POODLE SSLv3 Vulnerability

Yesterday, Google released information about POODLE, a serious vulnerability in SSL version 3.0. This vulnerability can't be used to gain unauthorized access to the Mandrill infrastructure, but in theory a malicious network operator could use it to eavesdrop on encrypted communications. We're updating Mandrill's infrastructure to protect against this vulnerability by completely disabling support for the SSLv3 protocol.

2014 brought the announcement of several high-profile vulnerabilities in specific widely-used encryption libraries. But POODLE is different—it's a flaw in the protocol itself. SSLv3 was released in 1996, and should be considered obsolete and unsafe. TLSv1, the successor to SSLv3, was released in 1999—15 years ago. Newer versions of TLS are preferable, but TLSv1 provides an acceptable, safe baseline.

Unfortunately, disabling SSLv3 may cause compatibility problems for a very small amount of traffic on the Internet—well under 1%. We don't take this lightly: breaking compatibility is always a serious concern. In this case though, leaving SSLv3 enabled would risk exposing our users to eavesdropping by malicious actors, and we're simply unwilling to take that risk.

As of Wednesday, October 15 at 20:00 UTC, SSLv3 was disabled for all API and SMTP traffic received by Mandrill. SSLv3 for webhooks was disabled on Thursday, October 16 at 17:00 UTC. We're evaluating the impact of disabling SSLv3 for all outbound mail that uses opportunistic encryption, and will post an update once that is complete.