Google discovered a new OpenSSL vulnerability and described it on it’s online security blog. This SSL bug is called POODLE (Padding Oracle On downgraded Legacy Encryption). The Poodle attack will allow hackers to steal your browser’s “secure” HTTP cookies and other bearer tokens such as HTTPS Authorization header contents.

The vulnerability is serious, you must bring up to date your systems. Among other things, this ssl vulnerability allows Man-in-the-Middle MITM attacks by forcing a downgrade version of SSL used.

Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.

Source – Google Online Security Blog

1. To secure servers see the methods below:

Fix for Apache Servers:

SSLProtocol All -SSLv2 -SSLv3


SSLProtocol TLSv1

Then check if the new configuration is correct (no typos etc.):

sudo apache2ctl configtest

And restart the server, e.g.

sudo service apache2 restart

Fix for Nginx Servers:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

And restart the server, e.g.

sudo service nginx restart

Fix for HAProxy Servers:

bind :443 ssl crt ciphers no-sslv3

You can find more details regarding methods to secure your web servers or web services on this link.

2. To secure your web browser
Take a look on this website.


You can check your website to see if it’s vulnerable to Poodle or other kinds of SSL vulnerabilities on Qualys SSL Labs website.

The Poodle SSL vulnerability was named CVE-2014-3566 and is detailed here.