Today news broke that SSL 3.0, the last version before TLS was released, has been thoroughly cracked. The protocol itself was exploited, not just a bug in an implementation. That means that no software which supports SSL3 is safe. Most notable in this class are Internet Explorer 6 and Windows XP. Anyone still using either of those, of course, should have moved off them long, long ago.
This shouldn't come as any sort of surprise. SSL3 has been widely known to be weak for many years. I even mentioned it in my OpenWest presentation last year. That was when I took the opportunity to disable it on all of my TLS servers.
What should you do?
- Test your server and fix any errors such as
- Disable SSL 3.0 support
- Enable HSTS
- Enable forward secrecy
- Use an updated browser, such as Firefox, Chrome or (if you dare) Internet Explorer
That's basically it. While you're at it, get a new SHA256 certificate. That's the next shoe that will drop.
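An added example, not part of the original post: a small Python check that audits a server configuration for three of the checklist items above (SSL 3.0 disabled, HSTS enabled, forward secrecy). It assumes nginx directive syntax, which the post does not specify; the two sample configurations, the finding labels and the function names are constructed for illustration.

```python
import re

# Constructed sample configs (nginx syntax is an assumption; the post names no server).
WEAK = """
ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers RC4-SHA:AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256;
"""
HARDENED = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers on;
add_header Strict-Transport-Security "max-age=31536000";
"""
# Cipher names/aliases whose key exchange is ephemeral (forward secret).
FS_PREFIXES = ("ECDHE", "DHE", "EECDH", "EDH")

def directive(conf, name):
    """Return the argument string of the last `name ...;` directive, or None."""
    hits = re.findall(rf"^\s*{re.escape(name)}\s+([^;]+);", conf, re.M)
    return hits[-1].strip() if hits else None

def audit(conf):
    """Return findings for the checklist: SSL 3.0 off, forward secrecy, HSTS."""
    findings = []
    protocols = directive(conf, "ssl_protocols")
    if protocols is None:
        findings.append("protocols-unset")  # default depends on server version
    elif "SSLv3" in protocols.split():
        findings.append("sslv3-enabled")
    ciphers = directive(conf, "ssl_ciphers") or ""
    # Skip exclusions (!x, -x); anything else must use an ephemeral key exchange.
    weak = [c for c in ciphers.split(":")
            if c and c[0] not in "!-" and not c.startswith(FS_PREFIXES)]
    if not ciphers or weak:
        findings.append("no-forward-secrecy: " + (", ".join(weak) or "ssl_ciphers unset"))
    hsts = re.search(r'add_header\s+Strict-Transport-Security\s+"?max-age=(\d+)', conf, re.I)
    if not hsts or int(hsts.group(1)) == 0:
        findings.append("hsts-missing")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(conf) or "ok")
```

A static check like this only covers what the configuration file says; it does not replace testing the running server.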