The POODLE attack on SSLv3
Hi

Some of you have probably seen this: http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploitin...

As we have mandated use of TLS 1.0 (which is the successor to SSLv3), an NSI implementation should not be vulnerable.

*** If you are responsible for an NSI implementation, please double check that SSLv3 is not allowed (the default contexts often allow this). ***

AFAICT even NSI agents supporting SSLv3 are not vulnerable to the attack, as we authenticate the client and do not use HTTP session keys (the POODLE attack uses single-byte leaking to grab a session key by inserting requests into an unencrypted side-channel and reusing it in a new session).

Further, there is some rumor mongering concerning TLS 1.0/1.1 being disabled in some places. These two have a lot of similarity to SSLv3, but are NOT vulnerable to the same attack. While I don't think they can be vulnerable to a similar attack (but I am not really qualified to guess), a lot of clever people will be looking into creating variants of this attack in the next months. So consider supporting TLS 1.2 sooner rather than later.

Best regards,
Henrik

Henrik Thostrup Jensen <htj at nordu.net>
Software Developer, NORDUnet
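The post asks NSI operators to confirm that SSLv3 is not allowed and to move towards TLS 1.2. The following is an added example, not code from the post or from any NSI project, showing how to express those two policies with Python's standard `ssl` module and how to audit an `SSLContext` for the legacy versions it would still negotiate. The function names and the two context builders are the example's own; Python's `SSLContext` already sets `OP_NO_SSLv3` by default, so the audit checks both the `minimum_version`/`maximum_version` window and the `OP_NO_*` veto bits, because either mechanism alone can block a version.

```python
import ssl
import warnings

# Protocol versions in wire order, each paired with the OP_NO_* bit that vetoes it.
# SSLv3 is the version the POODLE padding-oracle attack targets.
VERSIONS = (
    ("SSLv3",   ssl.TLSVersion.SSLv3,   ssl.OP_NO_SSLv3),
    ("TLSv1",   ssl.TLSVersion.TLSv1,   ssl.OP_NO_TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1, ssl.OP_NO_TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2, ssl.OP_NO_TLSv1_2),
    ("TLSv1.3", ssl.TLSVersion.TLSv1_3, ssl.OP_NO_TLSv1_3),
)


def permitted_versions(ctx):
    """Map each protocol version to whether `ctx` would still negotiate it.

    A version is reachable only when it lies inside the context's
    [minimum_version, maximum_version] window AND its OP_NO_* veto bit is
    clear, so both mechanisms are consulted.
    """
    lo, hi = ctx.minimum_version, ctx.maximum_version
    allowed = {}
    for name, version, veto in VERSIONS:
        above_floor = lo == ssl.TLSVersion.MINIMUM_SUPPORTED or lo <= version
        below_ceiling = hi == ssl.TLSVersion.MAXIMUM_SUPPORTED or version <= hi
        allowed[name] = above_floor and below_ceiling and not (ctx.options & veto)
    return allowed


def legacy_protocols_enabled(ctx):
    """Names of the pre-TLS-1.2 versions a context still accepts; an empty list is the goal."""
    return [name for name, on in permitted_versions(ctx).items()
            if on and name in ("SSLv3", "TLSv1", "TLSv1.1")]


def tls10_floor_server_context():
    """The 2014 baseline described in the post: TLS 1.0 mandated, so SSLv3 is out.

    Recent Python versions emit a DeprecationWarning when the floor is set this
    low; it is silenced here only so the old policy can be audited side by side.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.verify_mode = ssl.CERT_REQUIRED  # NSI authenticates the client certificate
    return ctx


def tls12_floor_server_context():
    """The recommended target: nothing older than TLS 1.2 is negotiated."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # mutual authentication, as in NSI
    return ctx


if __name__ == "__main__":
    for label, ctx in (("TLS 1.0 floor", tls10_floor_server_context()),
                       ("TLS 1.2 floor", tls12_floor_server_context())):
        print(f"{label}: legacy versions still enabled = {legacy_protocols_enabled(ctx)}")
```

A real deployment would additionally call `load_cert_chain` and `load_verify_locations` on the returned context; those paths are deployment-specific and left out here. Running the audit against a context you actually hand to your server (rather than a freshly built one) is what answers the post's question, since a library default or a framework setting may have widened the version window.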