Welcome to Bottomline Customer Support
What should we do in relation to the recent ‘POODLE Security Vulnerability’ announcement?
As part of Bottomline Technology’s ongoing commitment to security, we have identified during regular security scans that a number of our clients may be vulnerable to a new security exploit related to SSL (Secure Sockets Layer). This vulnerability is commonly known as POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption. What this means is that an attacker could force an SSL connection to use an older, less secure version of the protocol (SSL v3) and compromise the encryption.
How Does This Affect Me?
Two areas are potentially affected – your web browser and your web server.
If you run a modern, up-to-date browser such as Firefox or Chrome then your browser will be able to support newer, more secure versions of encryption using a protocol called TLS (Transport Layer Security).
Internet Explorer v6 – v7 doesn’t support newer protocols, so you should update or use another web browser if possible. Internet Explorer v8 – v10 all support SSLv3 by default but do not support newer protocols by default. If you use Internet Explorer, you should speak with your IT team and ask them if you can have SSLv3 disabled and newer versions of TLS enabled. Whether this can be done may depend on what you need to connect to, such as internal applications and intranets.
Newer versions of Firefox and Chrome will disable SSLv3 by default so provided you keep them up-to-date you will not need to do anything.
You will likely have applications and websites running on web servers that you use to connect to other applications or websites via an API (Application Programming Interface). Web servers may also need to be updated or have their configuration changed to disable SSLv3, enable TLS, or both. You will need to speak with your hosting provider or IT team for advice on this.
What Should WE Do?
1. Speak with your IT team about your web browser(s) or any websites / applications that you have accessible via the internet.
a. You may need to speak with any 3rd parties that host these for you on their web servers.
b. Ask them to check your controls and protection against the 'Poodle Vulnerability'.
2. Ask your IT team / 3rd party providers to use tools such as this one to scan your websites or applications.
a. They will be able to interpret the results and make a recommendation as to what to do regarding the next steps.
3. It is important to work out what action you need to take if any. YOU may be vulnerable.
a. 3rd party providers may change their systems to disable SSLv3 with little or no notice, meaning your applications and websites may not function correctly afterwards.
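What a scan of the kind mentioned in step 2 checks at the protocol level, as an added example that is not Bottomline's code and not part of the original FAQ: it offers one of your own servers SSLv3 only and classifies the first record that comes back. The function names, the cipher suite list and the sample reply are choices made for this illustration.

```python
import socket
import struct

SSL3 = (3, 0)  # wire version 0x0300; TLS 1.0/1.1/1.2 are (3,1)/(3,2)/(3,3)
NAMES = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}

def ssl3_client_hello():
    """Build a ClientHello that offers SSLv3 only (no extensions)."""
    suites = struct.pack("!4H", 0x002F, 0x0035, 0x000A, 0x0005)
    body = (bytes(SSL3) + bytes(32)             # client_version, random (zeros suffice for a probe)
            + b"\x00"                           # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                      # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body    # handshake type 1 = ClientHello
    return b"\x16" + bytes(SSL3) + struct.pack("!H", len(hs)) + hs

def classify_reply(data):
    """Return (verdict, detail) for the first record a server sends back."""
    if len(data) < 5:
        return ("no-answer", "connection closed or short read")
    ctype, length = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if ctype == 0x15 and len(payload) >= 2:      # alert record: level, description
        return ("rejected", "alert %d" % payload[1])
    if ctype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:   # ServerHello
        version = (payload[4], payload[5])       # server_version follows the 4-byte header
        name = NAMES.get(version, "unknown %r" % (version,))
        return ("sslv3-accepted" if version == SSL3 else "negotiated-other", name)
    return ("unexpected", "record type %d" % ctype)

def probe(host, port=443, timeout=5.0):
    """Send the SSLv3-only hello to one server and classify its answer."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(ssl3_client_hello())
            return classify_reply(sock.recv(4096))
    except OSError as exc:                       # refused, reset or timed out
        return ("no-answer", str(exc))

# Constructed sample: a fatal handshake_failure alert (description 40), the kind
# of reply a server with SSLv3 disabled may send.
SAMPLE_REFUSAL = bytes.fromhex("15030000020228")

if __name__ == "__main__":
    print(classify_reply(SAMPLE_REFUSAL))
```

A verdict of `sslv3-accepted` means SSLv3 is still enabled on that server; `rejected` or `no-answer` means the SSLv3-only offer was turned down.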
What Is Bottomline Doing?
Bottomline proactively takes steps to mitigate any threats to its infrastructure and applications as we become aware of them. To this end, we will ensure that any system that currently runs SSLv3 has it disabled by the end of the day on the 31st October 2014.
TLS v1.0, 1.1 and 1.2 will be enabled for connectivity.
This is to ensure both the highest level of security and interoperability for all our clients and the applications that we run and host on their behalf.