Yesterday, Google researchers announced a vulnerability in version 3.0 of the SSL protocol. Google’s advanced acronym-generation algorithm dubbed this issue POODLE (for “Padding Oracle On Downgraded Legacy Encryption”).
Even though the SSL 3.0 protocol has been superseded by secure alternatives for at least a decade, most existing operating systems and Internet applications are willing to speak this old dialect for backward compatibility. Unfortunately, this willingness could be exploited by attackers to force modern web browsers and servers to communicate insecurely.
The researchers found that an attacker with control over your network connections (for example, on a public wifi network) could trick your web browser into leaking your personal “cookies.” These cookies could be used to assume your identity on secure web services like Evernote.
Web browser vendors are working to push updates that would mitigate this risk by removing SSL 3.0 support from their software, but it may take months for these changes to trickle out to the majority of Internet users. Until that time, users of any service that still offers SSL 3.0 communications will be vulnerable to attack.
Evernote has determined that the only way to ensure that our users are protected from this vulnerability is to disable SSL 3.0 support on all of our servers so that they will only communicate with secure TLS. This will prevent attackers from tricking your browser into using the insecure protocol and stealing your identity.
Tomorrow morning (October 16th), we will disable SSL 3.0. The majority of Evernote users should not see anything different after the change. Unfortunately, there are two types of users who may have problems connecting to Evernote after SSL 3.0 is disabled.
First, people who access Evernote through extremely old web browsers like Internet Explorer version 7 or earlier may see security errors on www.evernote.com, as well as other sites like Twitter that have made this change. To fix this problem, install a more recent web browser.
Second, people who have installed Evernote on Windows XP may see networking errors during synchronization if they never installed Service Pack 3 and Internet Explorer 8 on their computers. These people should be able to fix the problem by installing Service Pack 3 and Internet Explorer 8 via Windows Update (or from Microsoft’s web sites).
We apologize in advance for the disruption this will cause to users of those old browsers and operating systems, but we feel that this is the best way to protect all Evernote users from attack.
Several people have reported that they can’t connect to Evernote servers from IE or Evernote on Windows computers running version 7 or later. Even though Windows 7 ships with “TLS” support enabled by default, it seems that some people have systems which have this disabled.
If you can’t access secure sites like Evernote and Twitter from IE on your Windows computer, then follow the steps in one of these articles to re-enable “TLS” on your system: