Google heads out the back with rifle, puts down POODLE

Next Chrome includes death knell for SSL

Google will destroy vicious POODLE in a pending update to its flagship Chrome browser.

Update 40 will remove SSLv3 fallback support, closing off the hard-to-exploit cookie-stealing Padding Oracle on Downgraded Legacy Encryption (POODLE) attack.

Mountain View followed Redmond in its browser POODLE put-down: a single-click FixIt SSLv3 disabler was issued for Internet Explorer, ahead of outright removal in a few months.

Google security engineer Adam Langley wrote in an update that some buggy servers may stop working as a result.

"The update is that we're killing it," Langley said.

"SSLv3-fallback support allows a network attacker to force an HTTPS connection to a site to use SSLv3 [and] is only needed to support buggy HTTPS servers.

"Servers that correctly support only SSLv3 will continue to work for now but some buggy servers may stop working."

Chrome 39 will show a yellow flag over the SSL lock icon for sites still relying on SSLv3, the protocol whose design flaw allowed attackers to hijack victims' online accounts and which prompted tech companies to dump SSLv3 in upcoming releases such as Mozilla's Firefox 34.

Security experts were unanimous, when speaking to El Reg earlier this month, that sysadmins and programmers should drop support for the obsolete encryption tech from servers and applications, but were split on the seriousness of the bug.

The flag warns users about the risk of SSLv3 and warns developers that their sites will stop working in the following release unless they are updated to support the 15-year-old TLS 1.0.

Web page subresources can still be served over SSL 3.0 without triggering the yellow flag, but developers can run Chrome with --ssl-version-min=tls1 to reveal the problem on their sites.

