14 DAY TRIAL // Client-server connections using the SSL 3.0 protocol will no longer be possible through Google Chrome starting version 40 of the product.
The measure comes on the heels of the recently disclosed POODLE (Padding Oracle on Downgraded Legacy Encryption) attack that downgrades a superior HTTPS connection such as TLS 1.2 to the buggy SSL 3.0, which allows extraction of sensitive information.
Falling back to SSL 3.0 can be achieved by forcing network communication errors, which would make the server assume that a higher version of the cryptographic protocol is not supported by the client, leading to trying lower, less secure versions of the protocol.
Slowly, SSL 3.0 fades out of Google Chrome
Adam Langley, security engineer at Google, published an update on Thursday, saying that the next version of Google Chrome will have the fallback to SSL 3.0 protocol disabled by default. As a result of this, some buggy servers may stop working, but websites supporting only SSL 3.0 will continue to function, until the next Chrome stable release emerges.
“Fallback to SSLv3 is disabled on canary, dev and beta channels at the moment,” Langley said, a measure that will become permanent with the release of Chrome 40. Compatibility issues are likely to arise, said the engineer.
In Chrome 39, whenever a HTTPS connection using SSL 3.0 occurs, an alert under the form of a yellow badge will be presented on the lock icon in the address bar, signaling a potential risk of confidential data leak. All websites should be updated to accept TLS 1.0 as the minimum protocol for encrypted connections.
Langley warns that even if the alert does not occur, pages could have sub-resources that are delivered through the vulnerable SSL 3.0.
POODLE attack mitigation provided in other browsers, too
Other browser developers have taken the same stance against the POODLE attack, Mozilla promising to disable the protocol by default in Firefox 34, which is scheduled for launch in late November.
In the meantime, the company released a SSL Version Control extension that mitigates the risk by setting TLS 1.0 as the minimum cryptographic protocol version.
Microsoft has also provided a tool that automatically turns SSL 3.0 use off in Internet Explorer, for those who do not want to dabble into the settings of the browser and make the change manually.
Apple already dropped support for SSL 3.0 in the Push Notification service on Wednesday, after it informed the developers last week of the change, offering the possibility to ready servers for sending encrypted data using TLS 1.0 and above.