Dear Valued Customer,
As you are probably aware, a new vulnerability code-named POODLE was published last week. Since then, there has been a lot of chatter all over the place about what to do. Disabling SSL 3.0 on web sites and browsers seems to be the common and easy answer. We highly recommend this article: http://www.troyhunt.com/2014/10/everything-you-need-to-know-about.html. It was the most informative and also the easiest to read.

Cubus applications do not have any built-in dependency on the SSL protocol. The servers that host our applications use IIS for end-user and source-server (SSO) connectivity and rely on IIS to handle the encryption. Since TLS (v.2.0) has superseded SSL (v 3.0) in recent years, IIS will use TLS by default, and will switch to SSL only if TLS is unavailable. So, in the Cubus context, all you would have to do is disable SSL on every Cubus application server that uses IIS to prevent this vulnerability from being exploited when a user connects to a Cubus application.

However, before you do so, please confirm which of the following describes your situation:

a) Situation: Your members connect to Cubus Online Banking via an https connection from a browser; then, from Cubus Online Banking, they connect (via Cubus Single Sign On) to third party applications (e.g. alerts, statements, bill pay, credit cards, etc.).

Recommendation: If you are using Cubus Online Banking, you may disable SSL on all non-Cubus OLB servers (e.g. Alerts, Deposits, Points, Loyalty, etc.) right away. However, before you disable SSL on the Cubus Online Banking Web or App Server, please confirm with all third party vendors (e.g. PFM, Bill Payer, Credit Card, Loan Origination, Account Opening, Check Image interface, e-statements, etc.) that they have disabled SSL on their servers and/or have removed any SSL dependency from their code. We are also contacting all vendors to whose applications we have a certified single sign on interface.

b) Situation: Your members connect to third party online banking applications via an https connection from a browser; these third party online banking applications (e.g. Digital Insight, Q2, Alkamitech, Jwaala, PM Systems, Ultra-Access) connect (via third party Single Sign On) to Cubus applications.

Recommendation: If you are using a Cubus app with a third party online banking vendor, please do not disable SSL on the Cubus web server until you get confirmation from your online banking vendor that they have disabled SSL on their servers and/or have removed any SSL dependency from their code.

Regards,
Cheryl Bookhammer
Vice President,
Customer Services
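
Added example, not part of the original letter and not Cubus code: one way to audit and then disable SSL 3.0 on an IIS host through the Windows Schannel registry settings that IIS relies on. The function names `Get-Ssl3State` and `Disable-Ssl3` are hypothetical; the script assumes PowerShell 3.0 or later run from an elevated prompt, and the change takes effect after a restart.

```powershell
# Added example: audit and disable SSL 3.0 in Schannel (the TLS stack IIS uses).
# Function names are hypothetical; run from an elevated PowerShell prompt.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0'

function Get-Ssl3State {
    # Report the Schannel values for inbound (Server) and outbound (Client) use.
    # A missing key or value means the operating system default applies.
    foreach ($role in 'Server', 'Client') {
        $props = Get-ItemProperty -Path (Join-Path $base $role) -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Role              = $role
            Enabled           = if ($null -ne $props.Enabled) { $props.Enabled } else { 'not set' }
            DisabledByDefault = if ($null -ne $props.DisabledByDefault) { $props.DisabledByDefault } else { 'not set' }
        }
    }
}

function Disable-Ssl3 {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 'Server' covers connections IIS accepts; 'Client' covers outbound
        # connections, so confirm vendor readiness before adding it.
        [ValidateSet('Server', 'Client')]
        [string[]]$Role = 'Server'
    )
    foreach ($r in $Role) {
        $key = Join-Path $base $r
        if ($PSCmdlet.ShouldProcess($key, 'Disable SSL 3.0')) {
            # Create the key only if absent so existing values are not wiped.
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name Enabled -Value 0 -PropertyType DWord -Force | Out-Null
            New-ItemProperty -Path $key -Name DisabledByDefault -Value 1 -PropertyType DWord -Force | Out-Null
        }
    }
}

Get-Ssl3State | Format-Table -AutoSize   # current state, before any change
Disable-Ssl3 -Role Server -WhatIf        # preview only; nothing is written
# Disable-Ssl3 -Role Server              # apply, then restart the server
```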