On October 14th a vulnerability known as POODLE (CVE-2014-3566) in SSL v3.0 was disclosed which makes it easier for a man-in-the-middle attacker to extract data from a secure HTTP connection. POODLE, while overall a medium to low-risk vulnerability, is still a significant issue and as a result, Avalara is working to end its support for SSL v3.0 by January 30, 2015. Disabling SSLv3 will fully address this issue.
Q: What is the potential impact to customers?
A: Any customer still forcing the use of SSLv3 after January 30, 2015 will no longer be able to access Avalara Systems.
Q: When will this change take place?
A: Friday, January 30, 2015
Q: What is the preferred encryption protocol for connecting to Avalara Systems?
A: While TLS 1.0 is supported, Avalara's preferred encryption protocol is TLS 1.2.
Q: What actions do customers need to take?
A: To keep access to Avalara services, customers must ensure that their integration with Avalara uses TLS 1.2. The following are recommendations to mitigate this issue:
- Update the systems which interact with Avalara Services to use TLS 1.2 in lieu of SSL v3.0. All modern operating systems and browsers are capable of using TLS 1.2 as an encryption protocol, and the configuration change to support this should be transparent. Some older browsers support TLS encryption but do not enable it by default.
- To minimize the risk associated with the migration to TLS 1.2, it may be possible to set a preferred encryption protocol order, starting with TLS 1.2, then SSL v3.0. This may allow you to further mitigate the risk associated with the transition by letting you test TLS 1.2 without causing a service interruption should any issue occur.
- Reference the technical documentation for the operating systems, web servers, application servers, and web browsers interacting with Avalara systems to establish a plan for moving to TLS 1.2.
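The recommendations above boil down to one client-side change: stop offering SSL v3.0 and negotiate TLS 1.2. As an added example (not Avalara's own code or configuration), the following Python script builds a client TLS context pinned to TLS 1.2 or newer, shows the permissive "before" configuration beside it, and probes an endpoint to report which protocol was actually negotiated. The host name avatax.example.invalid is a placeholder; substitute the TLS-only test URL Avalara provides.

```python
import socket
import ssl

# Placeholder endpoint; the real TLS-only test URL comes from Avalara, not from this example.
ENDPOINT_HOST = "avatax.example.invalid"
ENDPOINT_PORT = 443


def build_permissive_context() -> ssl.SSLContext:
    """The 'before' configuration: accept whatever the library and server agree on.

    On an old TLS library this can still fall back to SSL v3.0, the protocol
    affected by POODLE. Shown only for comparison with the hardened context.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def build_tls12_client_context() -> ssl.SSLContext:
    """Client context that can only negotiate TLS 1.2 or newer.

    SSL v3.0, TLS 1.0 and TLS 1.1 are all refused, so a handshake with a server
    that offers nothing better fails loudly instead of silently downgrading.
    Certificate and hostname verification stay enabled (create_default_context).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_rejects_legacy(ctx: ssl.SSLContext) -> bool:
    """Report whether a context refuses SSL v3.0 and anything older than TLS 1.2."""
    # TLSVersion is an IntEnum, so protocol versions compare in release order.
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def negotiated_protocol(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect with the hardened context and return the negotiated protocol name.

    Returns e.g. 'TLSv1.2' or 'TLSv1.3'. If the server can only speak SSL v3.0
    or TLS 1.0/1.1, the handshake raises ssl.SSLError, which is exactly the
    signal an integration test should surface before the cut-over date.
    """
    ctx = build_tls12_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    print("permissive context rejects legacy:", context_rejects_legacy(build_permissive_context()))
    print("hardened context rejects legacy:  ", context_rejects_legacy(build_tls12_client_context()))
    try:
        print("negotiated with", ENDPOINT_HOST + ":", negotiated_protocol(ENDPOINT_HOST, ENDPOINT_PORT))
    except (OSError, ssl.SSLError) as exc:
        print("handshake failed:", exc)
```

Python's ssl module always negotiates the highest version both sides support, so the "TLS 1.2 first, then SSL v3.0" ordering mentioned above maps onto the minimum_version setting rather than an explicit list: lowering it is the fallback, raising it to TLSv1_2 is the cut-over. Running the probe against the TLS-only test instance before January 30 tells you whether your client library and its underlying TLS stack can complete a TLS 1.2 handshake at all.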
Q: How can I test my integration before the cut over date?
A: Avalara has set up two test URLs that allow you to point to a TLS-only instance of the AvaTax web service. They are:
Q: What should I do if I am experiencing issues after January 30, 2015?
A: Contact Avalara Support.