Date Published
Oct. 14, 2014
Matthew Prince


A new vulnerability called POODLE has been discovered in the SSLv3 protocol; it allows an attacker to compromise encryption. CloudFlare has disabled SSLv3 by default across its network for all customers. This affects some older browsers, such as Internet Explorer 6 on Windows XP or older. The company is working with partners to ensure support for HTTPS over protocols other than SSLv3. Business and Enterprise customers who prioritize broad browser support over the risk posed by this vulnerability have an option to enable SSLv3, but it is recommended to leave it disabled unless there is a specific reason to enable it. Google's BoringSSL fork of OpenSSL may provide protection against downgrading SSL connections, which would mitigate the largest risk posed by this vulnerability.