We have been following the recently discovered vulnerability identified as CVE-2014-3566 (popularly referred to as POODLE). This vulnerability affects the SSLv3 protocol, which is supported by most Nexcess servers. SSLv3 (also known as SSL 3.0) is an old and outdated Internet cryptographic protocol that was designed to ensure secure connections for various services, including HTTPS. While more modern protocols such as Transport Layer Security (TLS) have generally replaced it, SSLv3 has remained available on most systems to allow fallback compatibility with older legacy software.
POODLE itself is a man-in-the-middle attack. This type of attack is difficult to exploit, and we have seen no cases or evidence of it affecting any of our systems. Regardless, we have chosen to disable SSLv3 on all of our systems within the coming few weeks. Unfortunately, this necessary step may cause compatibility problems for users of old browsers (specifically Internet Explorer 6 on Windows XP). Any clients using IE6 attempting to connect to a site with SSLv3 disabled will not be able to do so.