
Google Chrome 39 To Drop SSL 3.0 Support

by GH Staff

Google Chrome 40 is expected to ship in around two months, and Google is planning to stop supporting the aging SSL (Secure Sockets Layer) version 3.0.

A flaw in the design of SSL 3.0 was discovered by Google's team of security researchers. Dubbed “POODLE”, this flaw enables an attacker to retrieve sensitive information, such as authentication cookies, from HTTPS connections that use SSLv3 encryption.

POODLE is by far the biggest security flaw found in SSL 3.0, although it is not the protocol's only weakness. Designed around the middle of the 1990s, SSL version 3 supports outdated cipher suites that are now considered insecure from a cryptographic standpoint.

Today HTTPS connections usually use TLS (Transport Layer Security), versions 1.0 to 1.2. Many servers and browsers, however, have continued to support SSL 3.0: browsers so that they can still connect securely to older servers, and servers so that they can still connect securely to older browsers.

The impact of POODLE is multiplied because anyone attacking an HTTPS connection can force it to downgrade from TLS to SSL 3.0. Security experts have waited a long time to see a change, and for these reasons it now looks set to happen.

The SSL Pulse project posted a survey in October showing that 98% of the 150,000 most popular HTTPS-enabled websites worldwide supported SSLv3, as well as any number of TLS versions. Therefore, instead of waiting for hundreds of thousands of servers to be reconfigured, browsers can simply remove their own support for SSL 3.0.
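One way to check whether a single server is among those that still accept SSLv3 is to offer it an SSLv3-only ClientHello and read the first record it sends back. The sketch below is an added example, not code from this article or from SSL Pulse; the function names and the sample reply bytes are constructed for illustration.

```python
import socket
import struct

SSL3 = b"\x03\x00"  # wire version of SSL 3.0 (TLS 1.0-1.2 are 03 01 to 03 03)

def build_sslv3_client_hello():
    """Minimal ClientHello that offers SSL 3.0 only."""
    # RSA suites an SSLv3 server commonly had: AES128/256-SHA, 3DES-SHA, RC4-SHA, RC4-MD5
    ciphers = bytes.fromhex("002f0035000a00050004")
    body = (SSL3 + bytes(32)              # client_version, 32-byte random (zeros: probe only)
            + b"\x00"                     # empty session id
            + struct.pack("!H", len(ciphers)) + ciphers
            + b"\x01\x00")                # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Interpret the first record sent back in answer to the SSLv3-only hello."""
    if len(data) < 6:
        return "no-reply"
    rec_type, version = data[0], data[1:3]
    if rec_type == 0x16 and data[5] == 0x02:   # handshake record carrying a ServerHello
        return "sslv3-accepted" if version == SSL3 else "other-version"
    if rec_type == 0x15:                       # alert record: the offer was refused
        return "sslv3-refused"
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Send the hello to a server you administer and classify its answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            return classify_reply(s.recv(16))
        except (socket.timeout, ConnectionResetError):
            return "no-reply"

# Constructed sample replies (not captured traffic) for checking the parser offline.
SAMPLE_SERVER_HELLO = bytes.fromhex("160300002a020000260300")  # start of an SSLv3 ServerHello
SAMPLE_ALERT = bytes.fromhex("15030000020228")                 # fatal handshake_failure(40)
SAMPLE_TLS_ALERT = bytes.fromhex("15030100020246")             # fatal protocol_version(70)

if __name__ == "__main__":
    for name, sample in [("hello", SAMPLE_SERVER_HELLO), ("alert", SAMPLE_ALERT)]:
        print(name, classify_reply(sample))
```

A result of `sslv3-accepted` means the server will still negotiate SSL 3.0 and needs it switched off in its TLS configuration.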

The POODLE flaw was revealed publicly on October 14th, and Google released a statement saying that it hopes to remove support for SSL 3.0 entirely from its client products over the next few months. More details can be found in a post on the Chromium security mailing list by Adam Langley, a Google security engineer.

Langley stated: “In Chrome 40, we plan on disabling SSLv3 completely, although we are keeping an eye on compatibility issues that may arise. In preparation for this, Chrome 39 will show a yellow badge over the lock icon for SSLv3 sites. These sites need to be updated to at least TLS 1.0 before Chrome 40 is released.”

According to Adam Langley, Chrome 39 will be released in a couple of weeks. It will not support SSL 3.0, which in turn prevents attackers from downgrading TLS connections.

Chrome 38 was released on October 7th, so Chrome 40 is expected around the latter part of December. This is based on Google Chrome's history of following a six-week release cycle for major versions.

Other browser vendors will need to take similar action. Microsoft has already released a tool called FixIt, which users can use to disable SSL 3.0 in Internet Explorer. According to Mozilla, Firefox 34 will be released on November 25th with SSL 3.0 disabled by default.