Researchers at Google has discover a new attack on the SSLv3 protocol, which takes advantage of an issue with the protocol that enables a network attacker to recover the plain text communications of the victim.
The attack is known as POODLE. The technique takes advantage of the fact that when a secure communication attempts fails, servers will fall back to older protocols such as SSLv3, in an attempt to continue communication with the remote client/server. An attacker who can trigger a connection failure can then force the use of SSLv3 and attempt the attack.
The easiest fix for the attack is to disable SSLv3, but that has compatibility implications for browsers especially older ones. Recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevent attackers from inducing browsers to use SSLv3. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0.
This new attacks affects a wide range of software, including OpenSSL.
Firefox is planning to turn of SSLv3. As per firefox updates there is only 0.3% of https uses SSLv3. An SSLv3 will be disabled by default in Firefox34 which is expected to release on Nov 25.