TL;DR:
We are disabling the support of SSLv3 in front of our platform the Friday, 24th October. CBC has already been disabled, mitigating the issue.
The secure web is not for Internet Explorer 6 anymore.
Say hello to the POODLE
POODLE is the codename of a new vulnerability disclosed by Google earlier this week. This vulnerability is not related to a specific software but to a whole protocol: SSLv3.
In few words this vulnerability gives the ability to an attacker to force a client downgrading the protocol version and the cipher suite used to talk to a secure server even if it is compatible with the most recent and secure one. After that the attacker will be able to perform a Padding Oracles attack to decipher the communication.
Does Clever Cloud POODLE?
The most efficient way to prevent this attack on the server-side is to remove the support of the SSL version 3. Removing this version will block some users like Internet Explorer 6 -which is not compatible with the newest protocol TLS- and very old devices.
Even if it is a good pretext to end the very long life of Internet Explorer 6, we prefer to check the impact on our customers before applying this update.
We are planning to disable the support of SSLv3 in front of our platform the Friday, 24th October. If you are a SSL customer and want to keep it, let us know by sending an email to our support.
Disabling SSLv3 is not the only way to mitigate this issue. After the downgrade dance, the most vulnerable cipher suite is CBC and… good news, this cipher was disabled widely on our platform earlier this year!
We are also deploying a patch to support a new cipher suite flag which tells to a server to reject any inappropriate fallback from a client.