Board: Exchanges
Topic: Re: [OFFICIAL]Bitfinex.com first Bitcoin P2P lending platform for leverage trading
by mjr on 16/10/2014, 14:42:17 UTC
@bitfinex,

Any updates on POODLE? I just emptied my account just in case, and checked that SSLv3 is enabled on your site:

Code:
$ openssl s_client -connect bitfinex.com:443 -ssl3
[…]
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
[…]
Why is there no statement about this exploit anywhere? You should put something up on the homepage right after it became known.

It is not our policy to announce every bug that we fix. POODLE was fixed the day it came out. Disabling SSLv3 is not an ideal solution, because it introduces compatibility issues; that is why you are still able to see SSLv3 as shown above.

See this blog post from Google for a more thorough explanation.
http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html

Maybe we could introduce a bug fix section or add this information to the page about security? I feel like it will clutter up the announcements section.
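
As an added example (not part of the original posts and not Bitfinex tooling): a shell helper that reads an `openssl s_client` summary like the one quoted above and reports whether an SSLv3 session was really negotiated, and whether its cipher is RC4 or a CBC block cipher, the mode that POODLE's padding attack applies to. The sample text, function names and result labels are constructed for illustration.

```shell
#!/bin/sh
# SAMPLE is constructed, modelled on the s_client output quoted in the post.
SAMPLE='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-RC4-SHA
Server public key is 2048 bit
SSL-Session:
    Protocol  : SSLv3
    Cipher    : ECDHE-RSA-RC4-SHA'

# Live probe for your own server, using the command from the post.
# Not called here; newer OpenSSL builds may no longer accept -ssl3.
probe_ssl3() {
    openssl s_client -connect "$1" -ssl3 </dev/null 2>/dev/null
}

# Extract the value of the "Protocol  : X" line in the SSL-Session block.
negotiated_protocol() {
    printf '%s\n' "$1" | sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1
}

# Extract the cipher from the "New, ..., Cipher is X" summary line.
negotiated_cipher() {
    printf '%s\n' "$1" | sed -n 's/^New, .*Cipher is \([^ ]*\).*/\1/p' | head -n 1
}

# Classify a session summary. A failed handshake still prints
# "Protocol  : SSLv3", so the cipher "(NONE)" must be checked first.
classify_session() {
    proto=$(negotiated_protocol "$1")
    cipher=$(negotiated_cipher "$1")
    if [ -z "$proto" ] || [ -z "$cipher" ] || [ "$cipher" = "(NONE)" ]; then
        echo "no-session"; return
    fi
    if [ "$proto" != "SSLv3" ]; then
        echo "not-sslv3"; return
    fi
    # SSLv3 has no AEAD suites: a cipher is NULL, RC4 (stream) or CBC.
    case "$cipher" in
        *NULL*) echo "sslv3-null" ;;
        *RC4*)  echo "sslv3-rc4" ;;   # no CBC padding, but RC4 has known biases
        *)      echo "sslv3-cbc" ;;   # CBC padding is what POODLE targets
    esac
}

classify_session "$SAMPLE"
```

A result of `sslv3-rc4` or `sslv3-cbc` only describes the one session that was negotiated; it does not show whether the server also rejects downgraded connections, which is the mitigation the linked Google post describes.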