SecurityWeek
Google to Soon Kill SSLv3, RC4 Support in Gmail

Starting on June 16, 2016, the old SSLv3 and RC4 security protocols will no longer be supported on Google’s SMTP servers and on Gmail’s web servers.

Given the insecure status of both SSLv3 and RC4, Google announced in September last year that it would kill both protocols in its products. On Monday, the company revealed that it is removing support for the two standards in Google SMTP servers and Gmail web servers in 30 days.

Defined in 1996, Secure Sockets Layer (SSL) 3.0 was deemed insecure in 2014, because of the POODLE attack that affects all block ciphers in SSL. Given that the protocol is considered obsolete, the industry is transitioning to the more secure Transport Layer Security (TLS) protocol, currently at version 1.3, which is still a working draft. TLS, however, is also vulnerable to POODLE, researchers believe.

RC4, on the other hand, has been around since 1987, but it is still very popular, being one of the most widely used stream ciphers. In mid-2015, RC4 was supposedly used in 30 percent of TLS connections, but experts demonstrated that attacks against this cryptographic algorithm are becoming more practical and feasible than ever.

“SSLv3 has been obsolete for over 16 years and is so full of known problems that the Internet Engineering Task Force (IETF) has decided that it must no longer be used. RC4 is a 28-year-old cipher that has done remarkably well, but is now the subject of multiple attacks at security conferences. The IETF has decided that RC4 also warrants a statement that it too must no longer be used,” Adam Langley, Security Engineer, Google, said last year.

The newly announced change means that, starting on June 16, Google’s SMTP servers will no longer be exchanging emails with servers sending messages via SSLv3 and RC4. It also means that users who are still using older and insecure mail clients won’t be able to send mail starting on that date, Google explains.

While most organizations on Google Apps have already stopped using SSLv3 and RC4, some are still on these older systems, and Google advises them to update to modern TLS configurations. In September last year, the Internet giant also announced a series of minimum standards for TLS clients and revealed that devices that don’t meet them would stop working.

According to Google, some common systems that may still be using SSLv3 include: inbound/outbound gateways, third-party emailers, and systems using SMTP relay. With other Google products already having removed support for these old, deprecated security protocols, admins should consider fully transitioning to newer standards as soon as possible.
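As an added example (not code from the article or from Google), the following Python shows how an operator of one of those gateways or relays could build a STARTTLS client context that can no longer negotiate SSLv3 or RC4, and audit what a session actually negotiated against that cut-off. The `session_is_acceptable` policy, the TLS 1.2 floor and the sample negotiations are assumptions of this example.

```python
import smtplib
import ssl

# Policy stated by the article: SSLv3 and RC4 are refused from June 16, 2016.
BANNED_PROTOCOLS = {"SSLv2", "SSLv3"}
BANNED_CIPHER_SUBSTRINGS = ("RC4",)


def hardened_client_context() -> ssl.SSLContext:
    """Client-side context for STARTTLS that cannot offer SSLv3 or RC4."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    # Assumed floor: refuse everything below TLS 1.2 (the article's hard
    # requirement is only that SSLv3 is gone).
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # Forward-secret AEAD suites only; '!RC4' keeps the ban explicit even on
    # OpenSSL builds that still ship RC4.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!RC4:!aNULL:!eNULL:!MD5")
    return ctx


def context_offers_rc4(ctx: ssl.SSLContext) -> bool:
    """True if any cipher the context would offer in its ClientHello uses RC4."""
    return any("RC4" in c["name"] for c in ctx.get_ciphers())


def session_is_acceptable(protocol: str, cipher_name: str) -> bool:
    """Decide whether a negotiated (protocol, cipher) pair survives the cut-off.

    protocol is the string SSLSocket.version() returns, e.g. 'TLSv1.2';
    cipher_name is the first element of SSLSocket.cipher().
    """
    if protocol in BANNED_PROTOCOLS:
        return False
    return not any(bad in cipher_name.upper() for bad in BANNED_CIPHER_SUBSTRINGS)


def audit_starttls(host: str, port: int = 587, timeout: float = 10.0):
    """Upgrade an SMTP session with STARTTLS and report what was negotiated.

    Needs network access; host is a relay you operate (hypothetical here).
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=hardened_client_context())
        protocol = smtp.sock.version()
        cipher_name = smtp.sock.cipher()[0]
    return protocol, cipher_name, session_is_acceptable(protocol, cipher_name)


if __name__ == "__main__":
    # Constructed sample negotiations; the last two are what an old gateway might show.
    for proto, ciph in [("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
                        ("TLSv1", "RC4-SHA"), ("SSLv3", "AES128-SHA")]:
        print(proto, ciph, "accepted" if session_is_acceptable(proto, ciph) else "refused")
```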

Other tech companies out there are also killing SSLv3 and RC4 in their products, with Microsoft and Mozilla revealing last year plans to deprecate RC4 in browsers and Firefox 44 moving away from the standard in January. As F5 Networks evangelist David Holmes noted in a SecurityWeek column in November, “the simplicity of RC4 was its greatest appeal.”

Earlier this year, DROWN, a high-severity flaw affecting HTTPS and other services that rely on SSL and TLS, was patched by only 5% of affected cloud services within the first week. According to David Holmes, however, DROWN only achieved a Hello Kitty warning level because it “is only a single TLS session (Impact=3), and the exploitability is non-trivial or impossible on most counts (Exploitability = 2).”

Last year, researchers revealed FREAK, a vulnerability that allowed hackers to crack HTTPS-protected traffic by forcing vulnerable clients to downgrade to weaker crypto, while 2014 was the year of the ‘Heartbleed’ vulnerability in OpenSSL. Heartbleed, however, was still unpatched by 74% of Global 2000 organizations one year after it was publicly disclosed.
