Google Takes New Steps to Block POODLE Flaw
Google plans to disable support for SSL 3.0 in an upcoming Chrome release. Mozilla has similar intentions.Google researchers first publicly disclosed a flaw dubbed "POODLE" in the SSL 3.0 protocol on Oct. 14. Though Google made a patch available for servers to help mitigate the risk, one of the best long-term solutions to the flaw is for browser vendors to drop support for SSL 3.0, which is now what Google is pledging to do for its Chrome browser. The POODLE, or Padding Oracle On Downgraded Legacy Encryption, vulnerability could potentially enable an attacker to access and read encrypted communications. SSL 3.0 is a legacy protocol that has been replaced by the newer TLS 1.2 although many browser and server vendors have still supported SSL 3.0 as a fallback mechanism. In a mailing list posting, Google developer Adam Langley wrote that for the upcoming Chrome 39 stable release, SSL 3.0 fallback will be disabled. "SSLv3 fallback is only needed to support buggy HTTPS servers," Langley wrote. "Servers that correctly support only SSLv3 will continue to work (for now), but some buggy servers may stop working."
If a user hits a server or online application that doesn't work, due to the SSL 3.0 fallback removal, Chrome will show a yellow badge over the lock icon in the browser. By disabling the fallback and showing the yellow warning badge, Google is giving site owners a chance to update their sites before dropping SSL 3.0 entirely. The current plan is for Chrome 40 to completely disable SSL 3.0 support.