Enterprises still running Web or email servers that accept the long obsolete SSLv3 protocol or the RC4 stream cipher have one month to update their TLS configurations if they want to continue exchanging mail with Google’s mail servers.
After June 16, 2016, Google will formally disable support for both SSLv3 and RC4 on its Simple Mail Transfer Protocol (SMTP) servers as well as on Gmail Web servers.
As a result, “servers sending messages via SSLv3 and RC4 will no longer be able to exchange mail with Google’s SMTP servers,” the company announced this week. “Some users using older and insecure mail clients won’t be able to send mail.”
Google first announced its plans to drop support for SSLv3 and RC4 last September, citing the many known weaknesses in both. At the time, the company said it would disable them on its front-end servers as well as in Chrome, on Android, on its SMTP systems and on all of its other systems.
In announcing the phase-out last year, Google pointed out that SSLv3, though still widely implemented, was superseded by TLS 1.0 some 16 years ago. The protocol has so many problems that the Internet Engineering Task Force (IETF) has formally deprecated it as unsafe for use (RFC 7568), Google said at the time. Though SSLv3 is rarely negotiated these days, many Websites still enable it for backward-compatibility reasons, which is exactly what a downgrade attack relies on. RC4 is in a similar position: its keystream biases have been turned into practical attacks on TLS traffic, and the IETF has likewise prohibited its use in TLS (RFC 7465), the company noted.
Google recommended a set of actions that Website owners can take to disable SSLv3 and RC4 and move to modern Transport Layer Security (TLS) configurations. As part of those recommendations, Google also specified a new minimum TLS baseline for browsers and other clients, intended to keep them working with Google’s servers through at least 2020.
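The kind of check an operator would want after applying such recommendations is to confirm that the server-side TLS configuration can no longer negotiate SSLv3 or offer RC4. The following is an added example written for this page, not Google’s published guidance or code: it builds a lax and a hardened `ssl.SSLContext` with Python’s standard library and audits each against a baseline. The baseline itself (TLS 1.2 or later, no RC4, only forward-secret ECDHE key exchange with AES-GCM) is this editor’s assumption of a reasonable modern policy, not the exact list Google published.

```python
"""Audit Python ssl.SSLContext objects against a modern TLS baseline.

Added example, not code from the original article. The policy encoded
here (TLS 1.2+, no RC4, forward-secret suites only) is an assumption
standing in for a site's own baseline; OpenSSL enforces it, this code
only configures the contexts and inspects what they would offer.
"""
import ssl
from typing import List

MIN_VERSION = ssl.TLSVersion.TLSv1_2


def hardened_context() -> ssl.SSLContext:
    """Server context that cannot negotiate SSLv3, TLS 1.0/1.1 or RC4."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MIN_VERSION  # SSLv3 and TLS 1.0/1.1 are no longer negotiable
    # ECDHE key exchange with AES-GCM only. '!RC4' is belt and braces:
    # 'ECDHE+AESGCM' already cannot match an RC4 suite.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!RC4")
    return ctx


def lax_context() -> ssl.SSLContext:
    """The 'before' picture: lowest version the library allows, every cipher."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.set_ciphers("ALL:!aNULL")
    return ctx


def audit(ctx: ssl.SSLContext) -> List[str]:
    """Return policy findings for a context; an empty list means it passes."""
    findings = []
    if ctx.minimum_version < MIN_VERSION:
        findings.append(
            "minimum protocol version below TLS 1.2 (SSLv3/TLS 1.0/1.1 negotiable)"
        )
    for suite in ctx.get_ciphers():
        name = suite["name"]
        if "RC4" in name:
            findings.append(f"RC4 suite offered: {name}")
        # TLS 1.3 suites always use an ephemeral key exchange; for TLS 1.2
        # and older it shows up in the suite name as DHE or ECDHE.
        if suite["protocol"] != "TLSv1.3" and "DHE" not in name:
            findings.append(f"no forward secrecy: {name}")
    return findings


if __name__ == "__main__":
    for label, ctx in (("lax", lax_context()), ("hardened", hardened_context())):
        print(f"{label}: {audit(ctx) or 'OK'}")
```

Against a live server the equivalent external probe is `openssl s_client -connect mail.example.com:25 -starttls smtp -ssl3` (and, separately, `-cipher RC4`); a failed handshake is the desired result. Note that recent OpenSSL builds omit SSLv3 entirely, in which case the `-ssl3` probe cannot be run from that host and a build that still has it is needed. On such builds `lax_context()` also cannot actually offer RC4, so the audit reports only the version finding for it.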
Concerns over the security of SSLv3 and RC4 have lingered for years, but bubbled to the surface in late 2014 when security researchers at Google disclosed a design flaw in SSLv3’s handling of CBC padding, which gives an attacker on the network path who can force a connection to fall back to SSLv3 a way to decrypt pieces of the encrypted traffic between a browser and a Web server.
The flaw and its associated attack, dubbed ‘POODLE’ (Padding Oracle On Downgraded Legacy Encryption), raised widespread concerns about attackers stealing session cookies, passwords and other credentials, including those protecting Internet users’ online bank accounts.
POODLE prompted the Mozilla Foundation to announce almost immediately that it would disable support for SSLv3 in its Firefox browser. Even though Firefox at the time used SSLv3 for barely 3 percent of secure connections, that still amounted to millions of transactions per day, Mozilla said. Mozilla ended support for the protocol with Firefox 34, released in December 2014.
Microsoft followed suit by announcing plans to disable SSLv3 by default in Internet Explorer, Azure, Office 365 and across all Microsoft online services that still used the protocol, starting in December 2014.