Apple dumps SSL 3.0 for push notifications due to Poodle flaw
Apple will switch to the TLS encryption standard after disclosure of vulnerability that could expose encrypted data.
Steven MusilNight Editor / News
Steven Musil is the night news editor at CNET News. He's been hooked on tech since learning BASIC in the late '70s. When not cleaning up after his daughter and son, Steven can be found pedaling around the San Francisco Bay Area. Before joining CNET in 2000, Steven spent 10 years at various Bay Area newspapers.
ExpertiseI have more than 30 years' experience in journalism in the heart of the Silicon Valley.
Apple said Wednesday it will stop supporting the encryption standard Secure Sockets Layer 3.0 for its push notifications service in response to a vulnerability identified earlier this month in the aging protocol.
"Providers using only SSL 3.0 will need to support TLS as soon as possible to ensure the Apple Push Notification service continues to perform as expected," Apple said in its bulletin. "Providers that support both TLS and SSL 3.0 will not be affected and require no changes."
To help developers test compatibility, Apple said it has already disabled SSL 3.0 in the development environment on its Provider Communication interface.
Poodle, which stands for Padding Oracle On Downgraded Legacy Encryption (PDF), is a problem because it's used by both websites and Web browsers. Both must be reconfigured to prevent using SSL 3.0, and Poodle will remain a problem as long as SSL 3.0 is supported.
Once the most advanced form of Web encryption in use, the 15-year-old SSL 3.0 is used by few websites anymore, according to a study by the University of Michigan. However, Poodle still poses a threat because attackers can force browsers to downgrade to SSL 3.0.
Mozilla plans to disable SSL 3.0 in Firefox 34, the next version of the open-source browser. It's currently in beta testing, with a release planned for the end of November. Mozilla has been testing the change in its Aurora version of Firefox, the precursor to the beta version, and so far, "There has been much less screaming about this than I anticipated," said Mozilla's Martin Thomson on Wednesday, discussing the change on Mozilla's bug-tracker. Complaints would come from people who couldn't use Web sites that required SSL 3.0.
CNET News staff writer Stephen Shankland contributed to this report.