Site24x7 Disabling SSLv3 by 30th November 2014

Update: SSLv3 support to be disabled by 08th December 2014

You may have recently read that version 3 of Secure Sockets Layer (SSLv3) is vulnerable at the protocol level. Many news sources and the OpenSSL team have confirmed this vulnerability.

The Security Flaw

POODLE (Padding Oracle On Downgraded Legacy Encryption) allows an attacker to read information encrypted with this version (SSLv3) of the protocol in plain text using a man-in-the-middle attack.

Man-In-The-Middle Attack

An attacker could downgrade an encrypted TLS session, forcing clients to use SSLv3, and then force the browser to execute malicious code. This code sends several requests to a target HTTPS website, where cookies are sent automatically if a previous authenticated session exists. This is a required condition in order to exploit this vulnerability. The attacker could then intercept this HTTPS traffic and, by exploiting a weakness in the CBC block cipher in SSLv3, decrypt portions of the encrypted traffic (e.g. authentication cookies).

Who Is Affected?

This vulnerability affects any services or clients that make it possible to communicate using SSLv3. This means that any software that implements a fallback mechanism that includes SSLv3 support is vulnerable and can be exploited.

Precautions

Clients should disable SSLv3 support completely, including as a fallback option, and use Transport Layer Security (TLS) when establishing server connections.
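For scripted API clients, the precaution above can be enforced and checked in code. The following is an added example, not Site24x7's own code: the function names are hypothetical and the TLS 1.2 floor is an assumption chosen for the example.

```python
import socket
import ssl

def hardened_client_context():
    """Client context that verifies certificates and can never speak SSLv3."""
    ctx = ssl.create_default_context()            # certificate + hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed floor for this example
    return ctx

def allows_sslv3(options, minimum_version):
    """True if a context with these settings could still negotiate SSLv3."""
    if options & ssl.OP_NO_SSLv3:
        return False                              # SSLv3 explicitly switched off
    if minimum_version == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        return False                              # pinned to the newest version only
    # MINIMUM_SUPPORTED is a negative sentinel, so it also compares below SSLv3.
    return minimum_version <= ssl.TLSVersion.SSLv3

def audit(ctx):
    """Apply allows_sslv3() to a live ssl.SSLContext."""
    return allows_sslv3(ctx.options, ctx.minimum_version)

def connect_without_fallback(host, port=443, timeout=10):
    """Single handshake attempt. A failure raises ssl.SSLError to the caller;
    it is never retried with a lower protocol version."""
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version()                  # negotiated protocol name
```

Whether an unrestricted context can actually negotiate SSLv3 also depends on how the local OpenSSL library was built, so `allows_sslv3` reports what the settings permit, not what the library supports.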

Site24x7 Disabling SSLv3 by 30th November 2014

In light of this security flaw, we will be disabling the SSLv3 protocol on our load balancer by 30th November 2014. As a result, you may face issues connecting to Site24x7.com with an older browser version or accessing the Site24x7 API via the SSLv3 protocol.

The following resources can help you disable SSLv3 on your hosts.

Microsoft Security Advisory 3009008

Apple Support Community - How do I disable SSLv3 in Safari (OSX & iOS)

Redhat Customer Portal - POODLE: SSLv3 vulnerability

Ask Ubuntu – How do I patch/workaround SSLv3 POODLE vulnerability

Please get in touch with support@site24x7.com for further queries.
