wintersun wrote:
Evidently what was not noticed was that the announcements regarding the vulnerability also stated that SSL 3.0 was used by 0.3% of Firefox HTTPS connections. The reason why it is such a low number is that most people have newer computers running newer versions of Firefox and IE.
The real issue was that the current version of Firefox, and most other major browsers, still supported SSL 3 connections. This made it vulnerable to Poodle type attacks on malicious websites, which attempted to force the browser to fallback to SSL 3. Even though, it currently supported the stronger TLS.
So the 0.3% of Firefox connections using SSL 3 is moot as this likely refers to legit usage. But, by still allowing Firefox, and other browsers to fallback to SSL 3 as an option, left it vulnerable to attack by hacker websites. So the need to disable SSL 3 support regardless as a precaution.
The SSL 3 connection option can be disabled either on the server or client side, or other measures can be implemented on the network side to mitigate the vulnerability issues, such as in an enterprise environment.
