Apple dumps SSL 3.0 for push notifications due to Poodle flaw

Apple said Wednesday it will stop supporting the encryption standard Secure Sockets Layer 3.0 for its push notifications service in response to a vulnerability identified earlier this month in the aging protocol.

Apple announced on its developer site that it will switch on October 29 from SSL 3.0 to Transport Layer Security (TLS), SSL’s more modern, less vulnerable younger sibling. Disclosed earlier this month, the vulnerability — called Poodle — allows encrypted information to be exposed by an attacker with network access.

“Providers using only SSL 3.0 will need to support TLS as soon as possible to ensure the Apple Push Notification service continues to perform as expected,” Apple said in its bulletin. “Providers that support both TLS and SSL 3.0 will not be affected and require no changes.”

To help developers test compatibility, Apple said it has already disabled SSL 3.0 in the development environment on its Provider Communication interface.

Poodle, which stands for Padding Oracle On Downgraded Legacy Encryption, is a problem because SSL 3.0 is used by both websites and Web browsers. Both must be reconfigured to prevent using SSL 3.0, and Poodle will remain a problem as long as SSL 3.0 is supported.

Once the most advanced form of Web encryption in use, the 15-year-old SSL 3.0 is now used by few websites, according to a study by the University of Michigan. However, Poodle still poses a threat because attackers can force browsers to downgrade to SSL 3.0.
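One way a provider could check which of its clients fall into the "SSL 3.0 only" group from the bulletin quoted above is to read the version field of the ClientHello each client sends. This is an added example, not code from Apple or the article; the function names are hypothetical and the sample records are constructed in the script rather than captured.

```python
import struct

# Wire values for the protocol versions a ClientHello can advertise.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def build_client_hello(version, suites=(0x002F, 0x0035)):
    """Build a minimal ClientHello record (constructed sample input, not a capture)."""
    body = struct.pack("!H", version) + bytes(32)       # client_version + random
    body += b"\x00"                                      # empty session_id
    body += struct.pack("!H", 2 * len(suites))           # cipher_suites length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # one method: null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", min(version, 0x0301), len(handshake)) + handshake

def offered_version(record):
    """Return client_version, the highest version the client is willing to speak."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:
        # SSLv2-compatible hellos and non-handshake records are rejected here.
        raise ValueError("not a TLS/SSL 3.0 handshake record")
    hs = record[5:5 + rec_len]
    if len(hs) < rec_len or len(hs) < 6:
        raise ValueError("truncated handshake message")
    if hs[0] != 0x01:
        raise ValueError("handshake message is not a ClientHello")
    return struct.unpack("!H", hs[4:6])[0]

def classify(record):
    """Return (version name, needs_change) for one ClientHello record."""
    version = offered_version(record)
    name = VERSIONS.get(version, "unknown 0x%04x" % version)
    # Only a client whose ceiling is SSL 3.0 stops working once the server refuses it.
    return name, version <= 0x0300

if __name__ == "__main__":
    for v in (0x0300, 0x0301, 0x0303):
        print(classify(build_client_hello(v)))
```

The version field is the client's ceiling, so a client reporting TLS here may still accept SSL 3.0 when a server asks for it; that case is the one the bulletin says needs no changes.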

Read the Full Article: Source – c|net
http://www.cnet.com/news/apple-dumps-ssl-3-0-for-push-notifications-due-to-poodle-flaw/
