Apple said Wednesday it will stop supporting the encryption standard Secure Sockets Layer 3.0 for its push notifications service in response to a vulnerability identified earlier this month in the aging protocol. Apple announced on its developer site that it will switch on October 29 from SSL 3.0 to Transport Layer Security (TLS), SSL’s more modern, less vulnerable younger sibling. Disclosed earlier this month, the vulnerability, called POODLE, allows encrypted information to be exposed by an attacker with network access.
Apple will stop support next week for an encryption protocol found to contain a severe vulnerability, the company said on Wednesday. Support for SSL 3.0 will cease as of Oct. 29, it said. “Providers using only SSL 3.0 will need to support TLS as soon as possible to ensure the Apple Push Notification service continues to perform as expected,” according to a note to developers. “Providers that support both TLS and SSL 3.0 will not be affected and require no changes.”
Google researchers revealed last week they found a flaw in SSL (Secure Sockets Layer) version 3.0, which was released more than 15 years ago. SSL has been replaced by TLS (Transport Layer Security), but the old versions are still used by some servers across the Internet and are supported by web browsers. The researchers found it was possible using a man-in-the-middle attack—nicknamed “POODLE”—to downgrade the SSL/TLS connection to the less-secure 3.0 version, where the flaw could allow an attacker to steal a person’s authentication cookies. The attacker and victim must be on the same network, posing a risk to people using public Wi-Fi.