Microsoft is planning to disable support for the weak SSLv3 protocol in Internet Explorer at some undetermined point in the future, and also will remove support for it in the company’s online services soon.
The security and utility of SSLv3 has been an issue for a long time, but it came into sharper focus earlier this month when researchers at Google released details of a new attack known as POODLE that enables an attacker to decrypt protected content under certain circumstances. If an attacker has control of a target’s Internet connection and can force the victim to run some Javascript in her browser, then he can eventually decrypt the content of a session protected by SSLv3. To do so, the attacker needs to be able to force a connection using the outdated protocol, and that can be done by forcing a failed secure connection between a server and client, which will trigger the server to try and renegotiate the secure connection using a different protocol.
SSLv3 is nearly 15 years old and experts have considered it to be a security risk for a long time and have recommended that site operators use newer alternatives such as TLS 1.2. But there are plenty of sites that still support SSLv3 and IE 6, an artifact of a browser, doesn’t support any transport layer security protocols newer than SSLv3 by default. Microsoft officials said the company is planning to remove the ability for IE to fall back to SSLv3 and eventually will disable the protocol by default altogether.
“We are committed to helping protect our customers and providing the best possible encryption to protect their data. To do this, we’re working to disable fallback to SSL 3.0 in IE, and disable SSL 3.0 by default in IE, and across Microsoft online services, over the coming months,” Tracey Pretorius of the MSRC said in a blog post.
“Millions of people and thousands of organizations around the world rely on our products and services every day, and while the number of systems that rely on SSL 3.0 exclusively is very small, we recognize that, particularly for enterprises, disabling the protocol may cause some impact. That’s why we’re taking a planned approach to this issue and providing customers with advance notice.”
Microsoft also is providing a FixIt tool that allows users to disable SSLv3 support in any supported version of IE.
