
Microsoft will disable fallback to SSL 3.0 in IE11 on February 10, still has no date for complete SSL 3.0 removal

Microsoft today announced it will disable IE11’s fallback to version 3 of the SSL protocol two months from now: on February 10, 2015. Yet the company still has no date for removing SSL 3.0 completely from IE.

The race to kill off support for this version of the protocol comes after Google disclosed a serious security vulnerability in SSL 3.0 on October 14, the attack it dubbed Padding Oracle On Downgraded Legacy Encryption (POODLE). Fallback to SSL 3.0 is used to support buggy HTTPS servers.


When a browser connects to an HTTPS website, it will first try to do so by using the highest available encryption protocol; if that fails during the handshake, it will fall back and retry the connection with a lower encryption protocol. That will eventually be SSL 3.0, which, as already mentioned, is vulnerable to the POODLE attack.
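The retry loop described above is what "disabling fallback" actually changes, so here is a small simulation of it, added for illustration and not code from the article or from any browser. It models a client that offers protocol versions from strongest to weakest, a server that may be version-intolerant (the "buggy HTTPS server" case), and a set of offered versions whose handshakes never complete, whatever the cause. The version names, the `connect` and `server_handshake` functions and the failure model are all constructed for the example; the point it shows is that with fallback enabled a run of handshake failures lands the client on SSL 3.0 even against a server that speaks TLS 1.2, while disabling fallback (or SSL 3.0 itself) turns that into a failed connection.

```python
"""Simulation of browser protocol-version fallback (added example, not from the article)."""

# Protocol versions in the order a fallback-enabled client tries them (constructed list).
VERSIONS = ["TLS 1.2", "TLS 1.1", "TLS 1.0", "SSL 3.0"]
STRENGTH = {v: i for i, v in enumerate(VERSIONS)}  # 0 = strongest


def server_handshake(offered, server_max, intolerant):
    """Toy model of the server side of the handshake (assumption, not real TLS code).

    A well-behaved server that is offered a newer version than it supports simply
    negotiates down to its own maximum. A version-intolerant (buggy) server fails
    the handshake instead, which is the case that fallback was invented to paper over.
    The model assumes the server still has every version down to SSL 3.0 enabled.
    Returns the negotiated version or None when the handshake fails.
    """
    if STRENGTH[offered] < STRENGTH[server_max]:  # client offered something newer
        return None if intolerant else server_max
    return offered


def connect(server_max, intolerant, dropped, allow_fallback, enable_ssl3=True):
    """Client side: try versions strongest-first and apply the fallback policy.

    dropped: offered versions whose handshake never completes (constructed failure
             model covering both a broken server and interference on the path).
    allow_fallback: retry with the next-lower version after a failure (the behaviour
             IE11 keeps until February 10 in the article).
    enable_ssl3: whether SSL 3.0 is enabled in the client at all.
    Returns the negotiated version or None when the connection fails.
    """
    candidates = [v for v in VERSIONS if enable_ssl3 or v != "SSL 3.0"]
    for offered in candidates:
        if offered in dropped:
            result = None
        else:
            result = server_handshake(offered, server_max, intolerant)
        if result is not None:
            return result
        if not allow_fallback:
            return None  # no retry at a weaker version: the connection just fails
    return None


def scenarios():
    """Return the outcomes of the cases the article discusses, for inspection."""
    failing = {"TLS 1.2", "TLS 1.1", "TLS 1.0"}
    return {
        # healthy server, nothing goes wrong: fallback policy is irrelevant
        "healthy server": connect("TLS 1.2", False, set(), True),
        # version-intolerant server stuck at TLS 1.0: fallback keeps it reachable
        "buggy server, fallback on": connect("TLS 1.0", True, set(), True),
        "buggy server, fallback off": connect("TLS 1.0", True, set(), False),
        # TLS 1.2 server but every TLS handshake fails: fallback ends at SSL 3.0
        "failures, fallback on": connect("TLS 1.2", False, failing, True),
        "failures, fallback off": connect("TLS 1.2", False, failing, False),
        "failures, SSL 3.0 disabled": connect("TLS 1.2", False, failing, True, enable_ssl3=False),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:30s} -> {outcome if outcome else 'connection failed'}")
```

The "buggy server, fallback off" case is the compatibility cost the article alludes to: the servers that needed fallback stop working when it is disabled, which is the trade-off Microsoft cites for moving slowly. The two "failures" cases show why disabling fallback is a meaningful mitigation even while SSL 3.0 stays enabled, and why removing SSL 3.0 outright, as Mozilla did, closes the path regardless of fallback policy.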

Microsoft’s initial reaction was to declare it was “working to disable fallback to SSL 3.0 in IE, and disable SSL 3.0 by default in IE, and across Microsoft online services, over the coming months.” That was on October 29, and the message is largely the same today, on December 9. Today’s announcement underlines how slow Microsoft’s reaction is compared to competitors.


As promised, Google removed fallback to SSL 3.0 already with the release of Chrome 39 on November 18 and is on track to remove SSL 3.0 support completely with the release of Chrome 40 next month.

Mozilla has been even faster. The organization decided, on the same day as the flaw was announced, to disable SSL 3.0 by default; the company didn’t even mess around with fallback to SSL 3.0. It then delivered on its plan with the release of Firefox 34 on December 1.

Thanks to an update released today, IE users have the option to block SSL 3.0 fallback in IE11, and enterprise customers can configure this behavior via Group Policy. Yet most users won’t do this, and so the wait continues for default changes.

We understand Microsoft has enterprise customers it needs to support. But when it comes to security, the company needs to move faster: SSL 3.0 should be scrapped completely, and long before February 10.
