Tonight Google announced a flaw in the design of SSL v3. We have been tracking this issue since we heard whisperings in private security circles last week. Upon disclosure of the details, we began remediating immediately.
The vast majority of end users should not experience any issues as a result of the changes we’re making. In fact, Google estimates this change will affect less than 1% of the internet. (The SSL 3.0 protocol is almost 15 years old but has remained in place to support users running older browsers.)
The attack vector for this vulnerability has prerequisites and is very sophisticated. As such, the real-world severity is far below that of the recent Heartbleed and Shellshock vulnerabilities.
Check out Google’s Security blog for details.
If you would like to be 100% protected, you can disable SSLv3 in your browser settings. Information on how to do this in a few popular browsers can be found here.