Nelnet Improving Website Security to Avoid POODLE Vulnerability
Google recently reported a vulnerability in SSLv3, an online security protocol that encrypts a website user’s data to keep it secure. The vulnerability, known as Padding Oracle on Downgraded Legacy Encryption (POODLE), allows attackers to get past this security and access a user’s account without a password.
If no action were taken, POODLE could affect any portion of our websites that requires a login and supports SSLv3, such as online borrower accounts and Nsight Plus. We want to reassure you that Nelnet is quickly taking necessary steps to protect you and your students. Here’s how:
- We have made the decision to stop supporting SSLv3.
- We have notified critical vendors of our decision to stop supporting SSLv3.
- We are identifying all applications that could be affected by POODLE.
- We are finalizing a plan to disable SSLv3 and ensure that more advanced security protocols are supported throughout Nelnet.
These changes are currently targeted for November 25, 2014. You and your students will not see anything different when accessing our websites unless you have a very outdated browser (ten years old or more). In that case, you will be redirected to a warning page that explains the danger of continuing and recommends upgrading to a more current browser version.
For more information, you can visit:
- The Google Online Security Blog post on the POODLE vulnerability
- The Google Security Advisory on the POODLE vulnerability
If you have further questions, feel free to fill out our contact form.

Kristin Tobias, Communications Coordinator, Nelnet