Delivery By SSLv3 Has Been Disabled. We’re Not Afraid Of POODLE’s Bark.
October 15, 2014 | Taylor Dondich
Over the past week, our technical teams became aware of an SSL vulnerability, which has just been published. This exploit, which targets SSLv3-negotiated secure sessions, allows an attacker to determine the plaintext contents of secure connections. For the full details of this exploit, review the Security Advisory.
What Have We Done
As a result of this finding, we have temporarily disabled SSLv3 negotiation for secure connections across our content delivery network and our application infrastructure. This also includes Control Panel and API services. Until the appropriate patches have been released and thoroughly tested by our security team, we will continue to have this negotiation disabled.
How Does This Impact You
For SSL negotiation, we support newer and more secure encryption protocols such as TLS 1.2, and all current browsers will negotiate to this protocol automatically. Therefore, the security implications of this exploit concern older browsers such as Internet Explorer 6.0 on Windows XP. This means your secure traffic will continue to function properly for the vast majority of your audience.
What If You Need Older Browser Support
We do understand that everyone’s audience is different. If you feel you need to support older clients that do not support TLS encryption, and you understand the potential impact of this security flaw, please contact our customer support. We will evaluate your requirements and determine a course of action to support your clients appropriately.
We will continue to proactively monitor the progression of this SSL vulnerability and keep you informed of our actions. As stated, once the appropriate patches have been released and fully tested, we may re-enable SSLv3 negotiation in the future.