The top three browser makers announced yesterday how they will deal with the design flaw in SSL 3.0 after researchers revealed that their "POODLE" attack method can steal encrypted information and pilfer browser session cookies.
Microsoft, Google and Mozilla all told users of their browsers -- Internet Explorer, Chrome and Firefox, respectively -- how they will handle the SSL 3.0 flaw, which cyber criminals could exploit using "man-in-the-middle" attacks to make off with session cookies. Those stolen cookies would let the hackers impersonate their victims, automatically logging into sites to, for example, make online purchases, read email or lift files from cloud storage services.
Mozilla was the most definite in its plans.
"SSLv3 will be disabled by default in Firefox 34, which will be released on Nov. 25," said Richard Barnes, a Mozilla security engineer, on a company blog Tuesday. "The code to disable it is landing today in Nightly, and will be promoted to Aurora and Beta in the next few weeks. This timing is intended to allow website operators some time to upgrade any servers that still rely on SSLv3."
Nightly, Aurora and Beta are, in ascending order, the roughest to most-polished builds that Mozilla generates prior to shipping the final Firefox code for a specific version.
Client-side browsers must be updated to disable SSL 3.0, but as Barnes noted, site servers must be modified as well.
Google, whose engineers published details of the POODLE attack, would not commit to a timeline for disabling SSL 3.0 in Chrome, saying only, "In the coming months, we hope to remove support for SSL 3.0 completely from our client products."
Chrome -- and Google's servers -- have supported a mechanism called SCSV, for TLS Fallback Signaling Cipher Suite Value, since February, said Bodo Möller, one of the three Google security engineers who revealed POODLE, in a blog post. SCSV, which Mozilla will also support in Firefox 34, prevents attackers from inducing browsers to use SSL 3.0 as a fallback protocol.
Chrome was updated to version 38 last week, so the next opportunity for turning off SSL 3.0 will be Chrome 39, which could appear as soon as the second half of November, or around the time Firefox 34 ships.
Like Google, Microsoft declined to set a timetable for modifying Windows to back out of SSL 3.0 support. (Internet Explorer relies on the cryptographic code in Windows rather than embedding the functionality in the browser.)
In a security advisory issued Tuesday, Microsoft acknowledged that "all supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability," but used boilerplate language to describe how it would handle POODLE.
"Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs," the advisory stated.
The next regularly-scheduled Patch Tuesday is Nov. 11.
Apple has, not surprisingly, said nothing about modifying Safari, since its policy is to not comment on ongoing security issues. But one should assume that it would drop support for SSL 3.0 with a future update as well.
This story, "Browser makers spell out anti-POODLE plans" was originally published by Computerworld.