Is your browser Poodle-proof?
On 14 October 2014, Google published the details of an old vulnerability in the design of SSL 3.0 that could allow a man-in-the-middle attacker to read supposedly secure communication in plain text. Although SSL 3.0 is nearly 15 years old, browsers still use it as a fallback when a newer TLS handshake fails.
As a result of the vulnerability, new versions of browsers will probably stop supporting SSL 3.0 in the near future. In the meantime, disabling SSL 3.0 support on the webserver immediately removes the exposure, but it may cause problems with some older browsers that cannot negotiate anything newer.
Would your browser be affected?
If the second image shows up red, your current browser would have trouble visiting sites without SSL 3.0 support.
(This test has since been removed.)
What are we doing for our customers?
At the moment, we’re deciding which course of action is best for our customers. We’re inventorying and testing the implications of changing SSL configurations on different servers and platforms. When connecting to an SSL website, an SSL negotiation takes place between the browser (or other client application) and the webserver (or other front-end service). Because of the nature of that negotiation and the number of different client and server combinations involved, it’s difficult to predict the exact impact of a configuration change. We could, of course, simply disable SSL 3.0 on all servers. We want to make sure, however, that the impact on our customers (and theirs) is as small as possible and causes no unpleasant side effects, which is why we’re not making rash decisions or configuration changes.
Our colleague Nick wrote an article on how to disable SSL 3.0 in Apache and Nginx.
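As an added illustration (not code from this article or from Nick’s), the script below shows the weak and the corrected protocol directives for Apache and Nginx side by side and audits configuration text for SSL 3.0 exposure, offline. It mirrors mod_ssl’s token handling for `SSLProtocol`, where a bare protocol name replaces what was set before while `+` and `-` add or remove, so that `SSLProtocol all -SSLv3` is the reliable way to drop SSL 3.0. The expansion of Apache’s `all` keyword, the Nginx default applied when `ssl_protocols` is absent, and all sample directives are assumptions constructed for the example.

```python
"""Audit Apache and Nginx protocol directives for SSL 3.0 exposure.

Added example, not code from the article or the hosting provider.
It works on configuration text only; no network access is needed.
"""
import re

# Assumption: the protocols Apache 2.4's "all" keyword expands to with
# OpenSSL 1.0.1 (Apache 2.2 adds SSLv2). Every mod_ssl release of the
# POODLE era includes SSLv3 in "all", the only membership this check needs.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

# Assumption: nginx's built-in default (before 1.9.1) when ssl_protocols is
# absent, i.e. SSLv3 stays enabled unless the directive says otherwise.
NGINX_DEFAULT = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}


def _strip_comment(line: str) -> str:
    """Drop a trailing '#' comment and surrounding whitespace."""
    return line.split("#", 1)[0].strip()


def apache_enabled_protocols(config_text: str) -> set:
    """Protocols left enabled by the last SSLProtocol directive in config_text.

    Mirrors mod_ssl's token handling: '+X' adds, '-X' removes, and a bare
    token REPLACES everything set so far. That is why
    'SSLProtocol SSLv3 TLSv1' ends with only TLSv1 enabled, and why
    'SSLProtocol all -SSLv3' is the idiomatic way to drop SSL 3.0.
    With no directive at all, mod_ssl behaves as if 'all' were given.
    """
    enabled = set(APACHE_ALL)
    for raw in config_text.splitlines():
        m = re.match(r"SSLProtocol\s+(.+)$", _strip_comment(raw), re.IGNORECASE)
        if not m:
            continue
        enabled = set()
        for tok in m.group(1).split():
            action = tok[0] if tok[0] in "+-" else ""
            name = tok.lstrip("+-").lower()
            group = set(APACHE_ALL) if name == "all" else {name}
            if action == "-":
                enabled -= group
            elif action == "+":
                enabled |= group
            else:
                enabled = group  # bare token: replace, not add
    return enabled


def nginx_enabled_protocols(config_text: str) -> set:
    """Protocols enabled by the last ssl_protocols directive, else the default."""
    enabled = set(NGINX_DEFAULT)
    for raw in config_text.splitlines():
        m = re.match(r"ssl_protocols\s+([^;]+);", _strip_comment(raw))
        if m:
            enabled = {p.lower() for p in m.group(1).split()}
    return enabled


def sslv3_enabled(server: str, config_text: str) -> bool:
    """True if the given server type's configuration still offers SSL 3.0."""
    parse = {"apache": apache_enabled_protocols,
             "nginx": nginx_enabled_protocols}[server]
    return "sslv3" in parse(config_text)


# Constructed sample directives: the weak setting beside the corrected one.
SAMPLES = {
    "apache weak":  ("apache", "SSLEngine on\nSSLProtocol all -SSLv2\n"),
    "apache fixed": ("apache", "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"),
    "nginx weak":   ("nginx", "ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n"),
    "nginx fixed":  ("nginx", "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n"),
}

if __name__ == "__main__":
    for label, (server, text) in SAMPLES.items():
        verdict = "SSLv3 still enabled" if sslv3_enabled(server, text) else "SSLv3 disabled"
        print(f"{label:13s} {verdict}")
```

Once a change is deployed, the configuration check should be confirmed against the live server; on OpenSSL builds compiled with SSL 3.0 support, `openssl s_client -connect host:443 -ssl3` should then fail to complete a handshake.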
Relevant news and updates will be posted on this page.
Update 16 October
We’re updating our shared hosting platforms tomorrow morning. A list of operating systems and webserver configurations for updating dedicated servers and platforms is being finalized.
Update 17 October
Most updates to servers have been scheduled. We’re informing our customers directly about the date and time.