SSL3 is one of the ways web sites encrypt data. It has theoretically been superseded by TLS, but in fact is still widely used.
Now researchers at Google have demonstrated that SSL3 encryption can be made to reveal supposedly secure information. The name they’ve given to the new attack is POODLE, an acronym for Padding Oracle On Downgraded Legacy Encryption. The technique has been verified, and the race is now on to mitigate the vulnerability in browsers and web servers worldwide. If you run a web server and it supports SSL3, you should disable SSL3 as soon as possible.
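One way to check whether a server configuration still leaves SSL3 enabled, as an added example that is not part of the original post or the advisories it links to. It assumes the protocol list is set explicitly with Apache's `SSLProtocol` or nginx's `ssl_protocols` directive and does not evaluate built-in defaults or included files; the function names and the sample configuration are made up for illustration.

```python
import re
# mod_ssl documents "all" as a shortcut that includes SSLv3 alongside the TLS versions.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}
DIRECTIVE = re.compile(r"^\s*(SSLProtocol|ssl_protocols)\s+([^#;]+)", re.IGNORECASE)

def apache_protocols(tokens):
    """Apply SSLProtocol tokens left to right: +x adds, -x removes, bare x replaces."""
    enabled = set()
    for tok in tokens:
        sign = tok[0] if tok[0] in "+-" else ""
        name = tok.lstrip("+-").lower()
        protos = APACHE_ALL if name == "all" else {name}
        if sign == "-":
            enabled -= protos
        elif sign == "+":
            enabled |= protos
        else:
            enabled = set(protos)
    return enabled

def find_sslv3(config_text):
    """Return (line_number, line) for each directive that leaves SSLv3 enabled."""
    findings = []
    for num, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)  # commented-out directives do not match
        if not m:
            continue
        tokens = m.group(2).split()
        if m.group(1).lower() == "sslprotocol":
            enabled = apache_protocols(tokens)
        else:  # nginx ssl_protocols is a plain list of enabled versions
            enabled = {t.lower() for t in tokens}
        if "sslv3" in enabled:
            findings.append((num, line.strip()))
    return findings

# Constructed sample configuration lines, not taken from any real server.
SAMPLE = """\
SSLProtocol all -SSLv2
SSLProtocol all -SSLv2 -SSLv3
# SSLProtocol all
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
SSLProtocol -all +TLSv1.2
"""

if __name__ == "__main__":
    for num, line in find_sslv3(SAMPLE):
        print(f"line {num}: SSLv3 still enabled -> {line}")
```

Lines 1 and 4 of the sample are flagged: the first removes only SSLv2 from `all`, and the second lists SSLv3 explicitly.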
A post on Microsoft’s MSRC security blog provides a brief overview of the problem from their perspective and points to security advisory 3009008. The advisory provides instructions for disabling SSL3 in Internet Explorer.
Anyone still using Internet Explorer 6 (why?) is going to have difficulty accessing secure web sites from this point forward, because IE6 requires SSL3 for secure web browsing, and administrators are now busily disabling SSL3 on their web servers.
More information:
- Duo Security – POODLE: A Critical Vulnerability in the SSL 3.0 Protocol
- Mozilla – The POODLE Attack and the End of SSL 3.0
Update 2014Dec11: A new variant of the POODLE attack targets TLS and apparently affects up to 10% of the world’s servers. Brian Krebs has more.
Update 2015Jan12: One of the SANS handlers posted a follow-up that looks in detail at assessing the actual risk of a POODLE attack. It turns out that the risk is actually fairly low.