10.3 and 3.1 How to Address the SSLv3.0 Vulnerability
Problem
Can we disable SSLv3.0 on our web server and/or how do we address the SSLv3.0 vulnerability?
Solution
This question came in response to the news that a vulnerability (POODLE) was found in SSL 3.0, which essentially makes the protocol obsolete in terms of security.
'Encryption in SSL 3.0 uses either the RC4 stream cipher, or a block cipher in CBC mode. RC4 is well known to have biases, meaning that if the same secret (such as a password or HTTP cookie) is sent over many connections and thus encrypted with many RC4 streams, more and more information about it will leak. ...Unlike with [other] attacks, there is no reasonable workaround. This leaves us with no secure SSL 3.0 cipher suites at all: to achieve secure encryption, SSL 3.0 must be avoided entirely.'
Source:
http://www.techrepublic.com/article/poodle-vulnerability-hastens-the-death-of-ssl-3-0/
Changing your web server security configuration (setting which protocols SSL is allowed or not allowed to use) is transparent to VSI application end users. The repercussion of a security configuration change is that, depending on the changes made, clients with older O/S and browser combinations (IE6/XP SP2 or lower, for instance) may have difficulty connecting to the site.
Ultimately the choice is up to you, weighing your security priorities against what may be a small subset of your web patrons.
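To put a number on that subset before making the change, the sketch below is an added example (not part of the original article or of any VSI product) that counts the clients seen only on SSLv3 in a web server log. It assumes your server is configured to log the negotiated protocol per request; the log layout, the sample lines and the name sslv3_exposure are constructed for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample. The layout (client, protocol, cipher, "user agent") is an
# assumption; adapt LINE_RE to whatever your server actually logs.
SAMPLE_LOG = '''\
203.0.113.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "Mozilla/5.0 (Windows NT 6.1) Chrome/38.0"
203.0.113.11 SSLv3 RC4-SHA "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.11 SSLv3 RC4-SHA "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.12 TLSv1 AES128-SHA "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Firefox/31.0"
203.0.113.12 SSLv3 AES128-SHA "Mozilla/5.0 (Windows NT 6.1; rv:31.0) Firefox/31.0"
203.0.113.13 SSLv3 DES-CBC3-SHA "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
malformed line without the expected fields
'''

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def sslv3_exposure(lines):
    """Report who would lose access if SSL 3.0 were disabled."""
    protos = defaultdict(set)   # client -> protocols it negotiated
    agents = defaultdict(set)   # client -> user agents it sent
    parsed = sslv3_requests = skipped = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            skipped += 1        # count, don't silently drop, unparsable lines
            continue
        client, proto, _cipher, agent = m.groups()
        parsed += 1
        sslv3_requests += proto == "SSLv3"
        protos[client].add(proto)
        agents[client].add(agent)
    # A client that also negotiated TLS keeps working after the change;
    # only clients seen exclusively on SSLv3 are at risk of being cut off.
    only = sorted(c for c, p in protos.items() if p == {"SSLv3"})
    return {
        "parsed": parsed,
        "skipped": skipped,
        "sslv3_requests": sslv3_requests,
        "clients": len(protos),
        "sslv3_only_clients": only,
        "sslv3_only_agents": Counter(a for c in only for a in agents[c]),
    }


if __name__ == "__main__":
    for key, value in sslv3_exposure(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

Run it over a representative period of real traffic; the user agents of the SSLv3-only clients show which O/S and browser combinations would need to upgrade.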