
Mozilla And Google To Drop SSLv3 Support - No Longer Secure

GoodBytes

Major web browsers Google and Mozilla have announced today that they will drop SSLv3 support in their future web browser releases.

The reason for this is that SSLv3 has been discovered to be no longer secure, and therefore useless. To discourage its usage by web sites, both web browsers partnered up in agreement to drop support.

 

 

Discovered and publicised in a document released back in September by Googlers Bodo Möller, Thai Duong and Krzysztof Kotowicz, the Poodle attack - Padding Oracle On DOwngraded Legacy Encryption - allows attackers to obtain bearer tokens, including supposedly secure HTTP cookies that would allow a supposedly authenticated and encrypted SSL 3.0 session to be hijacked for nefarious means.

 

The flaw stems from backwards compatibility added to most browsers. While the majority of sites have long since abandoned Secure Sockets Layer (SSL) encryption in favour of its replacement Transport Layer Security (TLS), a few sites have not - and to support these, browsers include the outdated SSL standards and will negotiate downwards to the highest security standard supported by a given site. This downgrade process can also be exploited by an attacker, however, forcing a connection to use a known-weak encryption method despite supporting better standards.

Reports Bit-Tech.net

 

 

The better news is that Mozilla estimates, at least with its current users, that only 0.3% of web sites are affected, mostly web sites that provide IE6 support, as IE6, due to its age, doesn't support anything higher than SSLv3.

 

Barnes indicates that only 0.3 per cent of transactions carried out via the Firefox web browser require SSLv3, but admits that 'due to the size of the web, it still amounts to millions of transactions per day.' Particularly badly affected will be sites that support legacy users, with older browsers like Internet Explorer 6 unable to support anything higher than SSLv3 - thus disabling secure connectivity altogether if the server has SSLv3 disabled.

 

The full detailed paper on the attack on SSLv3 can be found here: https://www.openssl.org/~bodo/ssl-poodle.pdf

 

Source: http://www.bit-tech.net/news/bits/2014/10/15/google-mozilla-sslv3/1

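The version fallback described in the quoted article, as an added example (a simplified model written for this page, not code from the post, Bit-Tech, or either browser). The function names, the sample server sets and the `interference` callback are hypothetical, and no real TLS handshake is performed; it shows why raising the client's minimum version makes the connection fail closed instead of settling on SSLv3.

```python
# Added illustration: a toy model of version fallback. No real TLS is performed.
VERSIONS = ["SSLv3", "TLS1.0", "TLS1.1", "TLS1.2"]  # oldest to newest

MODERN_SERVER = set(VERSIONS)                 # constructed: still accepts SSLv3
HARDENED_SERVER = set(VERSIONS) - {"SSLv3"}   # constructed: SSLv3 disabled
LEGACY_SERVER = {"SSLv3"}                     # constructed: SSLv3 only


def handshake(offered, server_versions, interference):
    """One attempt with `offered` as the client's highest version.

    The server answers with its best version not above `offered`.
    Returns that version, or None if the attempt fails.
    """
    if interference(offered):
        return None  # attempt disrupted on the network path
    ceiling = VERSIONS.index(offered)
    usable = [v for v in VERSIONS[:ceiling + 1] if v in server_versions]
    return usable[-1] if usable else None


def connect(server_versions, client_min="SSLv3", client_max="TLS1.2",
            interference=lambda offered: False):
    """Client fallback: retry with lower versions, never below client_min."""
    floor, top = VERSIONS.index(client_min), VERSIONS.index(client_max)
    for offered in reversed(VERSIONS[floor:top + 1]):
        agreed = handshake(offered, server_versions, interference)
        if agreed is not None and VERSIONS.index(agreed) >= floor:
            return agreed
    return None  # fail closed: no acceptable version


def tls_attempts_fail(offered):
    """Constructed condition: every attempt above SSLv3 is disrupted."""
    return offered != "SSLv3"


if __name__ == "__main__":
    print("normal:", connect(MODERN_SERVER))
    print("fallback allowed:", connect(MODERN_SERVER, interference=tls_attempts_fail))
    print("SSLv3 dropped in client:",
          connect(MODERN_SERVER, client_min="TLS1.0", interference=tls_attempts_fail))
    print("IE6-like client, hardened server:",
          connect(HARDENED_SERVER, client_max="SSLv3"))
```

The last case is the trade-off the article mentions: a client that tops out at SSLv3 gets no secure connection at all once the server disables it.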

Well, this is the generation of major security breaches. My question is what encryption method is secure, as the NSA has backdoors in almost all of them. Edward Snowden even says stay away from Google.


Well, this is the generation of major security breaches. My question is what encryption method is secure, as the NSA has backdoors in almost all of them.

no ....
