Design Vulnerability Has Been Found In SSL 3.0


Google has disclosed a “vulnerability in the design of SSL version 3.0”.

The flaw allows the plaintext of secure connections “to be calculated by a network attacker.” It was discovered by Google’s Bodo Möller, together with fellow Googlers Thai Duong and Krzysztof Kotowicz.

This is not the first time SSL (the protocol the Internet relies on for encrypted connections) has had problems this year. Earlier this year a bug in the OpenSSL library known as Heartbleed was publicly revealed. Unlike Heartbleed, which was an implementation bug in a single library, the new issue is a flaw in the protocol itself. It affects SSL version 3.0, which Google notes is nearly 15 years old. SSL 3.0 has since been superseded by TLS 1.0, TLS 1.1 and TLS 1.2, but the discovery is still a concern because nearly all TLS implementations remain backward compatible with SSL 3.0.

Most web browsers still support SSL 3.0, and will fall back to it when a handshake with a newer version fails, whether because a server is genuinely broken or because a network attacker deliberately interferes with the handshake to trigger the downgrade.

Google says that disabling SSL 3.0 support, on either the client or the server, is enough to mitigate the issue. However, doing so can cause compatibility problems with legacy systems. Therefore, the company has announced support for TLS_FALLBACK_SCSV, a signalling mechanism that lets a server detect when a client is retrying a failed connection at a lower protocol version than it could otherwise speak, and refuse the downgrade; an attacker can then no longer force a connection down to SSL 3.0. Both client and server must support it for the protection to apply. Chrome has supported TLS_FALLBACK_SCSV since February, and Google will begin testing changes that disable fallback to SSL 3.0 in Chrome. In the coming months, Google expects to remove support for SSL 3.0 from all of its products.
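To make the fallback dance concrete, here is an added simulation (not Google's or Chrome's code, and not a real TLS implementation) of how a browser steps down through protocol versions, how a network attacker who drops the first handshake attempts forces it onto SSL 3.0, and how a server that understands TLS_FALLBACK_SCSV turns that downgrade into a fatal alert while still letting a genuinely old SSL 3.0-only server connect. The version tuples, the SCSV value 0x5600 and the `inappropriate_fallback` alert name follow RFC 7507; the `TlsServer` class, the `negotiate` function and the `attacker_floor` parameter are constructs of this example.

```python
"""Simulation of TLS protocol-version fallback with and without TLS_FALLBACK_SCSV.
Models handshake decisions only; no TLS records are produced."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Version = Tuple[int, int]

# Wire encodings of the protocol versions discussed in the article.
SSL30: Version = (3, 0)
TLS10: Version = (3, 1)
TLS11: Version = (3, 2)
TLS12: Version = (3, 3)

# Signalling Cipher Suite Value from RFC 7507. It is not a usable cipher suite;
# a client appends it to its cipher list only when retrying a handshake at a
# lower version than it actually supports.
TLS_FALLBACK_SCSV = 0x5600
AES128_SHA = 0x002F  # an ordinary suite so the offered list is never empty


@dataclass
class ClientHello:
    version: Version
    cipher_suites: List[int]


@dataclass
class TlsServer:
    """Hypothetical server model (constructed for this example)."""
    max_version: Version      # highest version the server can speak
    supports_scsv: bool       # whether it recognises TLS_FALLBACK_SCSV
    intolerant: bool = False  # buggy server that drops hellos above max_version

    def respond(self, hello: ClientHello) -> Tuple[Optional[Version], Optional[str]]:
        """Return (negotiated_version, alert). A dropped handshake is (None, None)."""
        if self.intolerant and hello.version > self.max_version:
            return None, None  # to the client this looks like a network failure
        if (self.supports_scsv and TLS_FALLBACK_SCSV in hello.cipher_suites
                and hello.version < self.max_version):
            # The client is retrying below a version we both support, so the
            # earlier attempt must have been interfered with. Refuse to downgrade.
            return None, "inappropriate_fallback"
        return min(hello.version, self.max_version), None


def negotiate(client_versions, server, send_scsv, attacker_floor=None):
    """Client side of the fallback dance.

    attacker_floor: a network attacker drops every ClientHello whose version is
    above this value, forcing the client to retry lower (None = no attacker).
    Returns (negotiated_version or None, transcript of the attempts).
    """
    transcript = []
    for attempt, version in enumerate(sorted(client_versions, reverse=True)):
        suites = [AES128_SHA]
        if send_scsv and attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)  # mark this as a retry at reduced version
        hello = ClientHello(version, suites)
        if attacker_floor is not None and version > attacker_floor:
            transcript.append(f"ClientHello {version}: dropped by attacker, retrying lower")
            continue
        negotiated, alert = server.respond(hello)
        if alert == "inappropriate_fallback":
            transcript.append(f"ClientHello {version}: server alert {alert}, giving up")
            return None, transcript  # fatal alert: do not keep stepping down
        if negotiated is None:
            transcript.append(f"ClientHello {version}: handshake failed, retrying lower")
            continue
        transcript.append(f"ClientHello {version}: negotiated {negotiated}")
        return negotiated, transcript
    transcript.append("no version left to try")
    return None, transcript


CLIENT_VERSIONS = [SSL30, TLS10, TLS11, TLS12]  # what a 2014 browser offers

if __name__ == "__main__":
    scenarios = {
        "no attacker, modern server": (TlsServer(TLS12, True), True, None),
        "attacker, neither side uses SCSV": (TlsServer(TLS12, False), False, SSL30),
        "attacker, client sends SCSV, server ignores it": (TlsServer(TLS12, False), True, SSL30),
        "attacker, both sides use SCSV": (TlsServer(TLS12, True), True, SSL30),
        "legacy SSL3-only intolerant server, SCSV client": (TlsServer(SSL30, True, True), True, None),
    }
    for name, (server, scsv, floor) in scenarios.items():
        result, log = negotiate(CLIENT_VERSIONS, server, scsv, floor)
        print(f"== {name}: result {result}")
        for line in log:
            print("   ", line)
```

The last two scenarios carry the article's point: the signalling suite stops an attacker from forcing SSL 3.0 only when the server also checks for it, and it costs nothing against a server that really cannot speak anything newer, which is why Google prefers it over dropping SSL 3.0 outright while legacy systems remain.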

On The Bright Side

Although the problem Google has described looks severe, the good news is that on the client side it can be mitigated simply by upgrading to a current version of the web browser. In the case of Google Chrome, Mozilla Firefox and Opera, the browsers update themselves automatically, so users get the fix quickly.

For websites that would break if SSL 3.0 support were dropped, the onus is on the site maintainers to bring their servers up to modern TLS standards immediately; disabling SSL 3.0 on the server side protects every visitor, whatever browser they use.