20141016 - Poodle : a vulnerability affecting SSLv3 protocol

Discovered by 3 Googlers and revealed yeasterday, Poodle (Padding Oracle on Downgraded Legacy Encryption) is a new security failure making SSLv3 vulnerable to MITM (Man In The Middle) attacks.

SSLv3 is an old encryption protocol barely used these days seeing that is has been replaced by TLS a few years ago. But it still exists and can still be solicited by old browsers (as Internet Explorer 6) or used as a spare wheel should a TLS session failed.

Who is impacted?

This vulnerability only affects clients (not servers) and in particular clients using public WIFI networks.

It allows a hacker to retrieve cookies information to get connected to the victim online accounts.

What should I do?

Disable SSLv3 support on your servers.
Warning though: disable SSLv3 on your machines means you won't be able to establish SSL connections with browsers that are more than 10 years old (IE6 for example).

Useful links

• What are the risks linked to obsolete protocols?


• Disable SSLv2 and SSLv3 under IIS
• Disable SSLv2 and SSLv3 under IIS8.5
• SSLv3: Deactivation on Paypal
• Disable SSLv2 and SSLv3 on Apache
• Disable SSLv2 and SSLv3 on Tomcat
• Install a certificate on Nginx


• Run a test on your websites with CopiBot

• Poodle security advisory 
• SSL3 “POODLE” Vulnerability