News hitting the web today is that there is a vulnerability in SSL protocol version 3.0 (SSLv3), dubbed "POODLE". This post will provide you with a summary of need-to-know information.
This can affect all browsers (not just Linux).
How will the vulnerability be patched?
In short, the vulnerability in SSLv3 itself won't be patched but instead major browsers (like linked below) will drop support for SSLv3 in their next releases. This will effectively remove the vulnerability for users of those browsers.
Because the next releases of those browser aren't arriving until weeks from now, various websites are already removing support for SSLv3 from their servers. Both the browser and the website need to support SSLv3 for the vulnerability to affect you, so websites removing this support removes the vulnerability for all their users immediately.
What can/should I do now?
For major browsers you can yourself disable the support for SSLv3, ahead of the next releases of those browser. I recommend that you do so. Doing so will effectively remove the vulnerability for your browser immediately.
Firefox: Install Mozilla's SSL Version Control add-on. This will immediately drop support for SSLv3. Restart your browser afterwards to close any currently open SSL connections. With the release of Firefox 34 at end of November, you can remove this add-on again as Firefox 34 will not include SSLv3 support. (Alternatively, you can go to about:config and set the value of security.tls.version.min to 1. You don't need to install the add-on then.)
Chromium: You need to edit the launcher for Chromium to include the option "--ssl-version-min=tls1", which would disable SSLv3 support. You can do so by running the following command from the terminal:
sudo sed -ri 's/^(Exec=[^ ]*)(.*)$/\1 --ssl-version-min=tls1\2/' /usr/share/applications/chromium-browser.desktop
Google Chrome: You need to edit the launcher for Google Chrome to include the option "--ssl-version-min=tls1", which would disable SSLv3 support. You can do so by running the following command from the terminal:
sudo sed -ri 's/^(Exec=[^ ]*)(.*)$/\1 --ssl-version-min=tls1\2/' /usr/share/applications/google-chrome.desktop
Programs with embedded browsers, like email clients, may need to have SSLv3 support removed also.
Thunderbird: Click on the application button (icon on the right side of the menu bar) and click on Preferences in the menu that appears. Choose Advanced in the menu bar and on the General tab click on Config Editor. Search for security.tls.version.min and set its value to 1. Restart Thunderbird afterwards to close any currently open SSL connections.
How can I test whether my browser is (still) vulnerable?
You can test whether your browser is vulnerable by visiting
www.poodletest.com/. Note that browsers may cache this website, so if you have visited it before applying one of the above changes please upon visiting the website again (and seeing the same result as before) press Ctrl+F5 to force the browser to bypass the cache.
