Goodbye, SSLv3: Mitigating the POODLE vulnerability
In response to the publication of a security flaw in the design of SSLv3, we have integrated TLS_FALLBACK_SCSV on our hosting platform and mailservers.
The flaw, dubbed POODLE in the announcement by the Google security team, allows a network attacker to force use of a less secure version of the protocol, making it easier to obtain the content of secure connections in plain text.
If for some reason you are not able to upgrade to a modern browser or operation system, you should take steps to protect yourself, such as disabling SSLv3 in your browser.
SSL 3.0 is already an obsolete protocol, so the vast majority of email clients will not notice any difference. However, some very old email clients, operating systems and browsers (Windows XP, IE6) may encounter issues. If you notice any problems connecting to our mailservers, please write to our support team with details.
For those interested in the technical details, there’s some good reading over at Ars Technica (new window).
Note: We considered disabling SSLv3 on connections to mail.gandi.net via IMAP and POP3, but decided not to do so immediately. We will do so in the months to come, after taking steps to minimize the impact it will have on our customers’ services.Tagged in Security