We’re Disabling Weak SSL on January 11, 2010
On January 11th, 2010, the second Monday of the new year, we will be disabling weak SSL protocols. This change affects both API and browser users.
The protocols we are disabling are:
- Ciphers with keylengths less than 128 bits in SSLv3 or TLSv1
We are disabling these protocols to enhance the security of our users’ financial data as it is passed over the Internet. SSLv2 has several published vulnerabilities and should not be considered secure, and keys shorter than 128 bits are no longer considered sufficiently resistant to compromise. The Wikipedia article on TLS and SSL contains some background information on the vulnerabilities in these protocols.
Analyzing the last month’s worth of traffic suggests that this will affect a very small number of users. We have contacted all affected integrations with whom we have existing relationships. We will continue to monitor our logs to look for any other SSLv2 or short keylength users whom we have missed.
Modern browsers (Firefox 2+; IE 7+; Safari) disable these weak protocols by default.
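The log review described above can be scripted. The following is an added example, not the service's own tooling: it assumes a hypothetical access-log layout (client address, negotiated protocol, cipher name, key bits, quoted user agent) and runs over constructed sample lines, flagging the two categories named in this post.

```python
import re
from collections import defaultdict

# Assumed log layout (not from the post): client, protocol, cipher, key bits, "user agent".
LINE_RE = re.compile(
    r'^(?P<client>\S+) (?P<proto>\S+) (?P<cipher>\S+) (?P<bits>\d+) "(?P<agent>[^"]*)"$'
)
MIN_KEY_BITS = 128  # threshold stated in the post


def classify(proto, bits):
    """Return why a connection would be refused after the change, or None."""
    if proto == "SSLv2":
        return "SSLv2"  # refused whatever the key length
    if proto in ("SSLv3", "TLSv1") and bits < MIN_KEY_BITS:
        return "short-key"
    return None


def affected_clients(lines):
    """Return ({(client, agent): {reason: hits}}, count of unparsable lines)."""
    hits = defaultdict(lambda: defaultdict(int))
    skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1  # keep a count so log-format drift is noticed
            continue
        reason = classify(m["proto"], int(m["bits"]))
        if reason:
            hits[(m["client"], m["agent"])][reason] += 1
    return {key: dict(reasons) for key, reasons in hits.items()}, skipped


# Constructed sample lines (documentation address ranges, made-up user agents).
SAMPLE_LOG = [
    '192.0.2.10 TLSv1 AES256-SHA 256 "Mozilla/5.0 Firefox/3.5"',
    '203.0.113.7 SSLv2 DES-CBC3-MD5 168 "example-api-client/1.0"',
    '198.51.100.4 TLSv1 EXP-RC4-MD5 40 "example-batch-job/0.9"',
    '198.51.100.4 SSLv3 DES-CBC-SHA 56 "example-batch-job/0.9"',
    '203.0.113.7 SSLv2 DES-CBC3-MD5 168 "example-api-client/1.0"',
    'truncated line with no fields',
]

if __name__ == "__main__":
    report, skipped = affected_clients(SAMPLE_LOG)
    for (client, agent), reasons in sorted(report.items()):
        print(client, agent, reasons)
    print("unparsable lines:", skipped)
```

The SSLv2 client in the sample negotiates a 168-bit cipher and is still flagged, because the protocol version alone is enough to be refused.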