Time to Say Goodbye to SSL Version 3.0


It is no secret that securing your client’s data is an ongoing process and not something that you can simply install on a server/platform. That is why security solutions and protocols evolve all the time and developers frequently release new versions. The two cryptographic protocols that provide communication security over the Internet are TLS and SSL. The latest version of Secure Sockets Layer (SSL version 3.0) is the predecessor of TLS and is nearly 15 years old. So it was only a matter of time for someone to find the next big issue related to the SSL protocol. Yesterday Bodo Möller from the Google Security Team wrote a blog post about a new vulnerability in the design of SSL version 3.0. The vulnerability allows attackers to calculate the plain text of secure connections.

Possible Fixes:

There are two ways to protect yourself. The first and best way to mitigate this problem is to completely disable SSL version 3.0 on all of your servers and also remove SSL 3.0 support from all client products. For example, Google officially announced in the same blog post that in the coming months they will remove SSL version 3.0 support from all of their client products (including the Google Chrome browser). Cloudflare and Sucuri already stopped supporting it. All other major browsers will also disable SSLv3 by default (Firefox version 34 will be released on Nov 25).

The second solution is to support TLS_FALLBACK_SCSV. This is a solution which prevents attackers from tricking browsers to use the old SSLv3 protocol instead of the TLS protocol. However, this solution is difficult to implement (many people will need to manually compile custom version of openssl) and it is only a new patch which solves this issue but does not provide any guarantees that SSLv3 won’t become vulnerable again a week from now.

Our Solution:

Based on a detailed analysis of our network and the traffic towards our servers we decided to completely remove SSL version 3.0 support. As a matter of fact, a big portion of our servers have already been configured to support only the TLS encryption protocol and we’re in the process of reconfiguring all machines that are part of our infrastructure.

Possible Issues:

We know that some web applications still use SSLv3. Let’s say that for example a developer has decided to configure his/her PHP app to use SSLv3 via the CURLOPT_SSLVERSION option. Unfortunately, if such application connects to our servers, the connection will not be established and the developer will need to patch the code of the app. Our analysis shows that less than 0.05% of all traffic towards our servers is SSLv3. Thus, we do not expect such issues to occur, but we still encourage our customers to contact us via our Helpdesk if they notice any SSL-related issues.

Access email sent!

Sign Up For
More Awesome Content!

Subscribe to receive our monthly newsletters with the latest helpful content and offers from SiteGround.


Please check your email to confirm your subscription.

author avatar

Daniel Kanchev

Director Product Development

Daniel is responsible for bringing new products to life at SiteGround. This involves handling all types of tasks and communication across multiple teams. Enthusiastic about technology, user experience, security and performance, you can never be bored hanging around him. Also an occasional conference speaker and travel addict.

Comments ( 6 )

author avatar


Oct 18, 2014

Thanks for being awesome SiteGround :) Keep up the great work on proactive security! Aloha

author avatar

Rod Warrix

Oct 20, 2014

I'd like to also thank you for posting this. I did not see or hear anything before seeing it here and it's good to know that these security vulnerabilities are out there and active and helps to find the solution to our personal or business websites hosted with Siteground even thou you have got the best secured hosting around with lots of understandable features to offer us all to help us keep our sites optimized, clean and secure. I have not had really one problem in like the three years with you! Great support and team efforts making hosting with you easy and simple. Thanks a lot.

author avatar

Gert Steenssens

Oct 21, 2014

Hi, Glad to hear that. which i guess is also the reason why the siteground control panel is now *not* defaulting to RC4 anymore, good thing it got dropped with this change... a thing cryptographers have been recommending for some time (http://blog.cryptographyengineering.com/2013/03/attack-of-week-rc4-is-kind-of-broken-in.html) also, how do I force the control panel to now use AES instead of 3DES (ew) ?

author avatar

Sandra Moser

Oct 25, 2015

I have a old pc a xp , what can i do so i can still use it ?

author avatar

Marina Yordanova Siteground Team

Oct 27, 2015

If you have an older version of Windows, such as Windows XP, make sure it is at least patched with SP3 to be able to access sites with SSLv3 disabled.

author avatar

Shahar Bahasi

Jun 02, 2016

Thank you for simplifying


Start discussion

Related Posts