Which SSL Reviews

Google Chrome to Drop its Support For SSL Version 3.0

November 6, 2014

Summary

Google Chrome 40 is expected to launch in two months’ time, and the tech giant plans to drop support for the aging encryption standard Secure Sockets Layer (SSL) version 3.0.

A security bug in the design of SSL version 3.0 was discovered by Google’s security research team earlier in October 2014.

The newest security exploit is dubbed POODLE (Padding Oracle On Downgraded Legacy Encryption). The bug enables an attacker to access personal data, such as authentication cookies, from HTTPS connections that use SSL version 3.0 encryption.

Chrome To Stop Supporting SSLv3.0

  • To date, POODLE is the most serious flaw found in SSL version 3.0, although it is not the protocol’s only weakness. Designed in the mid-1990s, SSL version 3.0 supports outdated cipher suites that are now considered unsafe from a cryptographic standpoint.
  • Today, HTTPS connections use the Transport Layer Security (TLS) encryption standard across versions 1.0 and 1.2. However, many servers and Web browsers continue to support SSL version 3.0, especially Web browsers that need to connect securely to older Web servers, and servers that need to accept secure connections from older Web browsers.
  • The effect of the POODLE bug is multiplied because an attacker who can interfere with HTTPS connections can force TLS encryption to downgrade to SSL version 3.0. Security experts have been waiting a long time to see a change, and for the reasons given, it looks like it might happen.
  • According to statistics gathered in October, around 98 percent of 150,000 established HTTPS-enabled sites globally support SSL version 3.0 as well as TLS versions.
  • Therefore, it would be ideal for Web browsers to simply drop their support for SSL version 3.0 instead of waiting for thousands of Web servers to be reconfigured.
  • The POODLE exploit was revealed to the public on October 14, 2014 by Google.
  • The company released a statement saying that it hopes to remove support for SSL version 3.0 entirely from its client products in the coming months.
  • Adam Langley, a security engineer at Google, stated that Google plans to disable SSL version 3.0 completely in Chrome 40. He also mentioned that the firm is watching for compatibility problems that may surface. In preparation for this, Google Chrome 39 will display a yellow badge over the padlock icon for SSL version 3.0 websites. These sites should be updated to at least TLS version 1.0 before Chrome 40 is launched.
  • Chrome 39 is expected to be released in another couple of weeks. It will not support SSL version 3.0, which in turn will prevent attacks from downgrading TLS connections, Langley added.
  • Following the release of Chrome 38 on October 7, 2014 and the soon-to-be-released Chrome 39, Chrome 40 is expected to be deployed in late December. The release dates are based on Google’s history of following a six-week cycle for major browser versions.
  • Other Web browser vendors will need to take similar actions. Microsoft has already released a program called ‘Fix It,’ which allows users to disable SSL version 3.0 in Internet Explorer. According to Mozilla, Firefox 34 will be released on November 25, 2014, and SSL version 3.0 will be disabled in the browser by default.
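
The downgrade point above can be seen in a small model. This is an added example, not code from Google or from the original article: it assumes a browser that retries with an older protocol version after a failed handshake, and the function names and the `blocked_above` parameter are hypothetical.

```python
# Simplified model of browser version fallback (added example, constructed data).
VERSIONS = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]  # oldest to newest


def handshake(offered, client_min, server_versions, blocked_above=None):
    """One attempt: return the agreed version, or None if the attempt fails.

    blocked_above models interference on the network path that breaks every
    attempt offering a version newer than the one named.
    """
    hi, lo = VERSIONS.index(offered), VERSIONS.index(client_min)
    if blocked_above is not None and hi > VERSIONS.index(blocked_above):
        return None  # attempt broken in transit
    # The server picks the newest version inside the client's accepted range.
    usable = [v for v in VERSIONS[lo:hi + 1] if v in server_versions]
    return usable[-1] if usable else None


def connect(client_min, server_versions, blocked_above=None):
    """Retry loop: offer the newest version first, step down after each
    failure, and never go below client_min (the browser's own floor)."""
    attempts = []
    for offered in reversed(VERSIONS[VERSIONS.index(client_min):]):
        agreed = handshake(offered, client_min, server_versions, blocked_above)
        attempts.append((offered, agreed))
        if agreed:
            return agreed, attempts
    return None, attempts


if __name__ == "__main__":
    server = VERSIONS  # a server that still accepts SSL 3.0 next to TLS
    cases = [
        ("floor SSL 3.0, clean path", "SSL 3.0", server, None),
        ("floor SSL 3.0, interference", "SSL 3.0", server, "SSL 3.0"),
        ("floor TLS 1.0, interference", "TLS 1.0", server, "SSL 3.0"),
        ("floor TLS 1.0, SSL 3.0-only server", "TLS 1.0", ["SSL 3.0"], None),
    ]
    for label, floor, srv, blocked in cases:
        agreed, attempts = connect(floor, srv, blocked)
        print(f"{label}: agreed={agreed} after {len(attempts)} attempt(s)")
```

With the floor raised to TLS 1.0, the interfered connection fails instead of settling on SSL 3.0, even though the server was never reconfigured. The last case is the compatibility problem for sites that only speak SSL version 3.0.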