SSLv3 'POODLE' CVE-2014-3566

We have taken action due to the discovery of the SSLv3 'POODLE' vulnerability (CVE-2014-3566).

Security researchers have been working overtime lately and have discovered a new vulnerability (known as ‘POODLE’) in SSL. This time, it is with the SSLv3 protocol, and the flaw has led the community to conclude that SSLv3 is effectively broken and must be disabled. SSLv3 is a relatively old protocol (about 18 years old) and has been superseded by newer protocols (TLS) over the years. TLS is supported by all modern browsers.

Google have announced that they will remove all support for the SSLv3 protocol from their Chrome browsers and the people at Mozilla Firefox have followed suit. Apple and Microsoft are sure to follow.

All server operators, including us, have been asked to disable SSLv3, which we have done. This change was effective immediately with no prior notice given due to the nature of the exploit.

This means that IE6 will most likely no longer be able to access any SSL-enabled sites that we host, or the vast majority on the internet, from today, and consequently IE6 is not supported at all on IE6 is ancient in web terms and a lot has been changed by Microsoft between IE6 and IE11. You should not be running IE6 - please upgrade immediately to a modern browser.

It also means that and API applications may break if your code forces connections to the SSLv3 protocol (which you shouldn’t be doing). If your API connectivity is broken this morning, examine your connection code and make sure you are not forcing the protocol to SSLv3. Auto-negotiate the protocol or use TLS instead.
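One way to examine client code for a forced SSLv3 setting, as an added example that is not part of the original post: the script below flags common constructs that pin a connection to SSLv3 and builds a Python client context that auto-negotiates instead. The sample snippets and the api.example.test host are constructed for illustration, and the pattern list covers a few common client stacks rather than every one.

```python
import re
import ssl

# Constructs that pin a client connection to SSLv3 in common API client stacks.
FORCED_SSLV3 = [
    ("Python ssl", re.compile(r"\bPROTOCOL_SSLv3\b")),
    ("libcurl / PHP cURL",
     re.compile(r"\bCURL_SSLVERSION_SSLv3\b|\bCURLOPT_SSLVERSION\s*,\s*3\b")),
    ("curl command line", re.compile(r"\bcurl\b.*\s(?:--sslv3|-3)(?=\s|$)")),
    ("OpenSSL C API", re.compile(r"\bSSLv3_(?:client_)?method\b")),
    ("Java JSSE", re.compile(r'getInstance\(\s*"SSLv3"\s*\)')),
    (".NET", re.compile(r"\bSecurityProtocolType\.Ssl3\b")),
]

def find_forced_sslv3(source):
    """Return (line_number, stack) for every line that forces SSLv3."""
    findings = []
    for number, line in enumerate(source.splitlines(), start=1):
        for stack, pattern in FORCED_SSLV3:
            if pattern.search(line):
                findings.append((number, stack))
                break  # one finding per line is enough
    return findings

def negotiating_context():
    """Client context that lets both sides negotiate the best shared TLS version."""
    return ssl.create_default_context()

def refuses_sslv3(context):
    """True if SSLv3 is switched off on this context."""
    return bool(context.options & ssl.OP_NO_SSLv3)

# Constructed sample: lines 4 and 5 are acceptable, the rest force SSLv3.
SAMPLE = '''\
ctx = ssl.SSLContext(ssl.PROTOCOL_SSLv3)
curl_setopt($ch, CURLOPT_SSLVERSION, 3);
curl --sslv3 https://api.example.test/v1/ping
ctx = ssl.create_default_context()
curl_setopt($ch, CURLOPT_SSLVERSION, CURL_SSLVERSION_TLSv1);
SSLContext sc = SSLContext.getInstance("SSLv3");
ServicePointManager.SecurityProtocol = SecurityProtocolType.Ssl3;
'''

if __name__ == "__main__":
    for number, stack in find_forced_sslv3(SAMPLE):
        print(f"line {number}: forces SSLv3 ({stack})")
    print("negotiating context refuses SSLv3:", refuses_sslv3(negotiating_context()))
```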

As always, our team will work to keep you safe.

by Craig Sullivan

16 Oct 2014