As a follow-up to our previous security notification in November, VWR will be moving to Transport Layer Security (TLS) as of March 28, 2015. As of this date, Secure Sockets Layer (SSL) will no longer be supported. Please update your browsers and backend systems so they can support TLS 1.0, 1.1, and 1.2. This decision was made in order to ensure a more secure ecommerce environment, given the publicly disclosed vulnerability in SSL v3 (nicknamed Poodle).
Failure to make these changes prior to March 28, 2015 may result in a disruption of service for your punchout catalog or your backend EDI/XML transactions. Please note that, as part of this change, support for the Internet Explorer version 6.X browser will no longer be provided.
Steps you can take:
For browsers on end user systems, please update to the current version of your browser.
For backend systems that connect to VWR via an automated process, please ask your IS team to review the client-side configuration settings for TLS connections. The link below will provide a list of methods to disable SSL.
If you have technical questions, please contact us as soon as possible.
VWR B2B Support & Security Team
Dear Valued Customer,
Due to a publicly disclosed vulnerability in SSL v3 (nicknamed Poodle), VWR will be discontinuing support for the SSL v3 protocol on a date (to be determined) within the near future. SSLv3 is largely obsolete, but it is important for any organizations still using this protocol to be aware of a security flaw that was revealed on October 14th by the Google Security team. A detailed summary of this vulnerability is available via the following links: https://www.openssl.org/~bodo/ssl-poodle.pdf and https://blogs.akamai.com/2014/10/ssl-is-dead-long-live-tls.html.
This vulnerability does not impact TLS, which is the recommended protocol that is already supported by VWR systems. Our VWR b2b punchout site supports TLS (up to version 1.2) and our b2b gateway for backend EDI/XML transactions supports TLS version 1.0 currently.
Please consult with your IS or Security teams to confirm that your servers are set up to only use the TLS protocol and that SSLv3 is disabled immediately. The best approach is for your technical team to enable this change at the server level as this will fully mitigate the existing security risk and help to ensure a smooth transition for all users. To disable SSLv3 at a client-side browser level, please see more information via this published link: http://tweaks.com/windows/67027/how-to-protect-ie-chrome-and-firefox-from-the-poodle-ssl-v3-exploit/
If your technical team does not implement a plan to migrate to a TLS protocol, then your punchout & other integrated ordering connections will not work once SSLv3 support is disabled on a planned date within the near future. This issue may impact all of your b2b supplier connections if it is not addressed in a timely fashion.
We will publish another communication in the near future to provide the exact date that VWR will fully disable support for SSLv3. If you have technical questions, please contact us as soon as possible.
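The following is an added example, not VWR's own code: one way an IS team could carry out the client-side review both notices ask for, here for a backend client written in Python with the standard `ssl` module. It reports whether SSLv3 is still permitted and whether any permitted version overlaps TLS 1.0 to 1.2; the function names are assumptions, and the check reads configuration only, so the local OpenSSL build or system policy may narrow what is actually negotiated.

```python
import ssl

V = ssl.TLSVersion
# (protocol version, OP_NO_* option that switches it off), oldest first.
KNOWN = [
    (V.SSLv3, ssl.OP_NO_SSLv3),
    (V.TLSv1, ssl.OP_NO_TLSv1),
    (V.TLSv1_1, ssl.OP_NO_TLSv1_1),
    (V.TLSv1_2, ssl.OP_NO_TLSv1_2),
    (V.TLSv1_3, ssl.OP_NO_TLSv1_3),
]
# Versions the notice asks clients to support after March 28, 2015.
SERVER_ACCEPTS = {V.TLSv1, V.TLSv1_1, V.TLSv1_2}


def enabled_versions(minimum, maximum, options):
    """Return the set of protocol versions a client configuration permits."""
    enabled = set()
    for version, off_flag in KNOWN:
        if options & off_flag:
            continue  # explicitly disabled through an OP_NO_* option
        if minimum != V.MINIMUM_SUPPORTED and version < minimum:
            continue  # below the configured floor
        if maximum != V.MAXIMUM_SUPPORTED and version > maximum:
            continue  # above the configured ceiling
        enabled.add(version)
    return enabled


def audit(minimum, maximum, options):
    """Summarise a client configuration against the announced server policy."""
    enabled = enabled_versions(minimum, maximum, options)
    usable = enabled & SERVER_ACCEPTS
    return {
        "sslv3_enabled": V.SSLv3 in enabled,    # should be False
        "usable": sorted(v.name for v in usable),
        "will_connect": bool(usable),           # False means a service disruption
    }


def audit_context(ctx):
    """Audit a live ssl.SSLContext used by a backend client."""
    return audit(ctx.minimum_version, ctx.maximum_version, ctx.options)


if __name__ == "__main__":
    print(audit_context(ssl.create_default_context()))
```

A result with `will_connect` false corresponds to the disruption the notice warns about; `sslv3_enabled` true means the client still permits SSLv3 and should be reconfigured even if it connects today.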