Slashdot Mirror


Google To Deprecate SSLv3, RC4 in Gmail IMAP/POP Clients (threatpost.com)

Michael Mimoso, reporting for Threatpost: Google said that it will initiate on June 16 a gradual deprecation of SSLv3 and RC4 for Gmail IMAP/POP mail clients. Both the crypto protocol and cipher are notoriously unsafe and are being phased out in big chunks of the Internet. Google, for its part, had already announced in May that it would no longer support SSLv3 and RC4 connections for Gmail SMTP. Google does note that most mail clients already default to safer TLS connections, and most will not be affected by the impending changes. "Unlike Gmail SMTP, this change will be rolled out as a gradual change, where it may take longer than 30 days for users to be fully restricted from connecting to Gmail from SSLv3 or RC4 connections; however, we recommend updating your clients soon in order to avoid any potential disruption," Google said in an announcement.

25 comments

  1. Google to slowly make GMail irrelevant by Anonymous Coward · · Score: 1

    Can't tell you how many clients can't actually access Gmail IMAP without "downgrading its security settings" because of their insistence on OAuth.

    1. Re:Google to slowly make GMail irrelevant by Anonymous Coward · · Score: 0

      Yeah, I had to go in and explicitly allow "Less Secure Programs" before I could connect through IMAP. Which is bullshit because my IMAP client is perfectly capable of speaking TLSv1.2, it isn't any "Less Secure" than logging in via the browser.

  2. Is this going to affect... by Anonymous Coward · · Score: 0

    my Linux conky script that fetches email?

    1. Re: Is this going to affect... by Anonymous Coward · · Score: 0

      No. Linux is already incapable of connecting to modern email systems like Gmail. This will not change anything in any way you will notice.

    2. Re: Is this going to affect... by Anonymous Coward · · Score: 0

      An intelligent answer would be better.

    3. Re: Is this going to affect... by Anonymous Coward · · Score: 0

      That is an intelligent and correct answer. Stop whining.

    4. Re: Is this going to affect... by LichtSpektren · · Score: 1

      No. Linux is already incapable of connecting to modern email systems like Gmail. This will not change anything in any way you will notice.

      Pray tell, what OS kernels have POP3/IMAP built in? Pretty sure it's not Windows, anything POSIX or iOS, because all of them rely on userspace tools for email.

    5. Re: Is this going to affect... by wonkey_monkey · · Score: 1

      "Windows" is just as incapable of connecting to Gmail as "Linux" is.

      --
      systemd is Roko's Basilisk.

    6. Re: Is this going to affect... by Anonymous Coward · · Score: 0

      No. Linux is already incapable of connecting to modern email systems like Gmail.

      I use Linux, and I can confirm that it has the TCP drivers needed to support a connection to GMail.

      Of course, I also use an e-mail client (Thunderbird in my case) to speak the POP3 protocol over that TCP connection to GMail.

      Linux by itself doesn't have a convenient way of speaking POP3 to GMail, but it's certainly easy to install an e-mail client on Linux that does.

  3. PCI 3.1 compliance is also requiring tls v 1.2 by Anonymous Coward · · Score: 0

    This should help put one more stake in the <=IE8 vampire.

    Actually, some IE10 configurations don't even support TLS v1.2 if they're unpatched!

  4. Re: Why, moderators? by LichtSpektren · · Score: 2

    I suppose one of the bigoted moderators really didn't like my question. No surprise here.

    It might have something to do with the fact that your comment was 100% off-topic.

  5. Old people are left behind by Anonymous Coward · · Score: 0

    My parents are 60+ years old and used Outlook Express exclusively. To teach them to use another client will be almost impossible. I don't think they were ever in danger for only using SSL.

    1. Re:Old people are left behind by LichtSpektren · · Score: 2

      My parents are 60+ years old and used Outlook Express exclusively. To teach them to use another client will be almost impossible. I don't think they were ever in danger for only using SSL.

      Please do your parents a favor and move them off of Windows XP. It will take work and lots of aggravation no doubt, but their safety is worth that.

    2. Re:Old people are left behind by ModernGeek · · Score: 1

      Get them an iPad

      --
      Sig: I stole this sig.

