Apple Ditches its Support for SSL 3.0 Following POODLE Attack

November 5, 2014 | By Editor 

Summary

In the wake of the POODLE bug, iOS and OS X developers have realized that if they want their notifications to reach users, they should support the TLS standard now. Apple started using Transport Layer Security (TLS) on 29 October, 2014. The tech giant switched to SSL’s advanced successor following the disclosure of a flaw that could expose encrypted information.

Apple Dumps SSL version 3.0

  • On October 22, 2014, Apple announced it would stop its support for the encryption standard Secure Sockets Layer (SSL) version 3.0 for its push notification services.
  • This move was in response to POODLE (Padding Oracle On Downgraded Legacy Encryption), a security exploit identified earlier in October in the age-old security protocol.
  • Apple’s decision to drop support for the flawed SSLv 3.0 from its Apple Push Notification service (APNs) is driven by its goal to securely deliver remote notifications to iOS and OS X devices.
  • The firm has officially removed its support for the legacy security protocol in APNs, following its OS X fixes released last week designed to resolve the POODLE bug in the SSL 3.0 design.
  • Apple’s developers page has stated that Apple’s developers were prepared for the move from the day the flaw was discovered by Google. However, this shift will only impact service providers that do not yet support TLS, the advanced security protocol for encrypted communications.
  • Service providers that use only SSL version 3.0 should start supporting TLS as soon as possible in order to ensure APNs continues to function as expected. Providers supporting both older SSL and newer TLS will not be impacted and need no changes, the developers page added.
  • Just as the name suggests, Apple Push Notification service sends notifications such as customer alerts and badges from application developers to iOS and OS X devices. APNs is responsible for negotiating the transmission from developer to end user.
  • Additionally, it handles the exchange of certificates and cryptographic keys, establishing an IP connection that is TLS encrypted in both directions.
  • Earlier this October, Google’s researchers revealed the details of the POODLE flaw after finding that known biases in SSL 3.0 allowed hackers to calculate the plaintext of secure IP connections.
  • SSL version 3.0 still remains supported by most Web browsers as a fallback protocol whenever a snag hits while attempting to establish a connection with an HTTPS server.
  • Despite being succeeded by multiple TLS versions, the 15-year-old SSL 3.0 seems to have loyal followers across the Web. According to Google researchers, a network hacker can cause connection failures that trigger the use of SSLv3.0 in order to exploit the weakness.
  • To reduce the intensity of the issue, providers like Apple and Mozilla would need to disable their support for SSL 3.0 in Safari and Firefox, and on their own servers. But Google had warned that doing so would present significant compatibility issues.
  • Hence, Google opted to use a workaround for its Chrome browser and servers that prevents hackers from inducing Web browsers to use SSLv 3.0 and also prevents TLS downgrades (from 1.2 to 1.1 or 1.0).
  • In order to prepare its developers for the move, Apple announced it has disabled its support for SSLv 3.0 on the communication interface.
  • This enables developers to test in the development environment ensuring push notifications can be securely sent to apps.
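
The fallback behaviour and the two defences described in the bullets above (a downgrade-protection signal, and removing SSL 3.0 from the server) can be modelled in a few lines. This is an added example, not code from Apple or Google: it is a toy model with no real network traffic or cryptography, all function names are illustrative, and it assumes the workaround behaves like the TLS_FALLBACK_SCSV signal of RFC 7507, which the article does not name.

```python
# Toy model of TLS version fallback; version numbers are the wire values.
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
NAMES = {SSL3: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}


class HandshakeFailure(Exception):
    """The handshake did not complete (dropped, or no shared version)."""


class InappropriateFallback(Exception):
    """Server refused a retry that offered less than both sides support."""


def server_negotiate(server_versions, client_max, fallback_signal):
    """Server side: pick the highest version both sides support."""
    if fallback_signal and client_max < max(server_versions):
        # The client marks this as a retry, yet the server could do better,
        # so the earlier failure was not a genuine incompatibility.
        raise InappropriateFallback(NAMES[client_max])
    common = [v for v in server_versions if v <= client_max]
    if not common:
        raise HandshakeFailure("no common protocol version")
    return max(common)


def client_connect(client_versions, server_versions, drop_above=None,
                   send_fallback_signal=True):
    """Client side: try the best version first, then retry with lower ones.

    drop_above models a network on which every handshake offering more than
    that version fails, the trigger for fallback described in the article.
    """
    ordered = sorted(client_versions, reverse=True)
    for attempt, version in enumerate(ordered):
        if drop_above is not None and version > drop_above:
            continue  # handshake never completes; the client retries lower
        is_retry = attempt > 0
        chosen = server_negotiate(server_versions, version,
                                  send_fallback_signal and is_retry)
        return NAMES[chosen]
    raise HandshakeFailure("all attempts failed")
```

With every version enabled on both sides and no signal, forced failures end at SSL 3.0; with the signal the server aborts the retry, and a server that no longer lists SSL 3.0 fails the handshake outright, which is why SSL 3.0-only providers had to add TLS.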