21 Nov 14 Vulnerability in SSLv3

Secure connections to web servers have relied on the SSL and TLS protocol suites for years. The recently discovered POODLE attack has demonstrated that SSLv3 is insecure. The ALA team will have disabled SSLv3 on all of our web servers by the end of the day.  We do expect some customer impact from disabling SSLv3. Some older browsers do not support the newer TLS protocol suites or have SSLv3 enabled in their browser settings by their IT departments. Some older browsers trying to reach our websites will error out with a message saying

“This webpage is not available. The webpage might be temporarily down or may have moved permanently to a new web address. Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH.“

To fix this problem, you may have to disable SSLv3 in your browser settings, enable TLS v1.0 in your browser settings, upgrade your browser to the latest version, or contact your IT department if they control your browser installation or settings.