Connect with us

Hi, what are you looking for?


Network Security

Google to Disable SSL 3.0 in Chrome 40 to Prevent POODLE Attacks

Google has decided to make some changes in its Chrome Web browser in order to ensure that users are protected against POODLE attacks.

Google has decided to make some changes in its Chrome Web browser in order to ensure that users are protected against POODLE attacks.

According to Google Security Engineer Adam Langley, the company will kill SSL 3.0, the flawed protocol (CVE-2014-3566) that exposes encrypted communications to so-called Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks.

The first step is to disable fallback to SSL 3.0 in Chrome 39, the next version of the Web browser, since fallback support can be exploited by a malicious actors to force HTTPS connections to use SSL 3.0, Langley said.

“SSLv3-fallback is only needed to support buggy HTTPS servers. Servers that correctly support only SSLv3 will continue to work (for now) but some buggy servers may stop working. The answer in these cases is to fix the server — TLS 1.0 is nearly 15 years old at this point,” the engineer explained in a post on Thursday.

SSL 3.0 fallback support has already been disabled in the beta, dev and canary versions of Chrome. With the release of Chrome 40, Google plans on disabling SSL 3.0 completely, but the company says it’s on the lookout for compatibility issues.

In Chrome 39, users will be presented with a yellow badge over the lock icon when they visit websites that use SSL 3.0. Langley says these sites will have to update to at least TLS 1.0 before Chrome 40 becomes available. Developers are advised to properly test their websites since there could be scenarios where the yellow badge doesn’t appear even though the site is using SSL 3.0.

“The enterprise-policy options SSLVersionMin and SSLVersionFallbackMin can be used to control the minimum SSL/TLS version and minimum fallback version in Chrome 39. In Chrome 40, the minimum SSL/TLS version will also be controllable via about:flags,” Langley said.

Advertisement. Scroll to continue reading.

However, he has pointed out that this should not be regarded as a long-term solution since SSL 3.0 client support will be removed from the code at one point.

In mid-October, shortly after the world learned of POODLE, Mozilla announced its intention to disable SSL 3.0 by default with the launch of Firefox 34, scheduled for release on November 25.

Apple and Microsoft have also taken steps to protect their customers against attacks leveraging this vulnerability.

On Wednesday, Microsoft released a FixIt tool that allows users to disable SSL 3.0 in all supported versions of Internet Explorer. In the upcoming period, the company will work on disabling fallback to SSL 3.0 in Internet Explorer. It will also disable the protocol by default in the Web browser and other Microsoft online services.


Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...