Wednesday 15 October 2014

Google Warns of Design Vulnerability in SSL 3.0


Google on Tuesday announced that it has discovered a "vulnerability in the design of SSL version 3.0."
The vulnerability, which Google announced on its security blog and detailed in a security advisory [PDF link], "allows the plaintext of secure connections to be calculated by a network attacker."
Google's Bodo Möller discovered the issue, along with Googlers Thai Duong and Krzysztof Kotowicz.
This isn't the first time SSL — the security protocol that the Internet uses for encryption and security — has had issues. Earlier this year, a years-old bug in OpenSSL known as Heartbleed was publicly revealed.
This particular bug affects SSL version 3.0, which Google notes is nearly 15 years old. It has been replaced by TLS 1.0, TLS 1.1 and TLS 1.2, but the discovery is still a concern because most modern TLS implementations are still backward compatible with SSL 3.0.
Most web browsers still support SSL 3.0 and can even fall back to the old protocol if something else isn't working or if use of the protocol is triggered by a network attacker.
Google says that disabling SSL 3.0 support is enough to mitigate the issue, but that could cause compatibility issues. Therefore, the company has announced support for TLS_FALLBACK_SCSV, which will prevent SSL 3.0 from being used when a client attempts to retry a failed connection.
Google says that Chrome has supported TLS_FALLBACK_SCSV since February and that it is testing changes Tuesday that will disable fallback to SSL 3.0. In the coming months, Google hopes to remove support for SSL 3.0 from all of its products.
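The server side of the TLS_FALLBACK_SCSV check described above, as an added example that is not code from Google or from any TLS library. The signalling value 0x5600 and alert 86 are the ones later standardized in RFC 7507; the function names, the server policy and the ClientHello bytes are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600           # signalling cipher suite value (RFC 7507)
ALERT_INAPPROPRIATE_FALLBACK = 86    # fatal alert sent on a detected downgrade
ALERT_PROTOCOL_VERSION = 70          # offered version is below the server minimum
SSL3, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303

def build_client_hello(version, suites):
    """Constructed sample: ClientHello body, empty session id, no extensions."""
    suite_bytes = b"".join(struct.pack("!H", s) for s in suites)
    return (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", len(suite_bytes)) + suite_bytes + b"\x01\x00")

def parse_client_hello(body):
    """Return (client_version, [cipher suites]) from a ClientHello body."""
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = struct.unpack_from("!H", body, 0)[0]
    pos = 34                          # skip version (2 bytes) + random (32 bytes)
    pos += 1 + body[pos]              # skip session id length byte and session id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    (n,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if n % 2 or pos + n > len(body):
        raise ValueError("bad cipher suite list")
    return version, list(struct.unpack_from("!%dH" % (n // 2), body, pos))

def server_decision(body, server_max=TLS12, server_min=TLS10):
    """Hypothetical server policy: ('accept', version) or ('alert', code)."""
    version, suites = parse_client_hello(body)
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        # The client marks this as a retry at a lower version, but the server
        # supports a higher one, so the earlier failure was not the server's.
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    if version < server_min:
        return ("alert", ALERT_PROTOCOL_VERSION)
    return ("accept", min(version, server_max))

if __name__ == "__main__":
    first = build_client_hello(TLS12, [0xC02F, 0x002F])
    retry = build_client_hello(SSL3, [0x002F, TLS_FALLBACK_SCSV])
    print(server_decision(first), server_decision(retry))
```

A client that retries at SSL 3.0 without the signalling value is only stopped when the server's minimum version excludes SSL 3.0, which is why the fallback signal and disabling SSL 3.0 are complementary.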
Silver lining
Although the problem Google has discovered looks severe, the good news is that it can be mitigated by upgrading to a newer version of a web browser. In the case of Google Chrome, Mozilla Firefox and Opera, the rolling, automatic-updating nature of the browser means that users can get fixes quickly.
We expect Mozilla (Firefox), Microsoft (Internet Explorer) and Apple (Safari) to issue updates to their browsers to support TLS_FALLBACK_SCSV and to follow Google's lead in dropping support for SSL 3.0.
For websites that may break if SSL 3.0 support is dropped, the onus will be on those site maintainers to update their code to modern standards immediately.
This story is still developing
Posted by : Gizmeon
