Maintaining Your Web Security: Yottaa’s Response to POODLE
It seems the frequency of website security exploits across the Internet has exploded in recent months. The most recent exploit is known as Padding Oracle On Downgraded Legacy Encryption, or P.O.O.D.L.E.
Cute name aside (it doesn’t sound nearly as sinister as Heartbleed or Bashpocalypse, does it?), this is a serious vulnerability in the design of SSL version 3.0 that allows the plain text of secure connections to be calculated by a network attacker.
For extensive background information, see this excellent blog post from Symantec. Yottaa has performed a comprehensive assessment of our global infrastructure and implemented a remediation plan to eliminate the exploit.
What is SSL 3.0 anyway?
SSL 3.0 is a legacy implementation that is nearly 18 years old and is mostly (though not exclusively) relevant to Windows XP users on Internet Explorer 6, or to software that relies on Java v6. Nearly all browsers still support SSL 3.0, however, using it to work around bugs in HTTPS servers by retrying failed connections with older protocol versions. This is precisely how an attacker would exploit the vulnerability: by causing a connection failure that triggers the end user's browser to fall back to SSL 3.0.
Yottaa is disabling SSL 3.0 support. To ensure the lowest possible impact, Yottaa Client Services and Support have been in contact with our customers. We have assessed their traffic and website security challenges and determined that the impact should be minimal.
Unencrypted (HTTP) traffic will be unaffected; this change can only affect encrypted (HTTPS) pages, and then only for users with severely outdated, unsupported, legacy browsers. If your end users are unable to access encrypted pages as a result of this change, we recommend that you strongly encourage them to upgrade their browser.
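As an added illustration (not Yottaa's code), the following Python snippet parses a captured TLS/SSL ServerHello record and flags a handshake that settled on SSL 3.0, which is what a downgraded connection of the kind described above looks like on the wire and what a site operator can look for to confirm SSL 3.0 is really off. The sample records are constructed inside the code; the record layout and version numbers come from the SSL 3.0 and TLS specifications.

```python
import struct

# Protocol version bytes as they appear in the handshake (SSL 3.0 is 3.0, TLS 1.0 is 3.1, ...).
SSL3 = (3, 0)
VERSION_NAMES = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

HANDSHAKE_CONTENT_TYPE = 0x16
SERVER_HELLO = 0x02


def parse_server_hello_version(record: bytes):
    """Return the (major, minor) version the server chose in a ServerHello record, or None.

    Layout: record header (type, version, length) then handshake header (type, 3-byte length),
    then the ServerHello body whose first two bytes are the negotiated version.
    """
    if len(record) < 11:
        return None
    content_type, _rec_major, _rec_minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HANDSHAKE_CONTENT_TYPE or len(record) < 5 + rec_len:
        return None  # not a handshake record, or truncated
    body = record[5:5 + rec_len]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_type != SERVER_HELLO or hs_len < 2 or len(body) < 4 + hs_len:
        return None
    # The record-layer version may be lower than this; the ServerHello body is authoritative.
    return (body[4], body[5])


def is_sslv3_negotiation(record: bytes) -> bool:
    """True when the server accepted an SSL 3.0 handshake (the POODLE-exposed case)."""
    return parse_server_hello_version(record) == SSL3


def describe(record: bytes) -> str:
    version = parse_server_hello_version(record)
    if version is None:
        return "not a ServerHello"
    return VERSION_NAMES.get(version, "unknown %d.%d" % version)


def build_server_hello(major: int, minor: int) -> bytes:
    """Constructed minimal ServerHello for testing: version, 32-byte random, empty session id,
    one cipher suite, null compression."""
    body = bytes([major, minor]) + b"\x00" * 32 + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_CONTENT_TYPE, major, minor]) + struct.pack("!H", len(handshake)) + handshake
```

A server that has SSL 3.0 disabled should never produce a ServerHello that this flags; a fatal alert record in its place is the expected response to an SSL 3.0-only client.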
If you have specific questions or concerns about your website protection, please contact Yottaa Support.