SSLv3 to TLS changes

  • Hi I got this email from AWS and we’re using this plugin do we have to worry about it?

    As of 12:00 AM PDT May 20, 2015, AWS will discontinue support of SSLv3 for securing connections to S3 buckets. Security research published late last year demonstrated that SSLv3 contained weaknesses in its ability to protect and secure communications. These weaknesses have been addressed in Transport Layer Security (TLS), which is the replacement for SSL. Consistent with our top priority to protect AWS customers, AWS will only support versions of the more modern TLS rather than SSLv3.

    https://www.ads-software.com/plugins/amazon-web-services/

Viewing 4 replies - 1 through 4 (of 4 total)

  • I’m curious about this too. One of the articles linked up said “less than 0.09% of their visitors still rely on SSLv3” …So I would assume unless you are among that small percentage you are okay. I use S3 to host all the images on my site and take the weight off delivering those myself. So are 0.09% of visitors not going to see those images?

    Also I’m guessing this only affects links with “https” (vs just “http”). Anyone less clueless want to chime in?

    My interpretation is the connection from WordPress Plugin (application) to the Buckets would fail so uploading and delivery to and from S3 buckets would no longer work.

    “You are receiving this email because some of your users are accessing Amazon S3 using a browser configured to use SSLv3, or some of your existing applications that use Amazon S3 are configured to use SSLv3. These requests will fail once AWS disables support for SSLv3 for the Amazon S3 service.

    The following bucket(s) are currently accepting requests from clients (e.g. mobile devices, browsers, and applications) that specify SSLv3 to connect to Amazon S3 HTTPS endpoints.”

    I really hope someone who can help verify whether these plugins will cause failure chimes in soon!!

    I found a blog post from 2014 that says that SSLv3 is a setting on Amazon Elastic Load Balancers: https://www.caseylabs.com/blog/. This is probably what needs to be changed if you are using a load balancer.

    Hi there,

    I’m one of the developers working on the Amazon Web Services plugin and just wanted to clarify that most people don’t need to worry about SSLv3 support being dropped.

    Users accessing bucket assets (images, etc) will only be effected by the issue if you are serving assets over HTTPS. Even then, the majority of browsers support at least version 1.0 of TLS. According to Wikipedia (https://en.wikipedia.org/wiki/Transport_Layer_Security#Websites) only the dreaded IE6 and a handful of other older browsers should be effected. Those older browsers should expect a degraded experience anyway, as the majority of sites have dropped support for them.

    If you are required to support older browsers and are using the Amazon S3 and CloudFront plugin, you can disable SSL URL generation, which will force all assets to be served over regular HTTP. Thus, mitigating the issue altogether.

    Uploads to S3 should not be effected as the Amazon SDK requires OpenSSL to be installed on the server in order to function, which has TLS built in. Unless you have specifically disabled TLS support on the server there should be no issues with uploading.

Viewing 4 replies - 1 through 4 (of 4 total)
  • The topic ‘SSLv3 to TLS changes’ is closed to new replies.