Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Google to Disable SSL 3.0 in Chrome 40 to Prevent POODLE Attacks

Google has decided to make some changes in its Chrome Web browser in order to ensure that users are protected against POODLE attacks.

Google has decided to make some changes in its Chrome Web browser in order to ensure that users are protected against POODLE attacks.

According to Google Security Engineer Adam Langley, the company will kill SSL 3.0, the flawed protocol (CVE-2014-3566) that exposes encrypted communications to so-called Padding Oracle On Downgraded Legacy Encryption (POODLE) attacks.

The first step is to disable fallback to SSL 3.0 in Chrome 39, the next version of the Web browser, since fallback support can be exploited by a malicious actors to force HTTPS connections to use SSL 3.0, Langley said.

“SSLv3-fallback is only needed to support buggy HTTPS servers. Servers that correctly support only SSLv3 will continue to work (for now) but some buggy servers may stop working. The answer in these cases is to fix the server — TLS 1.0 is nearly 15 years old at this point,” the engineer explained in a post on Thursday.

SSL 3.0 fallback support has already been disabled in the beta, dev and canary versions of Chrome. With the release of Chrome 40, Google plans on disabling SSL 3.0 completely, but the company says it’s on the lookout for compatibility issues.

In Chrome 39, users will be presented with a yellow badge over the lock icon when they visit websites that use SSL 3.0. Langley says these sites will have to update to at least TLS 1.0 before Chrome 40 becomes available. Developers are advised to properly test their websites since there could be scenarios where the yellow badge doesn’t appear even though the site is using SSL 3.0.

“The enterprise-policy options SSLVersionMin and SSLVersionFallbackMin can be used to control the minimum SSL/TLS version and minimum fallback version in Chrome 39. In Chrome 40, the minimum SSL/TLS version will also be controllable via about:flags,” Langley said.

However, he has pointed out that this should not be regarded as a long-term solution since SSL 3.0 client support will be removed from the code at one point.

Advertisement. Scroll to continue reading.

In mid-October, shortly after the world learned of POODLE, Mozilla announced its intention to disable SSL 3.0 by default with the launch of Firefox 34, scheduled for release on November 25.

Apple and Microsoft have also taken steps to protect their customers against attacks leveraging this vulnerability.

On Wednesday, Microsoft released a FixIt tool that allows users to disable SSL 3.0 in all supported versions of Internet Explorer. In the upcoming period, the company will work on disabling fallback to SSL 3.0 in Internet Explorer. It will also disable the protocol by default in the Web browser and other Microsoft online services.

 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Discover strategies for vendor selection, integration to minimize redundancies, and maximizing ROI from your cybersecurity investments. Gain actionable insights to ensure your stack is ready for tomorrow’s challenges.

Register

Dive into critical topics such as incident response, threat intelligence, and attack surface management. Learn how to align cyber resilience plans with business objectives to reduce potential impacts and secure your organization in an ever-evolving threat landscape.

Register

People on the Move

Gigamon has promoted Tony Jarjoura to CFO and Ram Bhide has been hired as Senior VP of engineering.

Cloud security firm Mitiga has appointed Charlie Thomas as Chief Executive Officer.

Cynet announced the appointment of Jason Magee as Chief Executive Officer.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.