The other day, a serious vulnerability (CVE-2014-3566) was discovered in SSL 3.0. This vulnerability is commonly called ‘POODLE’.
By exploiting this vulnerability, an attacker can steal sensitive information from the website, such as private account data (user passwords, cookies, etc.).
Even if the web server supports a newer version of TLS, it remains vulnerable to POODLE as long as SSL 3.0 is also supported.
If you are using SSL on a site that you operate on Amimoto AMI, it is recommended that you disable SSL 3.0 support immediately.
- Google Online Security Blog: This POODLE bites: exploiting the SSL 3.0 fallback
- The POODLE Attack and the End of SSL 3.0 | Mozilla Security Blog
Users of Self-Managed Amimoto AMI
In Amimoto AMI, SSL is disabled at initial startup, so you will not be affected by this vulnerability.
However, if you have enabled SSL on your own, you need to review the setting of the ssl_protocols directive in the Nginx configuration file.
If the ssl_protocols directive is not set, the default is SSLv3 TLSv1 TLSv1.1 TLSv1.2, which means SSL 3.0 is supported.
Please set the directive as follows so that SSL 3.0 is no longer supported:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Check this module: ngx_http_ssl_module
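To review a configuration as described above, the following added example (not part of the original post or of Amimoto's tooling) lists every TLS-enabled server block whose effective ssl_protocols still includes SSLv3, either because the directive names it or because it is unset at every level. It assumes the unset default stated above, uses a simplified tokenizer that does not handle quoted strings or include files, and all function names and the sample hostnames are hypothetical.

```python
import re

# Effective value the page gives when ssl_protocols is not set.
UNSET_DEFAULT = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]

def _block(kind, parent):
    return {"kind": kind, "parent": parent, "protocols": None, "tls": False, "name": "(unnamed)"}

def _effective(block):
    """Nearest explicit ssl_protocols in the enclosing blocks, else the default."""
    while block and block["protocols"] is None:
        block = block["parent"]
    return (block["protocols"], "explicit") if block else (UNSET_DEFAULT, "unset")

def audit_ssl_protocols(conf_text):
    """Return (server_name, 'explicit'|'unset') for TLS servers still offering SSLv3."""
    text = re.sub(r"#[^\n]*", "", conf_text)        # strip comments
    tokens = re.findall(r"[{};]|[^\s{};]+", text)   # simplified: ignores quoting
    current, servers, stmt = _block("main", None), [], []
    for tok in tokens:
        if tok == "{":                              # open a block named by the statement
            current, stmt = _block(stmt[0] if stmt else "", current), []
        elif tok == "}":                            # close it; remember server blocks
            servers += [current] if current["kind"] == "server" else []
            current, stmt = current["parent"] or current, []
        elif tok == ";":                            # end of a simple directive
            if stmt[:1] == ["ssl_protocols"]:
                current["protocols"] = stmt[1:]
            elif stmt == ["ssl", "on"] or (stmt[:1] == ["listen"] and "ssl" in stmt[2:]):
                current["tls"] = True
            elif stmt[:1] == ["server_name"] and len(stmt) > 1:
                current["name"] = stmt[1]
            stmt = []
        else:
            stmt.append(tok)
    # Resolve inheritance only after parsing, so directive order does not matter.
    found = [(s["name"], *_effective(s)) for s in servers if s["tls"]]
    return [(name, how) for name, protos, how in found if "SSLv3" in protos]

# Constructed sample configuration (hostnames are placeholders).
SAMPLE_CONF = """
http {
  server { listen 80; server_name www.example.com; }
  server { listen 443 ssl; server_name shop.example.com; }
  server { listen 443 ssl; server_name blog.example.com; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; }
  server { listen 443 ssl; server_name old.example.com; ssl_protocols SSLv3 TLSv1; }
}
"""
if __name__ == "__main__":
    for name, how in audit_ssl_protocols(SAMPLE_CONF):
        print(f"{name}: SSLv3 still offered ({how} ssl_protocols)")
```

A server reported as "unset" needs the directive added; one reported as "explicit" needs SSLv3 removed from its existing value.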
Users of Amimoto AMI Managed Hosting
The Amimoto AMI Managed Hosting Plan offers an SSL option.
Previously, clients were entitled to choose the SSL setting as a custom plan. All servers of Amimoto AMI Managed Hosting have been configured to disable support for SSL 3.0, so users will not be affected by this vulnerability.