OneLogin puts POODLE to bed

October 15th, 2014 / smarter identity

Google recently announced a new vulnerability called POODLE. It targets connections that use SSLv3, an older encryption protocol in the SSL/TLS family. Most modern browsers default to newer versions of TLS instead of SSL, e.g., TLSv1.2.

OneLogin defaults to establishing connections with browsers and API clients using TLS encryption, but there is a possible attack vector whereby an attacker could cause browsers to downgrade to SSLv3, rendering them vulnerable.

In response, on Tuesday evening, October 14, 2014, OneLogin disabled SSLv3 across our network by default for all customers, effective immediately. This will have no impact on our supported browser configurations (listed here), but a minority of our users may still use older browsers, such as Internet Explorer 6 running on Windows XP or older. Our data shows that this represents ~0.01% of our user base. If you are affected by this change, you will need to configure your browsers to support TLSv1, or upgrade your browser(s).
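One way to estimate who is affected before turning SSLv3 off, shown as an added example that is not OneLogin's code: it separates clients that only ever negotiate SSLv3 (they will stop connecting) from clients that also negotiate TLS (their SSLv3 sessions were fallbacks). The log format and sample lines are assumptions constructed for the example, with the protocol field written the way nginx's `$ssl_protocol` reports it.

```python
import re
from collections import defaultdict

# Constructed sample lines. Assumed format: client address, negotiated
# protocol, quoted user agent.
SAMPLE_LOG = """\
198.51.100.7 TLSv1.2 "Mozilla/5.0 (Windows NT 6.1) Chrome/38.0"
198.51.100.7 TLSv1.2 "Mozilla/5.0 (Windows NT 6.1) Chrome/38.0"
203.0.113.20 SSLv3 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.20 SSLv3 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.44 TLSv1 "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Firefox/32.0"
192.0.2.44 SSLv3 "Mozilla/5.0 (Windows NT 6.1; rv:32.0) Firefox/32.0"
192.0.2.90 TLSv1.1 "curl/7.38.0"
this line is malformed and is skipped
"""

LINE_RE = re.compile(r'^(\S+) (SSLv3|TLSv1(?:\.[0-9])?) "([^"]*)"$')

def classify_clients(log_text):
    """Group (address, user agent) pairs by the protocols they negotiated."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            client, proto, agent = m.groups()
            seen[(client, agent)].add(proto)
    report = {"sslv3_only": [], "mixed": [], "tls_only": []}
    for key, protos in sorted(seen.items()):
        if protos == {"SSLv3"}:
            report["sslv3_only"].append(key)   # breaks once SSLv3 is off
        elif "SSLv3" in protos:
            report["mixed"].append(key)        # TLS-capable; SSLv3 was a fallback
        else:
            report["tls_only"].append(key)
    return report

def affected_share(report):
    """Fraction of observed clients that never negotiated anything but SSLv3."""
    total = sum(len(v) for v in report.values())
    return len(report["sslv3_only"]) / total if total else 0.0

if __name__ == "__main__":
    result = classify_clients(SAMPLE_LOG)
    print(result["sslv3_only"], result["mixed"], affected_share(result))
```

Clients in the `mixed` group keep working after the change; a sudden rise in that group while SSLv3 is still enabled is worth investigating as possible forced fallback.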

OneLogin continues to track this vulnerability. As news breaks, we will update our related post.

About the Author

Robert Berlin is the Director, Product Marketing at OneLogin, where he is responsible for content creation and marketing programs. His background includes over 25 years in product management, product marketing and business development in the computing, cloud and networking industries with Cisco, VCE and Fortinet. He holds an MBA from Pepperdine University.
