The POODLE Attack and the End of SSL 3.0


SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information.

We have a plan to turn off SSLv3 in Firefox. This plan was developed with other browser vendors after a team at Google discovered a critical flaw in SSLv3, which can allow an attacker to extract secret information from inside of an encrypted transaction. SSLv3 is an old version of the security system that underlies secure Web transactions and is known as the “Secure Sockets Layer” (SSL) or “Transport Layer Security” (TLS).


In late September, a team at Google discovered a serious vulnerability in SSL 3.0 that can be exploited to steal certain confidential information, such as cookies. This vulnerability, known as “POODLE”, is similar to the BEAST attack. By exploiting this vulnerability, an attacker can gain access to things like passwords and cookies, enabling him to access a user’s private account data on a website.

Any website that supports SSLv3 is vulnerable to POODLE, even if it also supports more recent versions of TLS. In particular, these servers are subject to a downgrade attack, in which the attacker tricks the browser into connecting with SSLv3. This relies on a behavior of browsers called insecure fallback, where browsers attempt to negotiate lower versions of TLS or SSL when connections fail.

Today, Firefox uses SSLv3 for only about 0.3% of HTTPS connections. That’s a small percentage, but due to the size of the Web, it still amounts to millions of transactions per day.


The POODLE attack can be used against any browser or website that supports SSLv3. This affects all current browsers and most websites. As noted above, only 0.3% of transactions actually use SSLv3. Though almost all websites allow connections with SSLv3 to support old browsers, it is rarely used, since there are very few browsers that don’t support newer versions of TLS.

Sites that require SSLv3 will remain vulnerable until they upgrade to a more recent version of TLS. According to measurements conducted by Mozilla and the University of Michigan, approximately 0.42% of the Alexa top million domains have some reliance on SSLv3 (usually due to a subdomain requiring SSLv3).


SSLv3 will be disabled by default in Firefox 34, which will be released on Nov 25. The code to disable it is landing today in Nightly, and will be promoted to Aurora and Beta in the next few weeks. This timing is intended to allow website operators some time to upgrade any servers that still rely on SSLv3.

As an additional precaution, Firefox 35 will support a generic TLS downgrade protection mechanism known as SCSV. If this is supported by the server, it prevents attacks that rely on insecure fallback.

Additional Precautions

For Firefox users, the simplest way to stay safe is to ensure that Firefox is configured to automatically update. Look under Preferences / Advanced / Update and make sure that “Automatically install updates” is checked.

For users who don’t want to wait till November 25th (when SSLv3 is disabled by default in Firefox 34), we have created the SSL Version Control Firefox extension to disable SSLv3 immediately.

Website operators should evaluate their traffic now and disable SSLv3 as soon as compatibility with legacy clients is no longer required. (The only remaining browser that does not support TLSv1.0 is Internet Explorer 6). We recommend following the intermediate configuration level from Mozilla’s Server Site TLS guidelines.

We realize that many sites still receive traffic from IE6 and cannot disable SSLv3 entirely. Those sites may have to maintain SSLv3 compatibility, and should actively encourage their users to migrate to a more secure browser as soon as possible.

74 responses

  1. RS203 wrote on :

    Hi to all,

    i have one site on my server that uses SSL with a cert installed. Server is a VPS with last version of Cpanel installed.

    Now if i und good, it’s not an issue of server or software installed in that, but only an issue of browsers that support SSLv3 yet, right?

    So i only must wait for the 25 Nov update for FF and do nothing else?

    1. RS203 wrote on :

      In case i must change something on my server, what i have to do?

    2. Daniel Veditz wrote on :

      For a downgrade attack to work both the server and browser need to support SSLv3. If you are a browser user then you want to block SSLv3 in your browser to protect yourself because you might connect to a server which is not yet fixed. If you run a server you want to disable SSLv3 on your server, because most browser users will not have disabled SSLv3.

  2. Kartikaya Gupta wrote on :

    I’m running the latest Firefox Aurora (34.0a2 (2014-10-13)) on OS X, and when I go to it says I’m vulnerable because I have SSL 3.0 enabled. With the addon it doesn’t say that. However if SSLv3 is disabled by default in 34, I shouldn’t be vulnerable even without the addon. Anything I can to do figure out what’s going on?

    1. Daniel Veditz wrote on :

      SSLv3 is not yet disabled in Firefox 34, our announcement was that we plan to do so before we ship in late November. We only landed the change on Aurora today which means it won’t be in an Aurora 35.0a2 build until 2014-10-17 or later:

      We have not yet landed the fix on Beta (which will become Firefox 34), and won’t until we get a few days of user feedback on Aurora to make sure we don’t unexpectedly break something.

      When we release a stable Firefox, as we did with Firefox 33 on Tuesday, it usually takes a few days or a week to get the code changes merged (from Aurora to Beta and Nightly to Aurora) and then tested for stability before we start updating Aurora and Beta again.

  3. Randy wrote on :

    Why isn’t there a way to PLUG IN a new SSL package of some type so that when this happens it’s super easy to upgrade the browser instead of a full upgrade?
    Sometimes the changes to a new browser makes me sick, like when you make it look like a mac GUI I hate that.
    Sometimes you have to upgrade the OS just to upgrade the browser and that is a joke.
    So make the encryption part something you can easily change out.

  4. Torstein Norway wrote on :

    I got a catch 22 using the 33.0 Firefox browser.

    Trying to log into my “wireless Linksys” using https://192.168… don’t work in this version I get the “Error code: sec_error_invalid_key” and since I set “only https” in my LinkSys Tomato firmware it seem I’m now blocked from accessing my wireless admin at all. On top of that I cannot reach the router physically for a “reset”.

    Any chance to temporarily enable “old” SSL3 with I guess “SSLv3 via block ciphers”? as described in Poodlecheck…I get a terrier with “Not vulnerable”. Or what can I do if I cannot use other browsers, no hardware access and no http enabled?

    Thanks a lot for any suggestions team Firefox 🙂

More comments: 1 2