Response to POODLE SSLv3 Vulnerability and Discontinuation of IE6 Support

As a result of the POODLE SSLv3 vulnerability, Pusher has removed support for IE6.

Introduction

At Pusher we take pride in shielding our users from the complexity of operating realtime infrastructure at scale. This has led us to invest considerable time and engineering effort in support for a very long tail of client browser technologies. Until recently, we officially supported the full realtime experience for IE6. However in light of the recent vulnerabilities reported in SSLv3, we are unable to accommodate this ageing platform any longer.

This wasn’t a rash decision and it involved a lot of consideration about what this would mean for our customers. We took a long hard look into data from our internal metrics and they told us everything we needed to know; IE6 had to go. For clarity, we found that the percentage of connections originating from IE6 in a recent 24-hour period was 0.000728%, or about 1 IE6 connection in every 137,000 connections. That’s a tiny number even at the scale we work at!

Our realtime endpoints will soon reject SSLv3 connections and require a minimum of TLS1.0, something which IE6 does not support. We’ll be implementing these changes over the coming days.

Have a question about POODLE, Pusher or our decision around IE6? Get in touch with our support team so we can help.