Written by Steve Falla   
Thursday, 16 October 2014 11:16

SSLv3 POODLE Vulnerability

Another month and another security vulnerability has hit the Internet. This time the vulnerability in question is SSLv3 POODLE, which could allow attackers to downgrade an encrypted communication with a web server and steal information such as cookies.
The recommended action to protect against any possible threat is for server owners to disable all communication using the old and dated SSLv3 protocol, and for users to ensure they are on the latest version of their preferred browser or turn off the SSLv3 protocol in the browser options.

We have already performed an analysis of our infrastructure and like many other companies running secure servers on the Internet, we have now disabled any communication using SSLv3. All secure communication will now require the use of the TLS protocol.

What does this mean to you, the user?
Well, as long as you have a modern browser, not a lot. Websites all over the world will be gradually switching off support for SSLv3 and insisting on TLS. This will mean that any old browsers will no longer be able to use those websites. 

How old does a browser need to be for it to be affected? 
If you are still running Internet Explorer 6, or you have Windows XP without Service Pack 3, you will be affected as there is no support for TLS. However, considering the number of security vulnerabilities found in these versions, and the number of notices asking users to move away from these versions, this should not affect many users.

What other issues will I encounter because of this change? 
A side issue is that because many website administrators will be turning off SSLv3, they will now be insisting on a version of TLS, and we are starting to hear from some Product Providers that they will be insisting on the very latest version, TLS v1.2.
This version is supported in most browsers, but only enabled by default in the latest. For example, you would need Internet Explorer 11 on Windows 7 or Windows 8.1 for it to be turned on by default. In anything older it will not be turned on, and your connection with the provider will be denied.
This will affect all connections to Provider extranets and many real-time valuations.

What happens now? 
So, even though the main responsibility for this vulnerability falls on server administrators, who need to turn off SSLv3, many users of secure sites will now need to ensure that they are on the latest version of their browser, possibly turn on TLS support, and maybe even turn off support for SSLv3.

The site below will guide you through turning off support for SSLv3 from within your specific browser. While you are in the options page, you should be able to see how to enable TLS 1.0 through TLS 1.2 as well.

  
Disabling SSLv3 Support in Browsers 

As always, we encourage you to seek similar assurances from other services that you use, specifically any financial services, product providers, etc. that you rely on, and any cloud-based backup or hosted services you may be using.

If you have any questions, please feel free to contact our technical support.