Pardot’s Response to SSL POODLE Vulnerability

On Tuesday, October 14th, Google announced the discovery of an SSL vulnerability present in an older variant of the SSL protocol, version 3 (SSLv3).

To mitigate this recently disclosed vulnerability, we are disabling SSLv3 across the entire Pardot service platform, effective immediately. This step is in line with earlier efforts to mitigate BEAST and Heartbleed, two of the most critical SSL vulnerabilities identified over the past 18 months.

Pardot is not the only provider taking this step. Google and Mozilla have announced that they will remove SSLv3 support from future versions of their browsers within the next several weeks. Other major online service providers are in the process of disabling support for it or have already done so.

The most impacted population of users will be those running Internet Explorer 6 (IE6), who will no longer be able to access SSL/TLS sites that have disabled support for SSLv3.  We recommend that any users within your organization using Internet Explorer upgrade to version 8.0 or later.

In addition to disabling SSLv3, next week Pardot will deploy new SSL certificates that no longer use the known-weak SHA-1 algorithm and instead use the trusted SHA-256 algorithm. This change will have no impact on current browsers (including Internet Explorer 6.0 and newer).