As mentioned on Atlassian’s main blog, we’ve decided to end SSL 3.0 support on bitbucket.org in the wake of the newly-published POODLE exploit. Once all the facts were in, the choice was easy, and we acted quickly to address the issue. As our customer, though, you should know why we did what we did.
In the POODLE exploit, a well-placed attacker can trick each end of an SSL transaction into downgrading to an older, insecure, cipher. Once the connection is established, the attacker can become man-in-the-middle and compromise the data going back and forth between server and client.
The exploit relies on both ends’ willingness to communicate over SSL 3.0. If just one end of the transaction is unwilling to cooperate, then the attack fails altogether. Some older browsers or Git/Mercurial clients may not be able to use the newer TLS standard, though – so why did we choose to disable SSL 3.0 outright?
- It’s the recommended solution to the problem. Möller’s paper describing the exploit goes into further detail here, especially regarding flaws in CBC block cipher padding, but the gist is that SSL 3.0 can no longer be trusted as an encryption mechanism; it’s fundamentally flawed, and it will not be fixed. The optimal solution is to disable SSL 3.0 on our end and force everyone to use some flavor of TLS instead.
- It has minimal impact on our users. All of the browsers we support can handle the newer TLS encryption standard, as can most of the Git and Mercurial clients that communicate with our servers over HTTPS, and the change has no effect whatsoever on SSH connections.
- It protects all of our users – even the ones whose stuff breaks because of it. We want to ensure that all of our users’ HTTPS sessions are unaffected by POODLE, so we’ve done the most effective thing to protect Bitbucket traffic from that particular attack (and a few others). We can’t protect our users from other sites, though, so if this change breaks your browser or client then (unfortunately) you need to upgrade ASAP.
The safety and security of your data are our #1 priority, so this change is effective immediately. If you need further assistance, then please contact us at support.atlassian.com.
P.S. If you’d like more background on SSL, Wikipedia has an excellent article.