnerability was reported today.

Please contact us at support@chargify.com if you have any questions.

Reference links about “Poodle”

If you’d like to read more about the new “Poodle” vulnerability, here are a handful of links:

https://isc.sans.edu/diary/OpenSSL%3A+SSLv3+POODLE+Vulnerability+Official+Release/18827
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
https://www.dfranke.us/posts/2014-10-14-how-poodle-happened.html
https://blog.cloudflare.com/sslv3-support-disabled-by-default-due-to-vulnerability/