In order to protect our customers from the recently announced POODLE vulnerability in SSL, we have disabled support for SSLv3 across our entire customer base. This change will prevent attackers from exploiting the vulnerability and keep SSL sessions secure. However, the change will also prevent users of Internet Explorer 6 from connecting to your site via HTTPS.
If your site does not utilize an SSL certificate for day-to-day traffic, you have nothing to worry about. Furthermore, Internet Explorer 6 users will still be able to access your site via HTTP. The only thing they will be prevented from doing is accessing your site via HTTPS.
The vulnerability is a flaw in the design of the SSLv3 protocol itself, not in any particular software implementation of it, so it cannot be patched in software. Further details can be found in a paper released by the researchers who discovered the vulnerability.
Using the POODLE vulnerability, an attacker can hijack an encrypted session between a browser and a server that supports SSLv3. SSLv3 is an older encryption method and is primarily used by older web browsers such as the aforementioned Internet Explorer 6.
Customers who utilize Internet Explorer 6 should consider installing an alternative web browser such as Mozilla Firefox (which requires at least Windows XP Service Pack 3) or Google Chrome. Both browsers support newer SSL standards and are not impacted by this change.
Customers who are on Premium & Enterprise plans and wish to maintain support for older browsers should contact support to discuss the options available to them.
Update — October 15th, 12:33am CDT: While the majority of our customers have had SSLv3 disabled, our admin team is still working with a small number of 3rd party vendors to make sure all sites are completely safe. Please know we are doing everything we can to get this sorted as quickly as possible!
Jason Cosper works as the Developer Advocate for WP Engine and helps customers with their security concerns on a daily basis. He spends most of his days getting elbows deep in huge messes and doling out WordPress optimization advice. In his spare time, Cosper enjoys spending time with his wife and very tiny dog, grilling meats, sampling assorted craft beers, writing cranky tweets about the Lakers and brewing coffee.
Dave Kuhar says
Thanks for being on top of this!
Darryn Hope says
I have no idea what is happening with regards to this POODLE bug. What does this mean for the SSL we have on our sites? Do we have to do anything?