On Wednesday, October 22nd, Apple announced on its developer website that they will be removing support for SSL 3.0 on its Push Notification Server in favor of Transport Layer Security (TLS). This is due to a vulnerability known as Padding Oracle On Downgraded Legacy Encryption (POODLE).
Earlier this month, the POODLE vulnerability in SSL 3.0 was discovered by Google Researchers. This exploit introduces false errors when using TLS, forcing secure connections to downgrade to SSL 3.0. This allows unsavory characters to take advantage of a design flaw in SSL 3.0 and skim sensitive data from users’ computers. Even though SSL 3.0 has been succeeded by multiple versions of TLS, it still remains supported by most browsers as a backup protocol when attempting to connect to HTTPS Servers. While it was only a backup protocol, the researchers noted that an attacker can cause failures to happen and trigger the use of SSL 3.0. Therefore, exploiting the weakness.
In order to prevent the issue, Apple has disabled support for SSL 3.0. They issued a statement on the Provider Communication interface available to developers stating, “Providers using only SSL 3.0 will need to support TLS as soon as possible to ensure the Apple Push Notification service continues to perform as expected. Providers that support both TLS and SSL 3.0 will not be affected and require no changes.”
The switch is scheduled to happen on October 29th.
Image credit: The Whir