Poodle image via Flickr, CC license
For the last week we've been tracking rumors about a new vulnerability in SSL. This specific vulnerability, which was just announced, targets SSLv3. The vulnerability allows an attacker to add padding to a request in order to then calculate the plaintext of encryption using the SSLv3 protocol. Effectively, this allows an attacker to compromise the encryption when using the SSLv3 protocol. Full details have been published by Google in a paper which dubs the bug POODLE (PDF).
Generally, modern browsers will default to a more modern encryption protocol (e.g., TLSv1.2). However, it's possible for an attacker to simulate conditions in many browsers that will cause them to fall back to SSLv3. The risk from this vulnerability is that if an attacker could force a downgrade to SSLv3 then any traffic exchanged over an encrypted connection using that protocol could be intercepted and read.
In response, CloudFlare has disabled SSLv3 across our network by default for all customers. This will have an impact on some older browsers, resulting in an SSL connection error. The biggest impact is Internet Explorer 6 running on Windows XP or older. To quantify this, we've been tracking SSLv3 usage.
SSLv3 Usage Stats
Across our network, 0.09% of all traffic is SSLv3. For HTTPS traffic, 0.65% across our network uses SSLv3. The good news is most of that traffic is actually attack traffic and some minor crawlers. For real visitor traffic, today 3.12% of CloudFlare's total SSL traffic comes from Windows XP users. Of that, 1.12% Windows XP users connected using SSLv3. In other words, even on an out-of-date operating system, 98.88% Windows XP users connected using TLSv1.0+ — which is not vulnerable to this vulnerability.
Beyond human browser traffic, some crawlers default to SSLv3. The largest crawler we see defaulting to SSLv3 is Pingdom's. [Added Oct 15, 2014: The original statement is true. However, Pingdom's crawler appropriately tests with TLS if SSLv3 is not available, and always has, so there's no impact to availability monitoring. Apologies for any confusion on this point. Original text follows, but their crawler has and does support HTTPS over other protocols.] Pingdom is a CloudFlare partner. We alerted them to this issue and are actively working with them to ensure that their crawler will support HTTPS over a protocol other than SSLv3.
Overriding the Default
Since some of CloudFlare's customers may prioritize broad browser support over the risk posed by this vulnerability, we have enabled an option for Business and Enterprise customer where users can enable SSLv3 if they see errors. You will find this option on the Security Settings page of CloudFlare's control panel within the next 24 hours. Unless you have a specific reason to enable SSLv3, we strongly recommend at this time you leave it disabled.
Going forward, we are studying the vulnerability and believe we may be able to mitigate the risk SSLv3 in such a way to provide support for older browsers while reducing the risk of this vulnerability. Google's BoringSSL fork of OpenSSL has protection against downgrading of SSL connections (see IETF post on Fallback SCSV). We believe this will eliminate the largest risk posed by this vulnerability. While this won't protect IE6 connections, it will protect an attacker from forcing a modern browser to downgrade its SSL connection to SSLv3 and thereby being vulnerable.
We are continuing to track this vulnerability as news breaks. We will update this post as we have more information.