API: SSLv3 Support Disabled

Note: This announcement is only about the rarely-used version 3 of the SSL protocol. We continue to support (and in most cases require) SSL using more modern and secure TLS protocols. For most users and developers, this will not require any changes on your part.

Effective October 15, 2014, Pushover’s API, main website, Desktop client, and receipt callback service have disabled support for version 3 of the SSL protocol (only this version) due to the recently announced “POODLE” attack which can theoretically allow an attacker to retrieve the plaintext of a secure connection between you and an SSL server, such as Pushover. Pushover’s servers continue to support TLSv1, TLSv1.1, and TLSv1.2 for SSL connections.

This urgent change has also been adopted by companies like Google and Twitter, as well as browser vendors like Mozilla. We urge customers to update their systems and browsers to disable SSL v3 support.

While most modern libraries and systems do not prefer SSL v3 for SSL connections and should not require any changes, there may be some very old systems that do not support newer TLS protocols and are no longer able to connect to our API. Since this change to remove SSL v3 support is not limited to Pushover’s servers and is being widely adopted in the industry, customers with legacy systems should contact their software vendors to ask about updates to SSL libraries as this security vulnerability will probably affect a large number of systems and services.