Poodle SSL Exploit

Yesterday, Google published a post that exposes a vulnerability in the design of SSL version 3.0. This flaw is similar to the Heartbleed bug exploited earlier this year but not nearly as serious.


It’s called POODLE (Padding Oracle On Downgraded Legacy Encryption). It exploits a vulnerability in one of the Internet’s security protocols (SSL, more commonly seen as https in your browser) and could potentially give an attacker access to sensitive information.

In order to protect our users from the POODLE vulnerability in SSL, we have disabled support for SSLv3 across our entire platform.

You don’t need to take any action regarding our site or services. This change will prevent attackers from exploiting the vulnerability and keep SSL sessions secure.

The downside to this is that very old systems, starting with Internet Explorer 6.0 on Windows XP, do not support any version of TLS. These browsers will not be able to make an HTTPS connection through our servers.

This is an extremely small portion of Internet users (less than 0.1% of all users), and these users should consider installing a modern browser such as Mozilla Firefox or Google Chrome.

Both browsers support newer SSL standards and are not impacted by this change.