• Hi I got this email from AWS and we’re using this plugin do we have to worry about it?

    As of 12:00 AM PDT May 20, 2015, AWS will discontinue support of SSLv3 for securing connections to S3 buckets. Security research published late last year demonstrated that SSLv3 contained weaknesses in its ability to protect and secure communications. These weaknesses have been addressed in Transport Layer Security (TLS), which is the replacement for SSL. Consistent with our top priority to protect AWS customers, AWS will only support versions of the more modern TLS rather than SSLv3.

    https://www.ads-software.com/plugins/amazon-s3-and-cloudfront/

Viewing 6 replies - 1 through 6 (of 6 total)
  • I’m curious too. All of our site’s images are hosted on S3 to take the delivery weight off our server. I’m guessing most people that use this plugin are doing the same for their WordPress sites.

    It seems like only the client (person browsing from an old unpatched for POODLE browser) would be affected and possibly not see images.

    Any comment from Brad Touesnard on this issue? I have a number of buckets on AWS which are uploaded to using the AWS S3 and Cloudfront plugin.

    Would be good to get a word from the author on this issue as the revised deadline is looming.

    Plugin Contributor A5hleyRich

    (@a5hleyrich)

    We are investigating the issue and we’ll have more information available soon.

    Hi,

    I spoke directly to AWS technical support and I want to share what I’ve learned.

    In a nutshell, if your customers are accessing your S3 data via a modern web browser, everything is ok and no changes required on your end ??

    == Response from AWS: ==

    AWS will be removing the ability for S3 clients to negotiate SSLv3 connections to the global S3 endpoints (not the buckets).
    Going forward, for secure connections S3 clients will be required to support TLS 1.0 and above, TLS has been the standard for many years now.

    There are no changes required to be made by you with respect to the bucket, bucket properties or URLs accessing the buckets.

    This change will not impact most current, up-to-date web browsers and applications as all modern web browsers, SDK’s and API’s now support TLS 1.x.

    If you received an email from us listing effected buckets, then those buckets were accessed by at least 1 client at least 1 time using SSLv3 as the communication protocol with in the last month.

    Thanks TrueThemes!

    Glad to know it won’t be the apocalypse!

    Plugin Contributor Iain Poulson

    (@polevaultweb)

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘SSLv3 to TLS changes’ is closed to new replies.