SSL v3 Disabled – POODLE Vulnerability
Google’s security blog released a report today of a new vulnerability in SSL v3. The full report is here, and names this POODLE, which is a descriptive acronym for “Padding Oracle On Downgraded Legacy Encryption.”
What is the Problem?
SSL v3 is an old system, superseded by TLS 1, TLS 1.1, and TLS 1.2. The vulnerability does, however, potentially affect nearly all visitors. If someone is interfering with your connection they can cause the TLS connection to fail, and your browser will fallback to older versions supported by the server. As long as the server supports SSL v3, the browser will fall all the way back to this system, which the attacker can then exploit.
Once a connection is compromised, the person in the middle can see all supposedly encrypted info as plain text, potentially taking login cookies, credit card data, etc.
What Have We Done?
To prevent against this, we have disabled SSL v3 on our webhosting servers effective immediately. This will remain in effect unless/until a patch arrives that fixes this vulnerability.
How are Clients and Visitors Impacted?
The downside to this is that very old systems, starting with Internet Explorer 6.0 on Windows XP, do not support any version of TLS. These browsers will not be able to make an https connection to our servers. This is an extremely small portion of internet users – you can check this link for a rough idea, showing usage fall from 0.1% of all users to 0.0% in July of this year.
I don’t believe there will be many complaints regarding these connections being disabled. Providers all over the world are disabling SSL v3, and soon anyone using such an old browser is unlikely to be able to browse much of the secure web.
And a Note About Perfect Forward Secrecy
To add another quick update, we have been rolling out perfect forward secrecy to systems for some time, which further improves https connections. As part of disabling SSL v3, we have finished this rollout, meaning all sites should now validate as having perfect forward secrecy enabled.
Going Forward
We will continue to monitor this situation, and may re-enable SSL v3 if an effective patch is developed for the problem. If you see any issues or complaints regarding secure connections to your site after these changes, please get in touch and we will look into it.