Slashdot Mirror


Google To Disable Fallback To SSL 3.0 In Chrome 39 and Remove In Chrome 40

An anonymous reader writes: Google today announced plans to disable fallback to version 3 of the SSL protocol in Chrome 39, and remove SSL 3.0 completely in Chrome 40. The decision follows the company's disclosure of a serious security vulnerability in SSL 3.0 on October 14, the attack for which it dubbed Padding Oracle On Downgraded Legacy Encryption (POODLE). Following Mozilla's decision on the same day to disable SSL 3.0 by default in Firefox 34, which will be released on November 25, Google has laid out its plans for Chrome. This was expected, given that Google Security Team's Bodo Möller stated at the time: "In the coming months, we hope to remove support for SSL 3.0 completely from our client products."

7 of 70 comments

  1. 2014 by pushing-robot · Score: 4, Funny

    It may still not be the year of Linux on the desktop, but it is the year of silly names on serious exploits.

    --
    How can I believe you when you tell me what I don't want to hear?
    1. Re:2014 by NotInHere · Score: 2

      Computer Security is boring to most people, and when you give them funny names, or funny logos, issues are more likely to become popular, and are more easily memorized.

  2. Re:If lack of security updates didn't kill IE 6... by sexconker · Score: 3, Informative

    Tools
    Internet Options
    Advanced
    Security
    Use TLS 1.0
    OK

  3. Pros and Cons by Anonymous Coward · Score: 2, Interesting

    While I respect this decision, I can't help but think many end users will see it as a broken browser and will use IE or something else for sites which no longer work with Chrome.

    Chrome's market share will drop a bit unless/until all other browsers do this too.

    1. Re:Pros and Cons by NotInHere · Score: 2

      "Today, Firefox uses SSLv3 for only about 0.3% of HTTPS connections." : https://blog.mozilla.org/secur...

      The browser vendors act this fast only because SSL 3.0 isn't used for almost all connections.

    2. Re:Pros and Cons by thegarbz · Score: 2

      The state of SSL already behaves like a broken browser.

      Why do I get a serious warning that says my communications are not private when I visit a website with a self-signed SSL certificate, but we get a free pass sending unencrypted information around the internet?

      How is providing a base level of encryption less private or less secure than sending something in plaintext simply because the other end hasn't paid a fee to a third party?

  4. Re:If lack of security updates didn't kill IE 6... by pavon · Score: 2

    It may also bring back the days of banks requiring the use of IE, as none of the citi group websites support any version of TLS. Of course, those in the know should cancel their citi accounts. Even if you don't use their website, if their security is this lax in one area, it probably isn't great in others as well. Sucks for people with mortgages and such that are very expensive to move to another company, though.