ID: IRCNE2014112360
Date: 2014-11-02
According to “ComputerWorld”, Google plans to remove support for the aging Secure Sockets Layer (SSL) version 3.0 protocol in Google Chrome 40, which is expected to ship in about two months.
The decision comes after Google security researchers recently discovered a dangerous design flaw in SSL 3.0. Dubbed "POODLE," the vulnerability allows a man-in-the-middle attacker to recover sensitive, plain text information like authentication cookies, from a HTTPS (HTTP Secure) connection encrypted with SSLv3.
Even though POODLE is the biggest security issue found in SSL 3.0 so far, it is not the protocol's only weakness. SSL version 3 was designed in the mid-1990s and supports outdated cipher suites that are now considered insecure from a cryptographic standpoint.
HTTPS connections today typically use TLS (Transport Layer Security) versions 1.0, 1.1 or 1.2. However, many browsers and servers have retained their support for SSL 3.0 over the years -- browsers to support secure connections with old servers and servers to support secure connections with old browsers.
This compatibility-driven situation is one that security experts have long wanted to see change and thanks to POODLE it will finally happen. The flaw's impact is significantly amplified by the fact that attackers who can intercept HTTPS connections can force a downgrade from TLS to SSL 3.0.
Based on an October survey by the SSL Pulse project, 98 percent of the world's most popular 150,000 HTTPS-enabled sites supported SSLv3 in addition to one or more TLS versions. It's therefore easier for browsers to remove their support for SSL 3.0 than to wait for hundred of thousands of web servers to be reconfigured.
According to Google security engineer Adam Langley, Chrome 39, which is currently in beta and will be released in a couple of weeks, will no longer support the SSL 3.0 fallback mechanism, preventing attackers from downgrading TLS connections.
"In Chrome 40, we plan on disabling SSLv3 completely.
- 2