Infrastructure

Poodle SSL Exploit

Yesterday, Google published a post that exposes a vulnerability in the design of SSL version 3.0. This flaw is similar to the Heartbleed bug exploited earlier this year but not nearly as serious.


(Photo : greg westfall | Creative Commons)

It’s called POODLE (Padding Oracle On Downgraded Legacy Encryption). It exploits a weakness in one of the Internet’s security protocols (SSL, which most people know as the https in their browser’s address bar) and could potentially give an attacker access to sensitive information.

In order to protect our users from the POODLE vulnerability in SSL, we have disabled support for SSLv3 across our entire platform.

You don’t need to take any action regarding our site or services. This change will prevent attackers from exploiting the vulnerability and keep SSL sessions secure.

The downside is that very old systems, starting with Internet Explorer 6.0 on Windows XP, do not support any version of TLS. These browsers will no longer be able to make an HTTPS connection to our servers.

This is an extremely small portion of Internet users (less than 0.1% of all users), and these users should consider installing a modern browser such as Mozilla Firefox or Google Chrome.

Both browsers support newer SSL standards and are not impacted by this change.
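As an added example (not OneAll’s code), here is a small Python parser that reads the protocol version a client advertises in its ClientHello. It is the measurement an operator would run over captured handshakes before switching SSLv3 off, to size the legacy share the post puts at under 0.1%. The record layout follows the SSLv3/TLS specifications; the sample hellos are constructed for the example, and no OneAll traffic or infrastructure details are assumed.

```python
# Added example: classify the protocol version each client offers in its
# ClientHello, so an operator can count how many clients would be locked out
# by disabling SSLv3 before making the change.
import struct
from collections import Counter

VERSION_NAMES = {
    0x0300: "SSLv3",
    0x0301: "TLS 1.0",
    0x0302: "TLS 1.1",
    0x0303: "TLS 1.2",  # TLS 1.3 clients also put 0x0303 here (legacy_version)
}

def client_hello_version(record: bytes):
    """Return client_version from a TLS/SSLv3 ClientHello record, or None.

    Layout: 5-byte record header (type, version, length), then a 4-byte
    handshake header (type, 3-byte length), then the 2-byte client_version.
    SSLv2-style hellos (first byte has the high bit set) and anything that is
    not a ClientHello yield None rather than a guess.
    """
    if len(record) < 11:
        return None
    content_type, _record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x16 or record_len + 5 > len(record):  # not a handshake, or truncated
        return None
    handshake_type = record[5]
    handshake_len = int.from_bytes(record[6:9], "big")
    if handshake_type != 0x01 or handshake_len + 4 > record_len:  # not a ClientHello
        return None
    (client_version,) = struct.unpack("!H", record[9:11])
    return client_version

def sslv3_only(record: bytes) -> bool:
    """True when the client offers nothing newer than SSLv3, i.e. it would lose access."""
    return client_hello_version(record) == 0x0300

def tally_versions(records):
    """Count offered versions by name over a batch of captured first packets."""
    return Counter(VERSION_NAMES.get(client_hello_version(r), "unknown") for r in records)

def make_hello(version: int) -> bytes:
    """Build a minimal, constructed ClientHello record carrying `version` (test data only)."""
    body = (struct.pack("!H", version) + b"\x00" * 32  # client_version, random
            + b"\x00"                                  # empty session id
            + b"\x00\x02\x00\x2f"                      # one cipher suite
            + b"\x01\x00")                             # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake
```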

Heartbleed Bug

About Heartbleed

The following is a snippet from heartbleed.com on the Heartbleed bug.

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet. SSL/TLS provides communication security and privacy over the Internet for applications such as web, email, instant messaging (IM) and some virtual private networks (VPNs).

The Heartbleed bug allows anyone on the Internet to read the memory of the systems protected by the vulnerable versions of the OpenSSL software. This compromises the secret keys used to identify the service providers and to encrypt the traffic, the names and passwords of the users and the actual content. This allows attackers to eavesdrop on communications, steal data directly from the services and users and to impersonate services and users.

OneAll is not affected

We are happy to confirm that the SSL version used by the OneAll platform is not affected by this bug. You don’t need to take any action regarding our site or services.


Infrastructure updated

Over the last months our customer base has been growing constantly (thank you very much for spreading the word), and our infrastructure had reached its limits.

We have now moved our servers to a new home to ensure that we can keep up with our capacity needs and give you better reliability.

The plugins are now loading faster than ever, and our new content delivery network will improve general page load times.

Please leave us a comment if you encounter any problems.