External statement on SSL 3.0 protocol vulnerability and the POODLE attack
The U.S. Computer Emergency Readiness Team (US-CERT), a division of the U.S. Department of Homeland Security (DHS), recently released a security advisory stating that all systems and applications using Secure Sockets Layer (SSL) 3.0 with cipher block chaining (CBC) mode ciphers may be vulnerable to attack. The Padding Oracle On Downgraded Legacy Encryption (POODLE) attack demonstrates the weakness: an attacker who controls the network path forces a client to fall back from TLS to SSL 3.0 and then exploits the unchecked CBC padding bytes in SSL 3.0 to recover plaintext, such as a session cookie, one byte at a time. US-CERT notes that web browsers connecting to web servers are the most likely exploitation scenario. The Google security team that discovered this vulnerability in September 2014 has stated that they do not consider the POODLE attack to be as serious as the Heartbleed or Shellshock attacks.
BD is following the US-CERT recommendation to disable SSL 3.0 on our hosted web service solutions. Once SSL 3.0 is disabled, a browser must negotiate TLS to connect, so this affects only customers using outdated web browsers, such as Internet Explorer (IE) 6.0 or older, which do not enable TLS by default. However, BD previously communicated to customers that the company would no longer support IE 6.0 as of October 1, 2014, so we expect minimal impact to customers.
For any customer using IE, BD recommends following the suggested actions in the Microsoft® advisory instructions or using an alternate web browser that supports the Transport Layer Security (TLS) protocol.
To change the default protocol version to be used for HTTPS requests, Microsoft recommends:
For any customer using Google Chrome or Mozilla Firefox, BD recommends following the suggested actions in Disabling Browser Support for the SSL 3.0 Protocol.
Having disabled SSL 3.0 on our systems, BD can confirm that the following customer-facing hosted web service solutions no longer accept SSL 3.0 connections and are therefore not exposed to the POODLE attack:
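The confirmation above can be checked independently from the outside. The script below is an added example and is not part of BD's statement or BD's own tooling: it sends a raw SSL 3.0 ClientHello that offers only CBC cipher suites and classifies the first record the server sends back. A ServerHello with version 3.0 means the server still negotiates SSL 3.0 with a CBC cipher, which is exactly the configuration POODLE targets; an alert or a closed connection means SSL 3.0 is no longer offered. The hostnames are placeholders you supply on the command line, and the two sample replies embedded in the block are constructed for offline testing, not captured from any BD system.

```python
import os
import socket
import struct
import sys

SSL3_VERSION = b"\x03\x00"

# CBC-mode cipher suites a legacy client would offer. Only CBC suites are
# listed on purpose: a server that negotiates any of them under SSL 3.0 is
# the configuration POODLE exploits.
CBC_SUITES = {
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}


def build_sslv3_client_hello(client_random=None):
    """Build a complete SSL 3.0 ClientHello record (SSL 3.0 has no extensions)."""
    if client_random is None:
        client_random = os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CBC_SUITES)
    body = (
        SSL3_VERSION                      # client_version = 3.0
        + client_random                   # 32-byte client random
        + b"\x00"                         # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                     # one compression method: null
    )
    # Handshake header: type client_hello (1) + 24-bit body length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: type handshake (0x16) + version 3.0 + 16-bit length
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server returns for the SSL 3.0 ClientHello.

    'verdict' is one of 'sslv3_accepted', 'rejected', 'no_response', 'other',
    with the negotiated cipher suite or alert name added where applicable.
    """
    if not data:
        # Many hardened servers simply close the socket on an SSL 3.0 hello.
        return {"verdict": "no_response"}
    if len(data) < 5:
        return {"verdict": "other"}
    content_type = data[0]
    length = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == 0x15 and len(payload) >= 2:
        # Alert record: level, description. handshake_failure and
        # protocol_version both mean SSL 3.0 is not offered.
        desc = payload[1]
        return {"verdict": "rejected", "alert": ALERT_NAMES.get(desc, str(desc))}
    if content_type == 0x16 and len(payload) >= 4 and payload[0] == 0x02:
        # ServerHello layout: type(1) len(3) version(2) random(32)
        #                     sid_len(1) sid(...) cipher_suite(2) compression(1)
        server_version = payload[4:6]
        sid_len = payload[38] if len(payload) > 38 else 0
        suite_off = 39 + sid_len
        suite = None
        if len(payload) >= suite_off + 2:
            suite = struct.unpack("!H", payload[suite_off:suite_off + 2])[0]
        if server_version == SSL3_VERSION:
            return {"verdict": "sslv3_accepted", "cipher_suite": suite,
                    "cipher_name": CBC_SUITES.get(suite, "unknown")}
        return {"verdict": "other", "server_version": server_version.hex()}
    return {"verdict": "other"}


def probe(host, port=443, timeout=5.0):
    """Connect to host:port, send the SSL 3.0 ClientHello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


def _constructed_server_hello(version=SSL3_VERSION, suite=0x002F):
    """Constructed (not captured) ServerHello record used for offline testing."""
    body = version + bytes(32) + b"\x00" + struct.pack("!H", suite) + b"\x00"
    handshake = b"\x02" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


# Constructed sample replies: a server still speaking SSL 3.0 with AES-CBC,
# and a server answering with a fatal handshake_failure alert.
SAMPLE_ACCEPT = _constructed_server_hello()
SAMPLE_REJECT = b"\x15\x03\x00\x00\x02\x02\x28"

if __name__ == "__main__":
    # Hostnames are placeholders supplied by the operator, e.g.
    #   python poodle_probe.py portal.example.com
    for host in sys.argv[1:]:
        print(host, probe(host))
```

Run it against every public hostname and port of each hosted solution, not just the primary web front end; an SSL 3.0 listener left on a secondary host or a non-443 port would still expose the same downgrade. The probe only tests whether SSL 3.0 is negotiated, so a "rejected" or "no_response" result is evidence that the US-CERT recommendation is in effect, not a general TLS configuration review.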