Menu
Google to kill off SSL 3.0 in Chrome 40

Google to kill off SSL 3.0 in Chrome 40

In the meantime, Chrome 39 will no longer support SSL 3.0 fallback for TLS connections

Google plans to remove support for the aging Secure Sockets Layer (SSL) version 3.0 protocol in Google Chrome 40, which is expected to ship in about two months.

The decision comes after Google security researchers recently discovered a dangerous design flaw in SSL 3.0. Dubbed "POODLE," the vulnerability allows a man-in-the-middle attacker to recover sensitive, plain text information like authentication cookies, from a HTTPS (HTTP Secure) connection encrypted with SSLv3.

Even though POODLE is the biggest security issue found in SSL 3.0 so far, it is not the protocol's only weakness. SSL version 3 was designed in the mid-1990s and supports outdated cipher suites that are now considered insecure from a cryptographic standpoint.

HTTPS connections today typically use TLS (Transport Layer Security) versions 1.0, 1.1 or 1.2. However, many browsers and servers have retained their support for SSL 3.0 over the years -- browsers to support secure connections with old servers and servers to support secure connections with old browsers.

This compatibility-driven situation is one that security experts have long wanted to see change and thanks to POODLE it will finally happen. The flaw's impact is significantly amplified by the fact that attackers who can intercept HTTPS connections can force a downgrade from TLS to SSL 3.0.

Based on an October survey by the SSL Pulse project, 98 percent of the world's most popular 150,000 HTTPS-enabled sites supported SSLv3 in addition to one or more TLS versions. It's therefore easier for browsers to remove their support for SSL 3.0 than to wait for hundred of thousands of web servers to be reconfigured.

On Oct.14, when the POODLE flaw was publicly revealed, Google said that it hopes to remove support for SSL 3.0 completely from its client products in the coming months. Google security engineer Adam Langley provided more details of what that means for Chrome in a post on the Chromium security mailing list Thursday.

According to Langley, Chrome 39, which is currently in beta and will be released in a couple of weeks, will no longer support the SSL 3.0 fallback mechanism, preventing attackers from downgrading TLS connections.

"In Chrome 40, we plan on disabling SSLv3 completely, although we are keeping an eye on compatibility issues that may arise," Langley said. "In preparation for this, Chrome 39 will show a yellow badge over the lock icon for SSLv3 sites. These sites need to be updated to at least TLS 1.0 before Chrome 40 is released."

Google Chrome typically follows a six-week release cycle for major versions. Chrome 38 stable was released on Oct. 7, meaning Chrome 40 will probably arrive towards the end of December.

Other browser vendors have taken a similar course of action in regard to support for SSL 3.0. Microsoft released a FixIt tool Wednesday that allows users to disable SSL 3.0 in Internet Explorer and Mozilla plans to disable SSL 3.0 by default in Firefox 34, which will be released on Nov. 25.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags MicrosoftGoogleonline safetypatchesExploits / vulnerabilitiesMozilla Foundation

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments