Security Notification for SSLv3 POODLE Vulnerability

Posted on October 16th, 2014 by Websitepulse in Industry News, WebSitePulse News

As you probably know, a number of news sources, corporations, and the OpenSSL team reported yesterday, 14 October 2014, that version 3 of Secure Sockets Layer (SSLv3) is vulnerable at the protocol level. More information about the vulnerability can be found here: CVE-2014-3566.

To prevent any potential leaks from this vulnerability, we have immediately disabled SSLv3 on all our web servers, including the API endpoints. Our monitoring agents are not affected by this change and will continue to support SSLv3 for the time being so that they can properly monitor servers that support only SSLv3. We urge all customers to disable SSLv3 on hosts interacting with our services as soon as possible and to upgrade to Transport Layer Security (TLS).

Here are a few samples of how to configure your potentially vulnerable services to disable SSLv3.

Apache

Change all SSLProtocol directives in your httpd config to

SSLProtocol ALL -SSLv2 -SSLv3

and restart the server.

Nginx

Add or edit the following line in your server block

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
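
To confirm that no stray directive still leaves SSLv3 on, the following added example (not part of the original post) scans configuration text for the two directives shown above and reports which ones still enable SSLv3. It assumes a 2014-era build where Apache's "all" includes SSLv3, treats a bare protocol name as additive, and uses a constructed sample config; the function names are hypothetical.

```python
import re

# Assumption: on 2014-era builds "all" in SSLProtocol includes SSLv3.
# SSLv2 is left out because it does not affect this check.
APACHE_ALL = {"sslv3", "tlsv1", "tlsv1.1", "tlsv1.2"}

# Matches uncommented Apache SSLProtocol and nginx ssl_protocols lines.
DIRECTIVE = re.compile(
    r"^[ \t]*(SSLProtocol|ssl_protocols)[ \t]+([^;#\n]+)", re.I | re.M)

def apache_protocols(value):
    """Evaluate an SSLProtocol value left to right into a set of names.
    Simplified model: a bare name is treated like +name (flags more, not less)."""
    enabled = set()
    for token in value.lower().split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        group = APACHE_ALL if name == "all" else {name}
        enabled = enabled - group if sign == "-" else enabled | group
    return enabled

def audit(config_text):
    """Return (line_no, directive, sslv3_enabled) for each protocol directive."""
    findings = []
    for m in DIRECTIVE.finditer(config_text):
        line_no = config_text.count("\n", 0, m.start(1)) + 1
        name, value = m.group(1), m.group(2).strip()
        if name.lower() == "sslprotocol":
            weak = "sslv3" in apache_protocols(value)
        else:  # nginx: a plain list of enabled protocols
            weak = "sslv3" in value.lower().split()
        findings.append((line_no, name, weak))
    return findings

# Constructed sample mixing Apache and nginx lines, for illustration only.
SAMPLE = """\
# constructed sample
SSLProtocol all -SSLv2
SSLProtocol ALL -SSLv2 -SSLv3
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
"""

if __name__ == "__main__":
    for line_no, name, weak in audit(SAMPLE):
        status = "SSLv3 STILL ENABLED" if weak else "ok"
        print(f"line {line_no}: {name}: {status}")
```

The check only evaluates directives that are present; a server with no protocol directive at all falls back to its build's default and should be reviewed separately.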

If you can't disable SSL 3.0 entirely, there is a TLS_FALLBACK_SCSV patch that can help avoid the attack, if both the client and the server support it.
