The POODLE Vulnerability - What It Is and How To Protect Yourself
On the morning of 15th October we turned off SSLv3 support on the CCNow platform because of a potential new security exploit called 'POODLE'.
'POODLE' affects SSLv3 (version 3) of the Secure Sockets Layer protocol, used to encrypt communications between a browser and a web site (or between a user’s email client and mail server). It’s not as serious as the recent 'Heartbleed' and 'Shellshock' vulnerabilities, but POODLE could allow an attacker to hijack and decrypt the session cookie that identifies you to a service like Twitter or Google, and then take over your accounts without needing your password.
If 'Heartbleed' and 'Shellshock' (both of which we patched on our systems swiftly) were a 10 on the threat scale, then 'POODLE' is probably a 5.
In general you can rely on websites to do the responsible thing to protect you and disable SSLv3 at their end (as CCNow and many other sites have already done). Browser developers are already working on new releases that will remove SSLv3 support transparently; you should be protected automatically in the near future as those new browser releases are pushed out. If you are concerned, however, you can read here how to disable SSLv3 in your browser now.
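Site operators who have turned SSLv3 off (as described above) usually want to confirm that the change actually took effect on every public endpoint. The following script is an added example, not CCNow's code: it builds a ClientHello that offers only SSL 3.0 with a handful of CBC cipher suites, sends it to a host you operate, and classifies the first record that comes back. A ServerHello carrying version 3.0 means the server still negotiates SSLv3 and is exposed to POODLE; an alert means it refused. The fixed 32-byte client random, the cipher-suite list and the `probe_sslv3` function name are my own choices; everything else follows the SSL 3.0 record and handshake layout.

```python
"""Check whether a server you operate still negotiates SSLv3.

Added example (not CCNow's code). It offers only SSL 3.0 in the ClientHello
and classifies the server's first record. Parsing is separated from network
I/O so the classifier can be exercised offline on constructed responses.
"""
import os
import socket
import struct

SSLV3 = b"\x03\x00"            # protocol version bytes for SSL 3.0
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HANDSHAKE_SERVER_HELLO = 0x02

# A few CBC cipher suites common in SSLv3 deployments (IANA suite IDs);
# CBC mode is what the POODLE padding-oracle attack targets.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]


def build_sslv3_client_hello(client_random: bytes = b"\x00" * 32) -> bytes:
    """Return a record-framed ClientHello that offers only SSL 3.0.

    The default random is a constructed constant so the output is
    deterministic; the live probe passes os.urandom(32) instead.
    """
    if len(client_random) != 32:
        raise ValueError("client_random must be exactly 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        SSLV3                                   # client_version = 3.0
        + client_random                         # 32-byte random
        + b"\x00"                               # empty session_id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                           # one compression method: null
    )                                           # no extensions: SSLv3 predates them
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return (bytes([CONTENT_HANDSHAKE]) + SSLV3
            + struct.pack("!H", len(handshake)) + handshake)


def classify_server_response(data: bytes) -> str:
    """Classify the first record a server returned to the SSLv3-only hello.

    "sslv3_accepted" - ServerHello with server_version 3.0 (POODLE-exposed)
    "sslv3_refused"  - an alert record (handshake_failure, protocol_version, ...)
    "other"          - empty/truncated data, or a non-SSLv3 ServerHello
    """
    if len(data) < 5:
        return "other"
    content_type = data[0]
    record_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + record_len]
    if content_type == CONTENT_ALERT:
        return "sslv3_refused"
    if (content_type == CONTENT_HANDSHAKE and len(payload) >= 6
            and payload[0] == HANDSHAKE_SERVER_HELLO and payload[4:6] == SSLV3):
        return "sslv3_accepted"
    return "other"


def probe_sslv3(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send the SSLv3-only ClientHello to host:port and classify the reply.

    Servers that simply drop the connection instead of sending an alert
    surface here as "other", which is worth a manual look but is not a
    positive SSLv3 result.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_sslv3_client_hello(os.urandom(32)))
            data = sock.recv(4096)
    except (ConnectionResetError, socket.timeout, OSError):
        return "other"
    return classify_server_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    print(target, probe_sslv3(target))
```

Run it as `python3 sslv3_probe.py your.host.example` after disabling SSLv3 on a server; the expected result is `sslv3_refused`. Because the classifier only looks at the first record, it will not be fooled by a server that sends a ServerHello with a TLS version and then keeps talking, and it does not complete the handshake, so no cipher-suite or key material is ever negotiated with the target.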
Internet Explorer 6 users are a special case. (You probably aren't reading this article if you use IE 6, because CCNow only supports IE 7 and above, but if you know someone who has IE 6 and won't or can't upgrade, here is a guide on how to enable TLS v1.0 and disable SSL v2 and SSL v3 in Internet Explorer 6 (300Kb PDF).)