Lightning Base

SSL v3 Disabled – POODLE Vulnerability

Wednesday, October 15th, 2014 / Posted in: Security / By: Chris Piepho

Google’s security blog released a report today of a new vulnerability in SSL v3. The full report is here, and names this POODLE, which is a descriptive acronym for “Padding Oracle On Downgraded Legacy Encryption.”

What is the Problem?

SSL v3 is an old protocol, superseded by TLS 1, TLS 1.1, and TLS 1.2. The vulnerability does, however, potentially affect nearly all visitors. If someone is interfering with your connection, they can cause the TLS connection to fail, and your browser will fall back to older protocol versions supported by the server. As long as the server supports SSL v3, the browser will fall all the way back to it, and the attacker can then exploit it.

Once a connection is compromised, the person in the middle can see all supposedly encrypted info as plain text, potentially taking login cookies, credit card data, etc.

What Have We Done?

To protect against this, we have disabled SSL v3 on our web hosting servers, effective immediately. This will remain in effect unless/until a patch arrives that fixes this vulnerability.

How are Clients and Visitors Impacted?

The downside to this is that very old systems, starting with Internet Explorer 6.0 on Windows XP, do not support any version of TLS. These browsers will not be able to make an https connection to our servers. This is an extremely small portion of internet users – you can check this link for a rough idea, showing usage fall from 0.1% of all users to 0.0% in July of this year.

I don’t believe there will be many complaints regarding these connections being disabled. Providers all over the world are disabling SSL v3, and soon anyone using such an old browser is unlikely to be able to browse much of the secure web.
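The fallback behaviour, the effect of disabling SSL v3 on the server, and the impact on very old browsers can be seen together in a small model. This is an added example, not code from Lightning Base; it is a simplified simulation of version fallback rather than a real TLS handshake, and all names in it are hypothetical.

```python
# Simplified model of browser protocol fallback (added example; hypothetical names).
VERSIONS = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"]  # oldest to newest

TLS_ONLY = {"TLSv1.0", "TLSv1.1", "TLSv1.2"}
SERVER_BEFORE = {"SSLv3"} | TLS_ONLY   # SSL v3 still enabled
SERVER_AFTER = set(TLS_ONLY)           # SSL v3 disabled, as described in the post
MODERN_BROWSER = {"SSLv3"} | TLS_ONLY
IE6_ON_XP = {"SSLv3"}                  # per the post: no TLS support at all


def connect(client, server, interference=False):
    """Return the protocol version the connection ends up on, or None.

    The client tries its newest version first and retries with the next
    older one after each failure. `interference` models someone on the
    network path making every TLS attempt fail, as the post describes.
    """
    for version in sorted(client, key=VERSIONS.index, reverse=True):
        if version not in server:
            continue  # server refuses this version, client falls back
        if interference and version != "SSLv3":
            continue  # attempt broken in transit, client falls back
        return version
    return None  # nothing left to fall back to: no connection


def scenarios():
    """Outcome of each case discussed in the post."""
    return {
        "normal, SSLv3 enabled": connect(MODERN_BROWSER, SERVER_BEFORE),
        "interference, SSLv3 enabled": connect(MODERN_BROWSER, SERVER_BEFORE, True),
        "interference, SSLv3 disabled": connect(MODERN_BROWSER, SERVER_AFTER, True),
        "normal, SSLv3 disabled": connect(MODERN_BROWSER, SERVER_AFTER),
        "IE6 on XP, SSLv3 disabled": connect(IE6_ON_XP, SERVER_AFTER),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:32} -> {result or 'connection fails'}")
```

With SSL v3 disabled, interference can still make a connection fail, but it can no longer push the connection onto SSL v3; the only clients that lose access are those that support nothing newer.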

And a Note About Perfect Forward Secrecy

To add another quick update, we have been rolling out perfect forward secrecy to systems for some time, which further improves https connections. As part of disabling SSL v3, we have finished this rollout, meaning all sites should now validate as having perfect forward secrecy enabled.

Going Forward

We will continue to monitor this situation, and may re-enable SSL v3 if an effective patch is developed for the problem. If you see any issues or complaints regarding secure connections to your site after these changes, please get in touch and we will look into it.



Author: Chris Piepho

Chris is the founder of Lightning Base. You'll find him all over the place around here: writing on this blog, providing customer service, and handling whatever else needs to be done. You can reach him easily by filling out our contact form and addressing your message to Chris.
