We are urging all customers to disable SSLv3 on hosts interacting with the Twilio service as soon as possible and upgrade to use Transport Layer Service (TLS).
Owing to many clients and servers connecting to Twilio that currently do not support TLS, we have not immediately turned off SSLv3, but are providing a mitigation path as defined below.
This path affects customer applications in two ways:
- On the REST API requests they make for outbound calls and messages
- On the webhooks made by Twilio to their applications for inbound calls and messages. Twilio is making the following adjustments to the security of these services to mitigate this vulnerability.
REST API – Outbound Calls and Messages
For customers using an official Twilio helper library and those consuming the REST API through a different HTTP client, we encourage them to mitigate this vulnerability by disabling SSLv3 on their hosts as soon as possible.
For customers negotiating with Twilio over SSLv3, we plan on discontinuing this service on 22 October 2014 at 9am PDT / 1600 UTC. Customers with clients that only support SSLv3 are encouraged to upgrade to TLS as soon as possible.
Webhooks – Inbound Calls and Messages
For customers only supporting SSLv3 for inbound HTTP requests from Twilio, we plan on discontinuing this service on 22 October 2014 at 9am PDT / 1600 UTC. Customers with applications that only support SSLv3 are encouraged to upgrade to TLS as soon as possible, as SSLv3 will be unavailable on that date.
Disabling SSLv3 For Your Platform
To assist customers disable SSLv3 for your hosts, we have found the following resources to be helpful:
Update: Scott Helme published this excellent step-by-step guide on mitigating this vulnerability on multiple platforms, web servers and clients.
Thank you for your prompt attention to this security disclosure. As always, if you have any questions about this notification or the security of your Twilio account, we encourage you to reply to this email or email email@example.com for additional assistance.