Last week, a vulnerability was publicly announced in the SSLv3 protocol by Google engineers. The vulnerability can make it easier for an attacker to access de-crypted sensitive data using a Man In The Middle (MITM) attack. In most situations, this is not an immediate concern because a MITM attack requires an attacker to already have a particularly high level of access to a victim’s Internet traffic such as through a compromised computer or network device. More information about this vulnerability can be found here:
- US National Vulnerability Database: CVE-2014-3566
- Google’s blog post, which contains a link to an in-depth technical paper
Fortunately, the SSLv3 protocol in this vulnerability has largely been superceded by newer TLS protocols which are NOT susceptible to this vulnerability. It is estimated that less than 1% of Internet users are using the SSLv3 protocol.
An important twist to this issue is that attackers may be able to force modern web browsers to downgrade their connection from a more secure TLS to SSLv3 protocol through the browser’s fallback compatibility. Earlier this year, the TLS_FALLBACK_SCSV mechanism was developed in order to enhance security by preventing a modern web servers and browsers from downgrading to the less secure SSLv3 protocol. However, TLS_FALLBACK_SCSV had not yet been widely implemented on web servers.
What does this mean for our customers?
For customers on our managed cloud, VPS and dedicated servers: We have patched all managed servers to include the TLS_FALLBACK_SCSV mechanism, which largely negates the impact of POODLE. For an additional level of security, we can also disable SSLv3 protocol on your server. However, disabling SSLv3 may cause problems with some users not being able to access SSL-protected services on your server (web and/or email access). Please open a support ticket if you would like us to disable SSLv3 on your server, or to discuss this issue.
For customers on our self-managed servers: We recommend implementing TLS_FALLBACK_SCSV and to also consider disabling SSLv3. For more information, see: