Menu
Google to kill off SSL 3.0 in Chrome 40

Google to kill off SSL 3.0 in Chrome 40

In the meantime, Chrome 39 will no longer support SSL 3.0 fallback for TLS connections

Google plans to remove support for the aging Secure Sockets Layer (SSL) version 3.0 protocol in Google Chrome 40, which is expected to ship in about two months.

The decision comes after Google security researchers recently discovered a dangerous design flaw in SSL 3.0. Dubbed "POODLE," the vulnerability allows a man-in-the-middle attacker to recover sensitive, plain text information like authentication cookies, from a HTTPS (HTTP Secure) connection encrypted with SSLv3.

Even though POODLE is the biggest security issue found in SSL 3.0 so far, it is not the protocol's only weakness. SSL version 3 was designed in the mid-1990s and supports outdated cipher suites that are now considered insecure from a cryptographic standpoint.

HTTPS connections today typically use TLS (Transport Layer Security) versions 1.0, 1.1 or 1.2. However, many browsers and servers have retained their support for SSL 3.0 over the years -- browsers to support secure connections with old servers and servers to support secure connections with old browsers.

This compatibility-driven situation is one that security experts have long wanted to see change and thanks to POODLE it will finally happen. The flaw's impact is significantly amplified by the fact that attackers who can intercept HTTPS connections can force a downgrade from TLS to SSL 3.0.

Based on an October survey by the SSL Pulse project, 98 percent of the world's most popular 150,000 HTTPS-enabled sites supported SSLv3 in addition to one or more TLS versions. It's therefore easier for browsers to remove their support for SSL 3.0 than to wait for hundred of thousands of web servers to be reconfigured.

On Oct.14, when the POODLE flaw was publicly revealed, Google said that it hopes to remove support for SSL 3.0 completely from its client products in the coming months. Google security engineer Adam Langley provided more details of what that means for Chrome in a post on the Chromium security mailing list Thursday.

According to Langley, Chrome 39, which is currently in beta and will be released in a couple of weeks, will no longer support the SSL 3.0 fallback mechanism, preventing attackers from downgrading TLS connections.

"In Chrome 40, we plan on disabling SSLv3 completely, although we are keeping an eye on compatibility issues that may arise," Langley said. "In preparation for this, Chrome 39 will show a yellow badge over the lock icon for SSLv3 sites. These sites need to be updated to at least TLS 1.0 before Chrome 40 is released."

Google Chrome typically follows a six-week release cycle for major versions. Chrome 38 stable was released on Oct. 7, meaning Chrome 40 will probably arrive towards the end of December.

Other browser vendors have taken a similar course of action in regard to support for SSL 3.0. Microsoft released a FixIt tool Wednesday that allows users to disable SSL 3.0 in Internet Explorer and Mozilla plans to disable SSL 3.0 by default in Firefox 34, which will be released on Nov. 25.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags MicrosoftGoogleonline safetypatchesExploits / vulnerabilitiesMozilla Foundation

Featured

Slideshows

Leading female front runners of the Kiwi ICT industry honoured at 2019 WIICTA

Leading female front runners of the Kiwi ICT industry honoured at 2019 WIICTA

Reseller News has honoured the leading female front runners of the New Zealand ICT industry at the 2019 Women in ICT Awards (WIICTA) in Auckland. The awards recognised standout individuals across six categories, spanning Entrepreneur, Rising Star, Shining Star, Community, Technical and Achievement. Photos by Gino Demeer.

Leading female front runners of the Kiwi ICT industry honoured at 2019 WIICTA
Reseller News kicks off awards season in 2019 with Judges' Lunch

Reseller News kicks off awards season in 2019 with Judges' Lunch

The 2019 Reseller News Innovation Awards has kicked off with the Judges Lunch in Auckland with 70 judges in the voting panel. The awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors. Photos by Christine Wong.

Reseller News kicks off awards season in 2019 with Judges' Lunch
Reseller News welcomes industry figures for 2019 Hall of Fame lunch

Reseller News welcomes industry figures for 2019 Hall of Fame lunch

Reseller News welcomed 2018 inductees - Chris Simpson, Kendra Ross and Phill Patton - to the third running of the Reseller News Hall of Fame lunch, held at the French Cafe in Auckland. The inductees discussed the changing landscape of the technology industry in New Zealand, while outlining ways to attract a new breed of players to the ecosystem. Photos by Gino Demeer.

Reseller News welcomes industry figures for 2019 Hall of Fame lunch
Show Comments