Attack of the POODLE: Goodbye, SSL 3.0!
Online security is a continuously evolving process, and security protocols are improved and developed continuously to keep your data and communications safe. Having been released some 15 years ago, SSL 3.0 is quite the dinosaur. It has been succeeded by TLS for some time now, but SSL 3.0 compatibility has been widely maintained. In the past few days, Bodo Möller of Google's security team announced that they had discovered a vulnerability in the older SSL 3.0 protocol, codenamed POODLE (or Padding Oracle On Downgraded Legacy Encryption, if you're not into acronyms). This vulnerability allows an attacker to recover the plaintext contents of secure connections made over SSL 3.0.
After a detailed analysis of the traffic that flows through our network, we have decided to remove SSL 3.0 compatibility from our servers altogether. We have since automatically deployed a patch to all our servers which removes SSL 3.0, meaning that our servers are no longer vulnerable to the POODLE attack (I must admit, not something I had really previously worried about!). This is an appropriate solution: based on our analytics, we received only a very small fraction of requests over SSL 3.0, less than 0.02%.
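A quick way for a server operator to confirm that a patch like this actually took effect is to send a bare SSL 3.0 ClientHello and look at what comes back. The probe below is an added example, not code from the original post or from the servers it describes; the host name, port and cipher-suite list are assumptions, and the test bytes are constructed.

```python
import socket
import struct
import sys

# SSL 3.0 is wire version 3.0; TLS 1.0+ servers that have SSLv3 disabled
# should answer a 3.0 ClientHello with a fatal alert or simply close.
SSL3_VERSION = b"\x03\x00"
# Assumed cipher suites every SSL 3.0 server of the era supported:
# RSA/3DES-SHA, RSA/AES128-SHA, RSA/AES256-SHA, RSA/RC4-SHA.
CIPHER_SUITES = b"\x00\x0a\x00\x2f\x00\x35\x00\x05"


def build_ssl3_client_hello(random_bytes: bytes = b"\x00" * 32) -> bytes:
    """Record(type=22 handshake) wrapping a minimal ClientHello (no extensions)."""
    body = (SSL3_VERSION + random_bytes + b"\x00"          # version, random, empty session id
            + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
            + b"\x01\x00")                                   # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Map the first record a server sends back to a verdict."""
    if len(data) < 5:
        return "closed"                      # no record at all: connection dropped
    record_type = data[0]
    if record_type == 21 and len(data) >= 7:  # alert record
        return "rejected (alert %d)" % data[6]
    if record_type == 22 and len(data) >= 11 and data[5] == 2:  # ServerHello
        if data[9:11] == SSL3_VERSION:
            return "VULNERABLE: SSL 3.0 negotiated"
        return "accepted at version %d.%d" % (data[9], data[10])
    return "unexpected record type %d" % record_type


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect, offer only SSL 3.0, and report how the server responded."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl3_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    return classify_response(reply)


if __name__ == "__main__":
    print(probe_sslv3(sys.argv[1] if len(sys.argv) > 1 else "example.com"))
```

Run it against your own hosts after the change; anything other than an alert or a closed connection means SSL 3.0 is still being negotiated.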
Most major web sites and many browsers will also be dropping their support for SSL 3.0, and so it will soon become confined to Internet history. Sometimes it's kinder to say goodbye, rather than continue to support outdated technologies. So it is with fond memories and many thanks for its sterling work over the past decade and a half that we must bid goodbye to SSL 3.0, because that POODLE's got BITE!