Is your browser Poodle-proof?


15 October 2014 by in Security

On 14 October 2014, Google published the details of an old vulnerability in the design of SSL 3.0 that could allow secure communication to be intercepted in plain text by means of a man-in-the-middle attack. Although SSL 3.0 is nearly 15 years old, it’s still used by browsers in SSL fallback methods.

More information can be found on Google's security blog and The Register.

As a result of the vulnerability, new versions of browsers will probably stop supporting SSL 3.0 in the near future. In the meantime, disabling SSL 3.0 support on the webserver immediately removes the exposure, but it may cause connection problems for some older browsers.

Would your browser be affected?

The test below tells you whether the browser you’re using now would be affected by the removal of server-side SSL 3.0 support (you’ll need to have JavaScript enabled). In other words, it tells you whether your browser still has SSL 3.0 enabled but has no support for the newer TLS protocol.

If the second image shows up red, your current browser would have trouble visiting sites without SSL 3.0 support.

(This test has since been removed.)

What are we doing for our customers?

At the moment, we’re deciding which course of action is best for our customers. We’re inventorying and testing the implications of changing SSL configurations on different servers and platforms. When connecting to an SSL website, an SSL negotiation takes place between the browser (or other client application) and the webserver (or other front-end service). Because of the nature of that negotiation and the number of different possibilities when establishing the connection, it’s difficult to predict the exact impact of configuration changes. We could, of course, simply disable SSL 3.0 on all servers. We want to make sure, however, that the impact on our customers (and theirs) is as small as possible and causes no unpleasant side effects, which is why we’re not making rash decisions or configuration changes.

Our colleague Nick wrote an article on how to disable SSL 3.0 in Apache and Nginx.
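Once SSL 3.0 has been disabled on a server, it is worth confirming that the change actually took effect. The script below, an added example that is not code from this post or from the linked article, sends a bare SSL 3.0 ClientHello to a host you operate and reports whether the server answers with an SSL 3.0 ServerHello (still enabled) or with an alert or a closed connection (disabled). The host name and the short cipher-suite list are assumptions chosen for the example.

```python
import os
import socket
import struct

SSLV3 = b"\x03\x00"          # protocol version bytes for SSL 3.0
HANDSHAKE, ALERT = 0x16, 0x15  # record content types
# Cipher suites an SSL 3.0 server commonly offered (RSA key exchange); assumed list.
SSLV3_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]


def build_sslv3_client_hello(suites=SSLV3_SUITES, random_bytes=None):
    """Return one SSL 3.0 record carrying a ClientHello (SSL 3.0 has no extensions)."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    assert len(rnd) == 32
    body = SSLV3 + rnd + b"\x00"  # client_version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"  # one compression method: null
    # Handshake header: type 1 (ClientHello) plus a 3-byte body length.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return bytes([HANDSHAKE]) + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the first record the server sends back to a verdict string."""
    if len(data) < 5:
        return "no-response"  # socket closed or nothing usable received
    ctype = data[0]
    # ServerHello: handshake record, handshake type 2, server_version 3.0
    if ctype == HANDSHAKE and len(data) >= 11 and data[5] == 0x02 and data[9:11] == SSLV3:
        return "sslv3-accepted"
    # Alert record: level at data[5], description at data[6] (e.g. 40 handshake_failure, 70 protocol_version)
    if ctype == ALERT and len(data) >= 7:
        return "sslv3-rejected(alert %d)" % data[6]
    return "unexpected"


def probe_sslv3(host, port=443, timeout=5.0):
    """Connect to a server you administer and report whether SSL 3.0 is still negotiable."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        try:
            s.sendall(build_sslv3_client_hello())
            return classify_response(s.recv(4096))
        except (ConnectionResetError, socket.timeout):
            return "no-response"


if __name__ == "__main__":
    # "www.example.com" is a placeholder; point this at your own server.
    print(probe_sslv3("www.example.com"))
```

A verdict of "sslv3-accepted" means the server still completes an SSL 3.0 handshake and the configuration change has not taken effect on that host and port.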

Relevant news and updates will be posted on this page.

Update 16 October
We’re updating our shared hosting platforms tomorrow morning. A final list of operating systems and webserver configurations is being drawn up for updating dedicated servers and platforms.

Update 17 October
Most updates to servers have been scheduled. We’re informing our customers directly about the date and time.
