On October 14 a vulnerability in OpenSSL, named POODLE, was announced by Google. Two advisories, CVE-2014-3513 and CVE-2014-3567, describe a vulnerability in OpenSSL implementation of the SSLv3 protocol and another vulnerability that allows a MITM attacker to force protocol downgrade from secure TLS to vulnerable SSLv3.
In response to the POODLE vulnerability, Wealthfront disabled SSLv3 access our websites. For clients using SSLv3 to access our websites, we instead provide links to upgrade their browser.
Further Resources for POODLE Help
We recommend auditing all systems using OpenSSL and upgrading when vendor fixes are available. Here are some resources we found useful in our response to this disclosure:
- CVE-2014-3513 Advisory (reserved with details to be published)
- CVE-2014-3567 Advisory (reserved with details to be published)
- OpenSSL Team Report
- Google Advisory
As always, if you have any questions about the security of your Wealthfront account, contact us at firstname.lastname@example.org. We will continue to monitor this issue as the community and vendors investigate this vulnerability further.