Friday, October 24, 2014

Apple to Drop SSL 3.0 Support

Apple to Drop SSL 3.0 Support
Apple has recently announced its developers that it will be dropping support for SSL 3.0 on October 29th on its push notification service to mitigate a discovered vulnerability in the software.

 The company will be switching off this support in favour of the more secured transport layer security –TSL protocol considering that the developers will have to build in support to ensurethat uninterrupted push notification service continues. Developers presently supporting both SSL 3.0 and TSL on their push servers will not get affected with this change though those using only SSL 3.0 would need to change to TLS soon to ensure that there is no interruption in the services.

Apple has also provided an option for developers to test compatibility with the updated system and the Apple Push Notification service will soon be updated and changes to the servers may be needed to be compatible. Additional information with regards to this is also available through Apple’s Developer Portal.

Paddle Oracle On Downgraded Legacy Encryption

Earlier this month vulnerability discovered in the SSL secure socket layer 3.0 version by Google researchers was reported by Computerworld. The researchers found it possible using a man-in the-middle attacked known as Paddle Oracle On Downgraded Legacy Encryption – POODLE, the discovery introduces false errors on using TSL, urging secure connections to downgrade back to the SSL 3.0 version where nefarious users could take advantage of a design flaw in SSL 3.0 in order to skim sensitive data from the user’s computers.

In other words the flaw would enable an attacker to steal a person’s authentication cookies where the attacker and the victim are on the same network, thereby posing a risk to people who could be using public Wi-Fi.It was also disclosed earlier that the POODLE vulnerability would allow encrypted information to be stolen by an attacker with network access.

To protect users against security issues with SSL version 3.0, the Apple Push Notification server will withdraw support for SSL 3.0 and providers with SSL would need to support TSL at the earliest for continuous services.

OS X Yosemite & iOS Protection Against the Flaw

Both OS X Yosemite and iOS have protection already in place against the flaw as OS X Mavericks 10.9 and Mountain Lion – 10.8 since Apple has now patched the Poodle SSL vulnerability with its latest release.

Apple and Google have both disabled SSL 3.0 in their browsers and developer environments, while other tech giants are also doing likewise. The vulnerability is considered to be less urgent than the Heartbleed vulnerability which also tends to affect SSL 3.0 though it still affects all browsers and several web servers.

Mozilla is said to disable SSL 3.0 in Firefox version 34 which is scheduled for 25th November. Besides many other companies have also moved to stop supporting SSL 3.0 due to the flaw where one of three have found to affect a variety of products across the internet world including the Shellshock Bash vulnerability besides the Heartbleed in Open SSL. Push servers which are not upgraded to use TLS by the coming week, will no longer be capable to send push notifications.

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.