14 DAY TRIAL // Google announced version 39 of its Chrome browser, which disables fallback to buggy SSL 3.0 from a more secure cryptographic protocol in case of client-server connection errors, thus eliminating the risk of a POODLE attack.
The new release of the browser has received a total of 42 security fixes and it is the first one to add 64-bit support for Mac.
After the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack was disclosed by security researchers at Google, the company announced its plans for fading out support for SSL completely, TLS 1.0 being the minimum version of the encryption protocol accepted in Chrome.
SSL 3.0 has been found insecure by the researchers because of a weakness in its encryption algorithm, particularly in the cipher-block chaining mode, which allowed decryption of sensitive information, like session cookies, using the man-in-the-middle (MitM) technique.
Drop of SSL 3.0 support scheduled for Chrome 40
The attack devised by the security experts at Google took advantage of the protocol negotiation mechanism in the protocol implementation, which allowed downgrading to a lower version if initial handshakes would fail.
These errors appear when the client and the server use different versions of the cryptographic protocol and are a way to find common ground for secure communication.
As such, a server using the weak SSL 3.0 would not accept traffic exchange from a client relying on TLS 1.2, this way forcing a downgrade, to TLS 1.1, and eventually, to SSL 3.0. The same behavior would be recorded in case of network glitches, which can be triggered by a malicious actor interposed between the two machines (MitM).
Important to note is that with Chrome 39, Google did not end support for SSL, only disabled the fallback mechanism, which can be enabled manually through policy or command line options.
This means that servers supporting only SSL 3.0 and lower will continue to function normally until support for the protocol is removed completely from Chrome, which is scheduled for the next version.
Thousands paid in bug bounties
Apart from disabling the protocol downgrade by default, Google also offered $41,500 / €33,000 to researchers pointing out vulnerabilities in Chrome and helping with the development cycle.
The largest bounties paid by the company amounted to $7,500 / €6,000 for a double-free glitch in Flash attributed to “biloulehibou,” and $5,000 / €4,000 for a use-after free vulnerability in Blink rendering engine, credit going to Chen Zhang of the NSFOCUS Security Team.
Google awarded an additional $16,000 / €12,760 to researchers who helped with preventing bugs from reaching the stable release of the web browser.
From the 42 vulnerabilities reported through the bug hunting program, only 12 have been highlighted in a blog post from Alex Mineer, Google technical program manager.
These included address bar spoofing, integer and buffer overflows in the PDF rendering engine Pdfium, and uninitialized memory read.