    3. Re:Old people are left behind by Anonymous Coward · · Score: 0

      Please do your parents a favor and move them off of Windows XP. It will take work and lots of aggravation no doubt, but their safety is worth that.

      Wow, some great FUD there. How is XP so horribly worse than all the other OSes, pray tell? And what is the balance between perfect security, the misery of the elderly who are "just trying to send an email", and the unbelievably minuscule chance they'll get hacked because of XP, not because of email phishing or web ads?

    4. Re:Old people are left behind by Anonymous Coward · · Score: 0

      Ditto about that great FUD. FUD like that makes it sound like the latest and greatest is somehow perfect. Newsflash: the latest Windows 10 or whatever has security holes, and the black hats probably already know about them. You just won't know about them until next year or so.
      And besides, the real headache vulnerabilities are in the applications you use to bring data in to your system. Such as a web browser, PDF reader, Flash, etc. Even then, with a bit of common sense, proper configuration, and third party tools it can all be managed.

    5. Re:Old people are left behind by eam3 · · Score: 1

      My father is 88 years old and my mom is 79, both are as computer illiterate as your average user. They both used Outlook Express for years. A few years ago I moved them to W7 (and now W10) and they both adapted to Outlook just fine.

    6. Re:Old people are left behind by LichtSpektren · · Score: 1

      Please do your parents a favor and move them off of Windows XP. It will take work and lots of aggravation no doubt, but their safety is worth that.

      Wow, some great FUD there. How is XP so horribly worse than all the other OSes, pray tell? And what is the balance between perfect security, the misery of the elderly who are "just trying to send an email", and the unbelievably minuscule chance they'll get hacked because of XP, not because of email phishing or web ads?

      "Unbelievably minuscule chance they'll get hacked..." right. For all of us who have to suffer botnet DDoS attacks because of people like you, please move your parents off of an OS that no longer receives security updates. They may be interested in Ubuntu or Linux Mint if you explain it to them well.

  6. Windows Phone 7 might have a problem by Anonymous Coward · · Score: 0

    I understand that the IMAP/POP client included with Windows Phone 7 does not support TLS. In fact, it was reported that the CPU goes to 100% usage and the phone locks up.

    http://answers.microsoft.com/en-us/mobiledevices/forum/mdlumia-mdservices/windows-phone-7-doesnt-support-tls-on-imap-email/bf26471e-c330-4a04-b6bf-96e8ae2ea04e

    Of course, Windows Phone 7 is fairly old but it does show the problem with mobile devices that are difficult to upgrade.

    1. Re:Windows Phone 7 might have a problem by Anonymous Coward · · Score: 0

      Wow, this will be a problem for all three people that fell for the WP7 trap!

  7. Meanwhile nobody is intercepting you except by Anonymous Coward · · Score: 0

    Google/US Government.

    Pretend you are secure.

    1. Re: Meanwhile nobody is intercepting you except by Anonymous Coward · · Score: 0

      And the governments of the CA certs your client trusts, and various private security agencies root certs were given out to, plus any of their partners, plus any of the 300+ dupe erroneous certs issued in the last year for major domains.

      And their neighbours, and their neighbours' tennis partners, and their pets.

      But other than that, perfectly safe.

    2. Re: Meanwhile nobody is intercepting you except by Anonymous Coward · · Score: 0

      And the governments of the CA certs your client trusts, and various private security agencies root certs were given out to, plus any of their partners, plus any of the 300+ dupe erroneous certs issued in the last year for major domains.

      And their neighbours, and their neighbours' tennis partners, and their pets.

      But other than that, perfectly safe.

      Here's the scoop. With open source like Linux there is never a registration between you and Linus Torvalds or anybody. Download it, install it, and enjoy. Nobody cares about your name, address, Facebook profile, Google "G" mail, or any other US Government data. You can install Linux, install a browser like Firefox, enter your bank website and go for it. Your CA certs are the same as anybody else. Only in dickhead Microsoft world and homo Apple land do you have to tell them your life story and give them access to your personal data for life. Chrome is Google and so is Android. It is literally all spyware by the US Government and it is shared internationally. Google captchas and trackers are the predominant tracking on the interwebs. The US's other big companies profile you and share, and the US tax payers pay for it.