Oct 14 2014
TL;DR – Disable SSL immediately.
As of this morning SSL appears to be dead, or at least dying. The POODLE vulnerability in SSL was released last night. It reveals a flaw in the way that SSL v3 uses ciphers, one that allows an attacker to make a plain-text attack against the encrypted traffic. This makes the third major vulnerability released on the Internet this year, and it is another warning that this level of vulnerability discovery may be the new shape of things to come.
I’m not going to try to explain POODLE in detail, or give you a nice logo for it. Instead I’ll just point to the better articles on the subject, a couple of which just happen to be written by my teammates at Akamai. I’ll add more as I find them, but this should tell you everything you need to know for now.
- The POODLE bites: Exploiting the SSL 3.0 Fallback – From the discoverers at Google.
- POODLE Attacks on SSLv3 – At Imperial Violet, always a good resource for SSL
- Dancing Poodles – Something for your C-levels
- How Poodle happened – Another good technical description of POODLE.
Update: It’s estimated that SSLv3 accounts for between 1% and 3% of all Internet traffic.
And since there’s not an official logo for it yet, I present … The Rabid Poodle!