There's a new SSL/TLS problem being announced today and it's likely to affect some of the most popular web sites in the world, owing largely to the popularity of F5 load balancers and the fact that these devices are impacted. There are other devices known to be affected, and it's possible that the same flaw is present in some SSL/TLS stacks. We will learn more in the following days.
If you want to stop reading here, take these steps: 1) check your web site using the SSL Labs test; 2) if vulnerable, apply the patch provided by your vendor. As problems go, this one should be easy to fix.
Today's announcement is actually about the POODLE attack (disclosed two months ago, in October) repurposed to attack TLS. If you recall, SSL 3 doesn't require its padding to be in any particular format (except for the last byte, the length), opening itself to attacks by active network attackers. However, even though TLS is very strict about how its padding is formatted, it turns out that some TLS implementations omit to check the padding structure after decryption. Such implementations are vulnerable to the POODLE attack even with TLS.
According to our most recent SSL Pulse scan (which hasn't been published yet), about 10% of the servers are vulnerable to the POODLE attack against TLS.
I'll keep my blog post updated as new information is available: