Often the biggest concern when a security exploit comes out is the time that elapses from when the issue is reported to the time when the manufacturer issues a patch. Will you be targeted in that brief unprotected moment? Can you ensure your customers will be protected if you’re the victim of an exploit?
With all of the security vulnerabilities reported lately, there’s no rest for the weary sysadmin.
The latest vulnerability, nicknamed POODLE, is an issue with SSL (CVE-2014-3566) that allows network attackers to calculate the plaintext of secure connections.
Because it affects only the SSLv3 protocol, our Security and Compliance Committee made the decision to disable SSLv3 on all of our public and private web properties. We’ve already completed the process to disable SSLv3 on our public websites, like our client portal or support interface, and will be assisting customers with disabling the protocol in their managed load balancers in the coming days.
Due to the advanced age of SSLv3 and the lack of browsers that require such an old protocol, disabling SSLv3 ensures no customer data is subjected to the vulnerability. (The SSLv3 protocol was created in 1996 and has since been replaced with newer and better security protocols.)
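One way to confirm that SSLv3 really is switched off everywhere is to audit server configuration files for directives that still enable it. The script below is an added example, not code from the original post; the post does not name any server software, so the use of nginx's `ssl_protocols` and Apache mod_ssl's `SSLProtocol` directives, the function names and the sample configurations are all assumptions made for illustration.

```python
import re

# nginx "ssl_protocols ...;" and Apache mod_ssl "SSLProtocol ..."; "#" comment lines do not match.
DIRECTIVE = re.compile(r"^\s*(ssl_protocols|SSLProtocol)\s+([^;#]+)", re.IGNORECASE)
# Assumption: Apache's "all" includes SSLv3, as it did in older mod_ssl builds.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

def enables_sslv3(directive, tokens):
    """True if this directive's protocol list leaves SSLv3 switched on."""
    if directive.lower() == "ssl_protocols":      # nginx: a plain allow-list
        return any(t.lower() == "sslv3" for t in tokens)
    enabled = set()                               # mod_ssl: evaluated left to right
    for tok in tokens:
        sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
        protos = APACHE_ALL if name.lower() == "all" else {name.lower()}
        if sign == "+":
            enabled |= protos                     # +X adds
        elif sign == "-":
            enabled -= protos                     # -X removes
        else:
            enabled = set(protos)                 # bare X replaces the set
    return "sslv3" in enabled

def find_sslv3(config_text):
    """Return (line number, directive text) for each directive that enables SSLv3."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if m and enables_sslv3(m.group(1), m.group(2).split()):
            findings.append((lineno, line.strip()))
    return findings

# Constructed sample configurations (not taken from the original post).
NGINX_SAMPLE = """server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
"""
APACHE_SAMPLE = """<VirtualHost *:443>
    SSLProtocol all -SSLv2
</VirtualHost>
<VirtualHost *:8443>
    SSLProtocol all -SSLv2 -SSLv3
</VirtualHost>
"""

if __name__ == "__main__":
    for sample in (NGINX_SAMPLE, APACHE_SAMPLE):
        for lineno, text in find_sslv3(sample):
            print(f"line {lineno}: SSLv3 still enabled -> {text}")
```

A configuration with no protocol directive at all falls back to the server's built-in default, which this check does not inspect.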