As you’ve likely seen, a design flaw in SSL 3.0 was announced to the internet yesterday, nicknamed POODLE. Unfortunately, it’s not just an implementation flaw—the only way to disable the attack is to turn off the affected ciphers altogether. Fortunately, the only common browser which still relies on SSL 3.0 is Internet Explorer 6 on Windows XP, which is a small fraction of internet traffic.
We’ve deployed changes to ensure Stripe traffic remains secure.
We’ve taken an approach similar to Google’s: We’ve disabled the now easily-exploited CBC-mode SSL 3.0 ciphers. We’ve also deployed OpenSSL with support for TLS_FALLBACK_SCSV, which prevents newer browsers from being tricked into using SSL 3.0 at all. This means that IE6 customers will (for now) continue to be able to purchase from Stripe users, and there will be no immediate user-facing impact.
Ending support for SSL 3.0
While there do exist some mitigations, there is no configuration under which SSL 3.0 is totally secure. As well, with so many websites responding to POODLE by dropping SSL 3.0 support entirely, we expect that IE6 on XP will soon stop working on most of the web.
Our plan going forward:
- Starting today, new Stripe users will not be able to send API requests or receive webhooks using SSL 3.0.
- On November 15, 2014, we will drop SSL 3.0 support entirely (including for Stripe.js and Checkout).
In the meantime, we’ll notify any of our users who we expect to be affected by this change. If you have any questions, please don’t hesitate to get in touch.