Poodlebleed.com

About PoodleBleed

Introduction

Poodlebleed is a vulnerability in SSL version 3.0's implementation. The acronym POODLE stands for Padding Oracle On Downgraded Legacy Encryption. The vulnerability allows secure connections to be decrypted to plaintext. Bodo Möller of the Google Security Team, in partnership with Thai Duong and Krzysztof Kotowicz, found the flaw.

Poodlebleed

Although SSL 3.0 is nearly 15 years old, many servers and web browsers continue to use it. When web browsers are unable to establish a connection using a newer protocol version (TLS 1.0, 1.1, or 1.2), they may fall back to SSL 3.0. This is where the problem begins.

A network attacker who can cause connection failures, including the failure of TLS 1.0/1.1/1.2 connections, can force the use of SSL 3.0 and exploit the POODLE bug to decrypt secure content transferred between a server and a browser. For specifics on what the Poodlebleed bug is, please refer to the PDF announcement listed under References.

Clients and Web Browsers

For optimal client-side browser security, it is suggested to disable SSL 3.0 entirely. This vulnerability can be mitigated by disabling SSL 3.0 support or CBC-mode ciphers with SSL 3.0; however, this poses substantial compatibility issues for servers running older encryption protocols. The suggested response is therefore support for TLS_FALLBACK_SCSV. In the coming months, most major browsers will implement TLS_FALLBACK_SCSV. Until then, you can protect yourself by removing SSL 3.0 support in your web browser.

This may be accomplished in Firefox by navigating to about:config and setting security.tls.version.min to 1.

This Qualys, Inc. browser test provides more information on the TLS and SSL protocols supported by your browser. If your browser currently supports SSL 3.0 or SSL 2.0 but does not support TLS_FALLBACK_SCSV, you are susceptible to the POODLE flaw and should either upgrade to Google Chrome or disable SSL 2/3 support. Currently, only Google Chrome version 33.0.1750 (February 2014 Build) and later supports TLS_FALLBACK_SCSV; it is recommended that all other web browsers disable SSL 3.0.
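
How TLS_FALLBACK_SCSV stops the forced fallback described above, as an added example that is not part of the original page: a client retrying at a lower version adds the signalling value 0x5600 to its cipher suite list, and a server that supports a higher version answers with the fatal inappropriate_fallback alert (86), as specified in RFC 7507. The function names and the sample ClientHello records are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600       # signalling cipher suite value (RFC 7507)
INAPPROPRIATE_FALLBACK = 86      # fatal alert description (RFC 7507)
SSL3, TLS12 = 0x0300, 0x0303     # protocol version numbers on the wire


def parse_client_hello(record: bytes):
    """Return (client_version, [cipher suites]) from one ClientHello record."""
    if (len(record) < 44 or record[0] != 22 or record[5] != 1
            or int.from_bytes(record[3:5], "big") != len(record) - 5):
        raise ValueError("not a complete ClientHello record")
    body = record[9:]                    # skip record + handshake headers
    (client_version,) = struct.unpack("!H", body[:2])
    pos = 2 + 32                         # client_version + random
    pos += 1 + body[pos]                 # session_id length byte + session_id
    if len(body) < pos + 2:
        raise ValueError("truncated before cipher_suites")
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    raw = body[pos + 2:pos + 2 + cs_len]
    if cs_len % 2 or len(raw) != cs_len:
        raise ValueError("bad cipher_suites length")
    return client_version, list(struct.unpack(f"!{cs_len // 2}H", raw))


def server_decision(record: bytes, server_max: int = TLS12):
    """'continue', or ('alert', 86) if a fallback retry could have gone higher."""
    version, suites = parse_client_hello(record)
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return "continue"


def build_client_hello(version: int, suites: list) -> bytes:
    """Constructed sample: zero random, empty session id, no extensions."""
    cs = struct.pack(f"!{len(suites)}H", *suites)
    body = struct.pack("!H", version) + bytes(32) + b"\x00"
    body += struct.pack("!H", len(cs)) + cs + b"\x01\x00"
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs


# Constructed samples: first attempt, retry after induced failures, old client
FIRST_TRY = build_client_hello(TLS12, [0xC013, 0x002F])
FORCED_RETRY = build_client_hello(SSL3, [0x002F, TLS_FALLBACK_SCSV])
LEGACY_CLIENT = build_client_hello(SSL3, [0x002F])

if __name__ == "__main__":
    print([server_decision(r) for r in (FIRST_TRY, FORCED_RETRY, LEGACY_CLIENT)])
```

The LEGACY_CLIENT case returns "continue": a server that still accepts SSL 3.0 gets no protection from a client that does not send the signalling value, which is why disabling SSL 3.0 remains the recommendation for everything else.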

Servers

This form can be used to determine whether your server supports SSL 3.0. Although disabling SSL 3.0 may result in failed connections to your SSL service for a small percentage of users with older browsers, this measure prevents the majority of current browsers from being snooped on when attempting to access your secure services. Here is an excellent resource for disabling SSL 3.0 on your Apache or nginx-based server.

Online POODLE test: SSL-Tools.net

References

Poodlebleed Announcement