About the “POODLE” SSL security bug

Internet security researchers recently announced an SSL security bug nicknamed POODLE that affects SSL version 3 (“SSLv3”) connections.

The POODLE bug sounds similar to the Heartbleed SSL bug (which is probably why it’s getting so much press), but we should mention that it’s less of a risk: For POODLE to cause a security problem, someone would need to be able to intercept website traffic between a visitor’s older web browser and a secure site to start with — i.e., an attacker would need to have first “tapped” the network traffic to the affected site. That’s not impossible, and is certainly a particular concern for large sites, but it’s a relatively low risk for most sites. This isn’t the first “man-in-the-middle” SSL bug, and probably won’t be the last.

In any case, the impact of this bug is minimized because our servers support something called “TLS_FALLBACK_SCSV”. This prevents the attack with current versions of the Google Chrome browser, even if someone is intercepting all your network traffic. It will also prevent it with forthcoming versions of other major browsers like Firefox.

To completely avoid all risk with older browsers, SSLv3 would need to be disabled. But doing that would prevent anyone with an old browser like Microsoft Internet Explorer 6 from connecting to any SSL customer sites we host, causing connection errors for some visitors. This compatibility issue is why major sites like Google haven’t yet disabled SSLv3, even though Google discovered the bug.

If large sites start disabling SSLv3, we’ll probably do the same, but otherwise, our support for TLS_FALLBACK_SCSV makes sure that using modern browsers offers protection.

Update May 5, 2015: Our customers can now disable SSLv3 on their site using our “My Account” control panel if they wish.