Take care. This article is likely outdated.


The poodle bite

tl;dr We've disabled legacy support for the 18 year old SSL v3 protocol on our SSL Add-On and the free SSL endpoint on App URLs. There is no action required from your side if you are a fortrabbit customer.

Yesterday, yet another SSL vulnerability has been discovered by three Google researchers. This one got the neat name POODLE (Padding Oracle On Downgraded Legacy Encryption) and allows man-in-the-middle attacks on secure connections which can lead to exposing sensitive data such as HTTP session cookies. The only safe way to mitigate those attacks is to disable the SSLv3 protocol either on client or on server or on both sides. Since clients do not (often) have control (or knowledge) of their used encryption protocols the deactivation on server side is the best approach. This is what we did today for all free SSL certificates and SSL AddOns.

The downside of this measurement is that very old clients (yes, IE6 strikes again from beyond the oh-so-earned grave) are not capable of using up2date protocols like TLS v1.0 - 1.2 and cannot connect to servers providing only these. However, those clients are increasingly rare and from our platform statistics basically non-existent. If you want to make sure you won't suffer from the omissions of a lazy admin when browsing the interwebs: here is an exhaustive guide on disabling SSLv3 for your browser. Or you can use an online check tool to verify that the site you are using is secured.

Further reading

Share & discuss this: