20141016 - Poodle: a vulnerability affecting the SSLv3 protocol

Discovered by three Googlers and disclosed yesterday, Poodle (Padding Oracle On Downgraded Legacy Encryption) is a new security flaw that makes SSLv3 vulnerable to MITM (Man In The Middle) attacks.

SSLv3 is an old encryption protocol that is barely used these days, since it was replaced by TLS years ago. But it still exists: it can still be requested by old browsers (such as Internet Explorer 6) or used as a fallback should a TLS session fail.

Who is impacted?

This vulnerability only affects clients (not servers), and in particular clients using public Wi-Fi networks.

It allows an attacker to retrieve cookie data and use it to log in to the victim's online accounts.

What should I do?

Disable SSLv3 support on your servers.
Warning though: disabling SSLv3 on your servers means you won't be able to establish SSL connections with browsers that are more than 10 years old (IE6 for example).
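As an added illustration (not part of the original post), here is what that change looks like in an nginx `server` block: the weak setting that still negotiates SSLv3 next to the corrected one that only offers TLS. The hostname and certificate paths are placeholders.

```nginx
server {
    listen 443 ssl;
    server_name example.com;  # placeholder hostname

    ssl_certificate     /etc/ssl/certs/example.com.crt;  # placeholder path
    ssl_certificate_key /etc/ssl/private/example.com.key;  # placeholder path

    # WEAK: SSLv3 is still offered, so a downgraded client can be attacked.
    # ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;

    # FIXED: only TLS versions are offered; SSLv3 handshakes are refused.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
```

The Apache equivalent is `SSLProtocol all -SSLv2 -SSLv3`; after reloading, an `openssl s_client -connect example.com:443 -ssl3` run from an OpenSSL build that still supports SSLv3 should fail with a handshake error.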

