
Google and Mozilla to disable SSLv3 encryption

Google and Mozilla have confirmed plans to disable the SSL version 3.0 encryption standard in their browsers in the wake of reports of a vulnerability.

Dubbed POODLE, the bug in the widely used web encryption technology could allow hackers to compromise private information including cookies and passwords, and use them to access user accounts on vulnerable websites.

Mozilla said in a statement: "The POODLE attack can be used against any browser or website that supports SSLv3.

"This affects all current browsers and most websites. As noted above, only 0.3% of transactions actually use SSLv3.

"Though almost all websites allow connections with SSLv3 to support old browsers, it is rarely used, since there are very few browsers that don’t support newer versions of TLS."

As part of efforts to fix the issue, Mozilla will deactivate SSL 3.0 by default in its upcoming version ‘Firefox 34’, while the code to turn off the security protocol will be accessible via Mozilla Nightly.

The company added: "As an additional precaution, Firefox 35 will support a generic TLS downgrade protection mechanism known as SCSV.

"If this is supported by the server, it prevents attacks that rely on insecure fallback."

However, Google noted that its Chrome browser and servers have supported TLS_FALLBACK_SCSV since February, and that Chrome has already begun trialling changes that disable the fallback to SSL 3.0.
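The server-side check behind TLS_FALLBACK_SCSV, as an added example that is not code from this article, Mozilla or Google: it follows the rule published in RFC 7507, where a ClientHello carrying the signalling value 0x5600 at a version below the server's best is answered with the fatal alert inappropriate_fallback (86). The function names, the TLS 1.2 server maximum and the sample hellos are assumptions constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value, RFC 7507
INAPPROPRIATE_FALLBACK = 86       # fatal alert code, RFC 7507
SSL3, TLS10, TLS12 = (3, 0), (3, 1), (3, 3)   # (major, minor) wire versions


def parse_client_hello(body):
    """Return (client_version, cipher_suite_ids) from a ClientHello body."""
    if len(body) < 35:            # version(2) + random(32) + session_id length(1)
        raise ValueError("truncated ClientHello")
    version = (body[0], body[1])
    pos = 34
    pos += 1 + body[pos]          # skip session_id
    if pos + 2 > len(body):
        raise ValueError("missing cipher_suites length")
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    return version, list(struct.unpack_from("!%dH" % (cs_len // 2), body, pos))


def server_decision(body, server_max=TLS12):
    """Apply the RFC 7507 server rule to one ClientHello (hypothetical helper)."""
    version, suites = parse_client_hello(body)
    # SCSV present means the client is retrying at a lower version than it
    # supports. If the server could have gone higher, something forced the
    # downgrade, so abort instead of negotiating the weaker protocol.
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return ("alert", INAPPROPRIATE_FALLBACK)
    return ("continue", version)


def build_hello(version, suites):
    """Build a constructed ClientHello body (zero random, empty session_id)."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    return (bytes(version) + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")


if __name__ == "__main__":
    samples = {
        "normal TLS 1.2 hello": build_hello(TLS12, [0xC02F, 0x002F]),
        "fallback retry at SSLv3": build_hello(SSL3, [0x002F, TLS_FALLBACK_SCSV]),
        "legacy SSLv3-only client": build_hello(SSL3, [0x002F]),
    }
    for name, hello in samples.items():
        print(name, "->", server_decision(hello))
```

A client that speaks only SSLv3 and sends no SCSV is still accepted by this rule, so the mechanism complements disabling SSL 3.0 rather than replacing it.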

Google said in a statement: "This change will break some sites and those sites will need to be updated quickly.

"In the coming months, we hope to remove support for SSL 3.0 completely from our client products."

CBR Staff Writer
