SecurityWeek

Network Security

Google to Soon Kill SSLv3, RC4 Support in Gmail

Starting on June 16, 2016, the old SSLv3 and RC4 security protocols will no longer be supported on Google’s SMTP servers and on Gmail’s web servers.


Given the insecure status of both SSLv3 and RC4, Google announced in September last year that it would kill both protocols in its products. On Monday, the company revealed that it is removing support for the two standards in Google SMTP servers and Gmail web servers in 30 days.

Defined in 1996, Secure Sockets Layer (SSL) 3.0 was deemed insecure in 2014, because of the POODLE attack that affects all block ciphers in SSL. Given that the protocol is considered obsolete, the industry is transitioning to the more secure Transport Layer Security (TLS) protocol, currently at version 1.3, which is still a working draft. TLS, however, is also vulnerable to POODLE, researchers believe.

RC4, on the other hand, has been around since 1987 and is still very popular, being one of the most widely used stream ciphers. In mid-2015, RC4 was reportedly used in 30 percent of TLS connections, but experts demonstrated that attacks against this cryptographic algorithm are becoming more practical and feasible than ever.

“SSLv3 has been obsolete for over 16 years and is so full of known problems that the Internet Engineering Task Force (IETF) has decided that it must no longer be used. RC4 is a 28-year-old cipher that has done remarkably well, but is now the subject of multiple attacks at security conferences. The IETF has decided that RC4 also warrants a statement that it too must no longer be used,” Adam Langley, Security Engineer, Google, said last year.

The newly announced change means that, starting on June 16, Google’s SMTP servers will no longer be exchanging emails with servers sending messages via SSLv3 and RC4. It also means that users who are still using older and insecure mail clients won’t be able to send mail starting on that date, Google explains.

While most organizations on Google Apps have already stopped using SSLv3 and RC4, some are still on these older systems, and Google advises them to update to modern TLS configurations. In September last year, the Internet giant also announced a series of minimum standards for TLS clients and revealed that devices that don’t meet them would stop working.

According to Google, some common systems that may still be using SSLv3 include: inbound/outbound gateways, third-party emailers, and systems using SMTP relay. With other Google products already having removed support for these old, deprecated security protocols, admins should consider fully transitioning to newer standards as soon as possible.
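An admin running an inbound/outbound gateway or SMTP relay can verify what it actually negotiates. The following is an added example, not code from the article or from Google: it builds a client TLS context that can never offer SSLv3 or an RC4 suite, flags a negotiated (protocol version, cipher) pair that Google would now reject, and shows how the same check plugs into a STARTTLS session. Function names are this example's own, and the sample negotiations are constructed.

```python
import smtplib
import ssl

# Protocol versions and cipher tokens that Google's SMTP servers no longer accept.
BANNED_VERSIONS = {"SSLv2", "SSLv3"}
BANNED_CIPHER_TOKENS = ("RC4",)

# Constructed samples of what SSLSocket.version()/cipher() might report
# for an old relay versus a modern one (not captured from a real host).
SAMPLE_NEGOTIATIONS = {
    "legacy-relay": ("SSLv3", "RC4-SHA"),
    "modern-gateway": ("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
}


def build_strict_context() -> ssl.SSLContext:
    """Client context with SSLv3/TLS 1.0/1.1 disabled and RC4 excluded."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: drop RC4 and other weak suites outright.
    ctx.set_ciphers("HIGH:!aNULL:!eNULL:!RC4:!MD5:!3DES")
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True if the context cannot negotiate SSLv3 nor any RC4-based suite."""
    no_rc4 = not any("RC4" in c["name"] for c in ctx.get_ciphers())
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2 and no_rc4


def audit_negotiation(version: str, cipher_name: str) -> list:
    """Return findings for a negotiated (version, cipher) pair."""
    findings = []
    if version in BANNED_VERSIONS:
        findings.append(f"obsolete protocol negotiated: {version}")
    if any(tok in cipher_name.upper() for tok in BANNED_CIPHER_TOKENS):
        findings.append(f"weak cipher negotiated: {cipher_name}")
    return findings


def audit_samples() -> dict:
    """Run the audit over the constructed samples; hosts with no findings are fine."""
    return {host: audit_negotiation(v, c) for host, (v, c) in SAMPLE_NEGOTIATIONS.items()}


def probe_smtp(host: str, port: int = 25) -> tuple:
    """Open STARTTLS to a mail host with the strict context and audit the result.
    This is a live network call; it is not exercised by the offline samples."""
    with smtplib.SMTP(host, port, timeout=10) as smtp:
        smtp.starttls(context=build_strict_context())
        version = smtp.sock.version()
        cipher_name = smtp.sock.cipher()[0]
    return version, cipher_name, audit_negotiation(version, cipher_name)
```

If `probe_smtp` fails the handshake against the strict context, the remote side only offers suites or versions that Google also rejects, which is exactly the condition to fix before the cutoff.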


Other tech companies are also killing SSLv3 and RC4 in their products: Microsoft and Mozilla revealed plans last year to deprecate RC4 in their browsers, and Firefox 44 moved away from the cipher in January. As F5 Networks evangelist David Holmes noted in a SecurityWeek column in November, “the simplicity of RC4 was its greatest appeal.”

Earlier this year, DROWN, a high severity flaw affecting HTTPS and other services that rely on SSL and TLS, was patched by only 5% of affected cloud services within the first week. According to David Holmes, however, DROWN only achieved a Hello Kitty warning level because it “is only a single TLS session (Impact=3), and the exploitability is non-trivial or impossible on most counts (Exploitability = 2).”

Last year, researchers revealed FREAK, a vulnerability that allowed hackers to crack HTTPS-protected traffic by forcing vulnerable clients to downgrade to weaker crypto, while 2014 was the year of the ‘Heartbleed’ vulnerability in OpenSSL. Heartbleed, however, was still unpatched by 74% of Global 2000 organizations one year after it was publicly disclosed.
