Mozilla to Disable SSL 3.0 in Firefox, Heralds "the End of SSL 3.0"
"Another day, another vulnerability found in a critical piece of Internet infrastructure," reported Jon Buys here on OStatic this week, as news arrived that Google has found that SSL 3.0 is vulnerable to a man-in-the-middle attack, which means someone could possibly snoop on secure communications between browsers and servers. The report detailing the POODLE vulnerability was published by Google last month, but is making headlines this week.
Now, Mozilla has said it will disable SSL 3.0, the old version 3.0 of the Secure Sockets Layer (SSL) protocol, in the latest version of its Firefox web browser, which will be released on Nov. 25, and POODLE is the reason.
According to a Mozilla post:
"SSL version 3.0 is no longer secure. Browsers and websites need to turn off SSLv3 and use more modern security protocols as soon as possible, in order to avoid compromising users’ private information."
"We have a plan to turn off SSLv3 in Firefox. This plan was developed with other browser vendors after a team at Google discovered a critical flaw in SSLv3, which can allow an attacker to extract secret information from inside of an encrypted transaction. SSLv3 is an old version of the security system that underlies secure Web transactions and is known as the “Secure Sockets Layer” (SSL) or “Transport Layer Security” (TLS)."
In late September, a team at Google discovered a serious vulnerability in SSL 3.0 and found that it can be exploited to steal certain confidential information, such as cookies.
Today, Mozilla reports that Firefox uses SSLv3 for only about 0.3% of HTTPS connections, but those connections are vulnerable. According to measurements conducted by Mozilla and the University of Michigan, approximately 0.42% of the Alexa top million domains have some reliance on SSLv3 (usually due to a subdomain requiring SSLv3), so we are likely going to see more announcements about ending reliance on SSL 3.0.
OStatic will stay tuned for more news.