OpenVPN Poodle SSL - VPN Security

POODLE (CVE-2014-3566) affects the SSL protocol, specifically servers running SSL 3.0. It targets cipher block chaining (CBC) encryption implementations and can allow an attacker in a Man-in-the-Middle (MITM) position to view the content of an encrypted transmission.





10 minutes after the public release by the security researchers Thai Duong and Krzysztof Kotowicz, ActiVPN disabled the SSL3 ciphers on our websites.





Regarding the viability of such an attack on the VPN connection, please note that it requires making a client log in thousands of times in a short duration, and the attacker must control the number of bytes before the password. Neither of those is possible against any VPN, SMTP, IMAP and POP client (library) I know.





OpenVPN's external layers use TLSv1.0, or (with >=2.3.3) optionally TLSv1.2, and are thus not impacted by POODLE.


With OpenVPN over SSL, even if your stunnel connection negotiated SSL 3.0, the underlying security provided by the OpenVPN layers ensures no problems, due to the impracticability of the attack.





But POODLE means that the last remnants of SSLv3 support in client libraries are likely to be disabled in the near future, which makes it safe to disable SSLv3 completely in VPN servers.





As a VPN user, there is no need for action on your part.





ActiVPN strives to be the most secure VPN.

