SSL security is based on the SSL/TLS protocol, which has been released in the versions SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. The first widely deployed version was SSL 3.0. Over the years the protocol was moved to the IETF, which released the TLS versions. SSL 3.0 is an obsolete and insecure protocol; unfortunately, it is still widely deployed on most websites.

When a server and a browser negotiate SSL/TLS, they agree on the most secure version that both support. However, the protocol also allows a downgrade to an older version to work around interoperability bugs, so a handshake that would otherwise use a secure version can be downgraded to SSL 3.0, and an attacker can prompt such a downgrade. The POODLE attack (Padding Oracle On Downgraded Legacy Encryption) allows items such as “secure” HTTP cookies or HTTP Authorization header contents to be stolen from the downgraded communication. More information on how POODLE works can be found in the Security Advisory prepared by Google.

If POODLE is used against SSL 3.0, there is no workaround or corrective action that mitigates the attack; the only solution is to stop supporting SSL 3.0. SSL 3.0 can be disabled either on the server or on the client (e.g., browser) side. Most server administrators should consider disabling SSL 3.0, and we will also see browser releases that no longer support it: Mozilla plans to disable SSL 3.0 in Firefox 34, to be released in November, and Google also plans to remove SSL 3.0 from its client products, such as Chrome, in the coming months.
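The negotiation and fallback behaviour described above, as an added illustration that is not part of the original article: a small model of version negotiation plus the client-side retry-with-a-lower-version fallback, showing why forced handshake failures land on SSL 3.0 only while both peers still enable it. The version names, the `server_pick` and `downgrade_dance` functions and the `attacker_drops` counter are constructed for this model, not taken from any real TLS implementation.

```python
from typing import Optional

# Protocol versions named in the article, oldest first; list index = preference order.
VERSIONS = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]


def server_pick(client_max: str, server_versions: set) -> Optional[str]:
    """Server side of negotiation: the newest version it enables that does not
    exceed the newest version the client offered, or None (handshake failure)
    when there is no common version."""
    limit = VERSIONS.index(client_max)
    candidates = [v for v in server_versions if VERSIONS.index(v) <= limit]
    return max(candidates, key=VERSIONS.index) if candidates else None


def downgrade_dance(client_versions: set, server_versions: set, attacker_drops: int = 0):
    """Model of the client-side fallback: offer the newest enabled version and,
    on any handshake failure, retry offering the next one down.  attacker_drops
    is the number of consecutive handshakes an on-path party makes fail
    (constructed parameter).  Returns (negotiated_version_or_None, log)."""
    log = []
    for client_max in sorted(client_versions, key=VERSIONS.index, reverse=True):
        chosen = server_pick(client_max, server_versions)
        if chosen is None:
            log.append((client_max, "no common version"))
            continue
        if attacker_drops > 0:
            attacker_drops -= 1
            log.append((client_max, "handshake failed"))
            continue
        log.append((client_max, f"agreed on {chosen}"))
        return chosen, log
    return None, log  # every attempt failed: no session at all


ALL = set(VERSIONS)
NO_SSL3 = ALL - {"SSL 3.0"}

if __name__ == "__main__":
    # Both sides still enable SSL 3.0: three forced failures end on SSL 3.0 (POODLE exposure).
    print(downgrade_dance(ALL, ALL, attacker_drops=3))
    # Server disabled SSL 3.0: the connection can be broken, but no SSL 3.0 session is ever reached.
    print(downgrade_dance(ALL, NO_SSL3, attacker_drops=3))
    # Browser disabled SSL 3.0: same outcome from the client side.
    print(downgrade_dance(NO_SSL3, ALL, attacker_drops=3))
```

The third and fourth scenarios are the article's point: with SSL 3.0 disabled on either side, the worst a downgrade can achieve is a failed connection rather than a legacy-encrypted session.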