Eric Tompkins
Oct 28, 2014

We're Not Afraid of POODLE

A few weeks ago, some Google researchers published a report on a security bug in SSL. Their report describes an attack cutely called POODLE ("Padding Oracle On Downgraded Legacy Encryption"). Essentially, the vulnerability lets an attacker circumvent SSL protections to intercept and possibly replace data.

The nice thing, though, is that this vulnerability exists only in older versions of SSL, namely version 3.0. Newer browsers use newer versions of the SSL protocol by default. Browser vendors are currently working on updates that will disable the SSL 3.0 protocol by default.

We have taken steps over the last few weeks to update our servers and hardware to protect against this vulnerability. Most visitors to your websites will not notice a change. The only disruption that we've seen is with those using IE 8 on Windows XP, as that browser/OS combination does not support newer SSL ciphers. It only supports old ciphers that we had to disable in order to fix this vulnerability. If you visit a secure page with that browser, you will see a message that the page could not be loaded. This isn't unique to our servers. I've tested other vendors who have patched their systems and get the same result. IE 8 on Windows 7 works just fine with secure web pages, as does visiting non-secure ('http' instead of 'https') pages with IE 8 on Windows XP.

If you have any questions about security or about Branch CMS, please do not hesitate to contact us.
