IE6 holdouts beware: Twitter and others kill SSL 3.0 support after “Poodle” bug discovery


Credit: Javier Aroche / Flickr

Support for the 15-year-old SSL 3.0 – an industry-standard web encryption protocol that has long been supplanted by TLS – is set to plummet in the wake of the discovery of the so-called Poodle bug. This means that users of old browsers, notably Internet Explorer 6 (yes, they still exist) have yet another reason to upgrade.

As my colleague Jonathan Vanian reported on Tuesday, the bug was named and detailed by [company]Google[/company] researchers. It lets attackers figure out what’s being sent over encrypted connections, in plaintext, under certain conditions.

As Robert Graham at Errata Security pointed out, this would need to be a man-in-the-middle attack, so those using public Wi-Fi hotspots are in particular danger — as for those surfing at home, the attackers would need to be able to tap the internet’s backbone, NSA-style – and there are various other requirements.

The short story, though, is that web services now have to stop falling back to SSL 3.0 when the superior TLS isn’t playing nice.

According to Microsoft’s own “Counting down to the end of Internet Explorer 6” page, the venerable browser is used by less than one percent of internet users in most countries, with one glaring exception: China, where 11 percent of internet users are still on it. Not coincidentally, an estimated 200 million Chinese PCs are still on XP.

Here’s the run-down on the Poodle reaction so far from web services:

  • Google intends to remove SSL 3.0 fallback support from its clients, such as Chrome.
  • Slack and Twitter no longer support SSL 3.0.
  • Mozilla will kill Firefox’s support for SSL 3.0 in version 34, due November 25.
  • Tor, designed to aid online anonymity, does not in itself support SSL 3.0, but its Firefox-based browser does and will also need updating. The post I linked to there gives instructions on disabling SSL 3.0 manually.

This article was corrected at 4.15am PT to note — it previously said IE6 did not support TLS at all, whereas it only has support turned off by default.

Comments are closed.