Skip to main content
BlogCloud OverviewsPOODLE SSL 3.0 Vulnerability

POODLE SSL 3.0 Vulnerability

Yesterday, Google published the discovery of an SSL 3.0 vulnerability named “POODLE.” This vulnerability allows an attacker to decrypt transferred data and successfully read plain text. While many browsers support newer, more secure protocols, an attacker can create connectivity issues, causing the browser to fall-back to the vulnerable SSL 3.0 protocol.

Is Linode Infrastructure Vulnerable?

We have disabled SSL 3.0 on our web servers, NodeBalancers, and the rest of our infrastructure. Quick execution from our Security Team has protected our infrastructure from this vulnerability.

Am I Vulnerable?

If your Internet-facing Linode allows for encrypted connections you will need to make sure that SSL 3.0 is completely disabled. This doesn’t mean that a stronger protocol such as TLS is offered first but rather that SSL 3.0 should not be an option at all. You can check if you’re vulnerable and how to disable SSL 3.0 using our guide: Disabling SSLv3 for POODLE.


Comments (8)

  1. Author Photo

    Thank you guys for this rapid response.
    I think you should give a handy simple way on how to disable ssl 3.0 or deploy TLS_FALLBACK_SCSV into a server, such as how to change ssl.conf file.

  2. Author Photo

    In response to 水景一页, the Zmap people have put together a great resource:

    https://zmap.io/sslv3/

    There’s a nice cheat sheet for a few of the server-side packages:

    https://zmap.io/sslv3/servers.html

  3. Author Photo

    The post has been updated with our guide on how to check for and then disable SSL 3.0.

  4. Author Photo

    Hi,

    This guy is kindly enough to provide backported dovecot 2.0.9 which has SSlv3 disabled: https://fh.kuehnel.org/doevcot-ssl3/.

  5. Author Photo

    will there be any option in the near future to support SSL3 with TLS_FALLBACK_SCSV?

    IE6 may be dwindling, but it’s still out there in some markets.

  6. Author Photo

    Thank you so Much for Helpful Tips.

  7. Author Photo

    TLS_FALLBACK_SCSV on web server end is only part of the solution as it only works if client web browser end supports TLS_FALLBACK_SCSV https://community.centminmod.com/threads/poodle-attacks-on-sslv3-vulnerability.1651/page-3#post-8351 . So until all web browsers update to support such, SSLv3 should be disabled on server end.

  8. Author Photo

Leave a Reply

Your email address will not be published. Required fields are marked *