Google recently announced a vulnerability, named POODLE, which targets SSLv3 connections. SSLv3 is an older encryption protocol in the SSL/TLS family. Most modern browsers default to newer versions of TLS instead of SSL, e.g., TLSv1.2.
OneLogin defaults to establishing connections with browsers and API clients using TLS encryption, but there is a possible attack vector whereby an attacker could cause browsers to downgrade to SSLv3, rendering them vulnerable.
In response, OneLogin has disabled SSLv3 across our network by default for all customers, effective immediately. This will have no impact on our supported browser configurations (listed here), but a small minority of our users still use older browsers, such as Internet Explorer 6 running on Windows XP or older. This represents 0.01% of our user base. If you are affected by this change, you will need to configure your browser to support TLSv1, or upgrade your browser.
We are continuing to track this vulnerability as news breaks. We will update this post as needed, and as we have more information.