Dropping support for SSLv3 on 10/17/14
Incident Report for mailgun
Resolved
We've dropped support for SSLv3 for both the Control Panel and our API endpoints. This successfully mitigates the POODLE attack [1].

If you are having trouble logging into the Control Panel or hitting Mailgun API endpoints, please submit a ticket and we can investigate the specific issue affecting you further.

[1] https://www.openssl.org/~bodo/ssl-poodle.pdf
Posted almost 5 years ago. Oct 17, 2014 - 14:12 PDT
Identified
Due to the recently announced POODLE security vulnerability [1], Mailgun will be dropping support for SSLv3 for both the Control Panel as well as our API endpoints (api.mailgun.net and smtp.mailgun.org) this Friday October 17, 2014.

While we understand this is a very aggressive timeline, we are doing this to ensure the security and confidentiality of communication between our customers and Mailgun. POODLE is a serious security vulnerability that can allow an attacker to decrypt encrypted communication and we recommend all customers review and patch their infrastructure accordingly. [2]

We are monitoring our logs and will notify as many customers as we can that are still using SSLv3 as soon as possible. Look for that communication soon.

While we have no evidence that any API key, SMTP credential, or Control Panel password has been compromised, we recommend all Mailgun customers cycle the aforementioned credentials after we have dropped SSLv3 support on Friday.

We will keep you posted.

[1] https://www.openssl.org/~bodo/ssl-poodle.pdf
[2] http://security.stackexchange.com/questions/70719/ssl3-poodle-vulnerability
Posted almost 5 years ago. Oct 15, 2014 - 16:35 PDT