Security Experts:

Google to Disable SSL 3.0 in Chrome 40 to Prevent POODLE Attacks

Google has decided to make some changes in its Chrome Web browser in order to ensure that users are protected against POODLE attacks.

According to Google Security Engineer Adam Langley, the company will kill SSL 3.0, the flawed protocol (CVE-2014-3566) that exposes encrypted communications to so-called Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks.

The first step is to disable fallback to SSL 3.0 in Chrome 39, the next version of the Web browser, since fallback support can be exploited by a malicious actors to force HTTPS connections to use SSL 3.0, Langley said.

"SSLv3-fallback is only needed to support buggy HTTPS servers. Servers that correctly support only SSLv3 will continue to work (for now) but some buggy servers may stop working. The answer in these cases is to fix the server -- TLS 1.0 is nearly 15 years old at this point," the engineer explained in a post on Thursday.

SSL 3.0 fallback support has already been disabled in the beta, dev and canary versions of Chrome. With the release of Chrome 40, Google plans on disabling SSL 3.0 completely, but the company says it's on the lookout for compatibility issues.

In Chrome 39, users will be presented with a yellow badge over the lock icon when they visit websites that use SSL 3.0. Langley says these sites will have to update to at least TLS 1.0 before Chrome 40 becomes available. Developers are advised to properly test their websites since there could be scenarios where the yellow badge doesn't appear even though the site is using SSL 3.0.

"The enterprise-policy options SSLVersionMin and SSLVersionFallbackMin can be used to control the minimum SSL/TLS version and minimum fallback version in Chrome 39. In Chrome 40, the minimum SSL/TLS version will also be controllable via about:flags," Langley said.

However, he has pointed out that this should not be regarded as a long-term solution since SSL 3.0 client support will be removed from the code at one point.

In mid-October, shortly after the world learned of POODLE, Mozilla announced its intention to disable SSL 3.0 by default with the launch of Firefox 34, scheduled for release on November 25.

Apple and Microsoft have also taken steps to protect their customers against attacks leveraging this vulnerability.

On Wednesday, Microsoft released a FixIt tool that allows users to disable SSL 3.0 in all supported versions of Internet Explorer. In the upcoming period, the company will work on disabling fallback to SSL 3.0 in Internet Explorer. It will also disable the protocol by default in the Web browser and other Microsoft online services.


view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.