The Poodle bug and why it matters to IBM Domino.

In October, Google researchers discovered a bug in SSLv3 that has been named the Poodle bug. If you’re interested, it stands for “Padding Oracle On Downgraded Legacy Encryption”.

SSLv3 is an 18-year-old encryption method used to transfer secure information over the internet. However, it’s been estimated that only about 1% of secure internet traffic uses it, as it has mostly been superseded by TLS (Transport Layer Security). For this reason, three of the most popular browsers have decided to stop supporting SSLv3.

Firefox 34, which disables SSLv3 by default, will be released on 25th November. (Reference)
Microsoft have released a fix which disables SSLv3 in Internet Explorer. (Reference)
In the upcoming release of Google Chrome 39, SSLv3 is disabled by default. (Reference)

The reason it matters to Domino is that SSLv3 is embedded into the server software and can’t be turned off. This wouldn’t matter if Domino supported TLS, but it doesn’t, which means that if you want to use encryption over the internet with Domino, you’re going to have to do something about it. As browsers tend to be set to update themselves automatically, this can’t be ignored.

Fortunately, IBM have now released fixes for Domino 8.5 and 9 here.
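To see what a server negotiates before and after applying a fix, here is an added example (not part of the original post and not IBM code) that sends a minimal ClientHello and reads the protocol version out of the ServerHello. All function names and the sample bytes are hypothetical, and it assumes the server accepts a hello with no extensions and four common RSA cipher suites.

```python
import os
import socket
import struct

VERSIONS = {0: "SSLv3", 1: "TLSv1.0", 2: "TLSv1.1", 3: "TLSv1.2"}
# RSA key-exchange suites (AES-CBC, 3DES-CBC, RC4) defined for SSLv3 and TLS alike.
SUITES = [0x002F, 0x0035, 0x000A, 0x0005]
# Constructed sample replies (leading bytes only), not captured from a real server.
SAMPLE_SSLV3_HELLO = bytes.fromhex("160300002a020000260300")
SAMPLE_ALERT = bytes.fromhex("15030000020228")

def client_hello(minor):
    """Build a ClientHello record offering version 3.<minor>, without extensions."""
    suites = b"".join(struct.pack(">H", s) for s in SUITES)
    body = (bytes([3, minor]) + os.urandom(32) + b"\x00"
            + struct.pack(">H", len(suites)) + suites + b"\x01\x00")
    handshake = b"\x01" + struct.pack(">I", len(body))[1:] + body
    return b"\x16\x03\x00" + struct.pack(">H", len(handshake)) + handshake

def classify(reply):
    """Name the version chosen in a ServerHello, or report an alert."""
    if len(reply) >= 7 and reply[0] == 0x15:
        return "alert %d" % reply[6]
    if len(reply) >= 11 and reply[0] == 0x16 and reply[5] == 0x02 and reply[9] == 3:
        return VERSIONS.get(reply[10], "unknown")
    return "no handshake"

def probe(host, port, minor, timeout=5.0):
    """Send one ClientHello to host:port and classify the start of the reply."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(client_hello(minor))
            while len(data) < (7 if data[:1] == b"\x15" else 11):
                chunk = sock.recv(64)
                if not chunk:
                    break
                data += chunk
    except OSError:
        pass  # refused, reset or timed out: classify whatever arrived
    return classify(data)

def assess(sslv3_offer, tls12_offer):
    """Interpret two probe() results: SSLv3-only offer, then offer up to TLS 1.2."""
    if tls12_offer == "SSLv3":
        return "SSLv3 only"
    if sslv3_offer == "SSLv3":
        return "TLS available, SSLv3 still accepted"
    return "TLS only" if tls12_offer.startswith("TLS") else "inconclusive"
```

For a server you administer, `assess(probe(host, 443, 0), probe(host, 443, 3))` summarises the result; a server that answers a TLS 1.2 offer with version 3.0 speaks SSLv3 only.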

In addition to this, Google has also announced its intention to remove support for SHA-1 certificates (Reference). These certificates are also part of the Domino SSLv3 defaults. Google isn’t going to simply stop using them; instead, depending on the certificates’ age, it will display either a warning triangle or a red cross next to the https part of the address.

Once again, IBM have announced a fix; however, it’s going to be in Domino 9 only. What better reason do you need to upgrade?