Google said that it will initiate on June 16 a gradual deprecation of SSLv3 and RC4 for Gmail IMAP/POP mail clients.
Both the protocol and the cipher are notoriously unsafe and are being phased out across large parts of the Internet. Google, for its part, had already announced in May that it would no longer support SSLv3 and RC4 connections for Gmail SMTP.
“Unlike Gmail SMTP, this change will be rolled out as a gradual change, where it may take longer than 30 days for users to be fully restricted from connecting to Gmail from SSLv3 or RC4 connections; however, we recommend updating your clients soon in order to avoid any potential disruption,” Google said this week in an announcement.
Google does note that most mail clients already default to safer TLS connections, and most will not be affected by the impending changes.
Those that do make insecure connections should expect to see errors starting next Thursday. Google recommends upgrading to clients that support TLS 1.2, include a Server Name Indication (SNI) in the handshake, and trust, at a minimum, the certificates in Google’s root certificate list. Google published a complete list of recommendations in September 2015.
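As an added example (not code from the original article or from Google), the Python below builds a mail-client TLS context that meets those three recommendations and checks a negotiated IMAP session against them; the `cafile` argument and the `probe_imap` helper are assumptions for illustration.

```python
import ssl
import imaplib

# Protocol versions being retired for Gmail IMAP/POP (plus older ones).
LEGACY_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def gmail_mail_context(cafile=None):
    """Client context matching the article's baseline: TLS 1.2 or newer,
    SNI in the handshake, and a trusted root store. `cafile` is an
    assumed path to a PEM bundle (e.g. Google's published root list);
    None falls back to the operating system trust store."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH,
                                     cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0/1.1
    ctx.check_hostname = True                      # hostname check; Python sends SNI
    ctx.verify_mode = ssl.CERT_REQUIRED
    # Forward-secret AEAD suites only; RC4 and other legacy families excluded.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!RC4:!aNULL:!MD5")
    return ctx


def context_meets_baseline(ctx):
    """Audit an existing SSLContext against the same baseline."""
    no_rc4 = all("RC4" not in c["name"].upper() for c in ctx.get_ciphers())
    return (ctx.minimum_version >= ssl.TLSVersion.TLSv1_2
            and ctx.check_hostname
            and ctx.verify_mode == ssl.CERT_REQUIRED
            and no_rc4)


def session_is_acceptable(version, cipher_name):
    """Judge a negotiated session as reported by SSLSocket.version()
    and SSLSocket.cipher()[0]: no legacy protocol, no RC4 suite."""
    return version not in LEGACY_VERSIONS and "RC4" not in cipher_name.upper()


def probe_imap(host="imap.gmail.com", port=993, cafile=None):
    """Open an IMAPS connection and return (protocol version, cipher name).
    Raises ssl.SSLError if the server only offers SSLv3 or RC4."""
    conn = imaplib.IMAP4_SSL(host, port, ssl_context=gmail_mail_context(cafile))
    try:
        sock = conn.socket()
        return sock.version(), sock.cipher()[0]
    finally:
        conn.logout()


if __name__ == "__main__":
    version, cipher = probe_imap()
    verdict = "OK" if session_is_acceptable(version, cipher) else "LEGACY"
    print(version, cipher, verdict)
```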
RC4 is long in the tooth, 30 years old, and academics and hackers have been finding weak spots in the cipher for years. At last summer’s USENIX Security Symposium, researchers from Belgium’s University of Leuven disclosed new attacks against RC4 that allow attackers to capture and decrypt cookies quicker than ever before.
The paper, “All Your Biases Belong To Us: Breaking RC4 in WPA-TKIP and TLS,” written by Mathy Vanhoef and Frank Piessens, describes newly discovered biases in the algorithm that led to attacks breaking encryption on websites running TLS with RC4 in order to recover cookies, as well as attacks on WPA-TKIP, the Wi-Fi Protected Access Temporal Key Integrity Protocol.
Their research dramatically improves on prior work in this area, allowing them to decrypt a cookie inside of 75 hours, making the attacks practical, they said. Against real devices, they said they were able to trim attacks down to 52 hours. The researchers said that in order to pull off an attack, a number of encrypted cookies must be captured from the TLS stream and converted into likely cookie values that are brute-forced until the right one is found.
Attacks such as POODLE and BEAST have shed a harsh light on the insecurity of SSLv3. In both instances, attackers were able to force a fallback to the weaker protocol, making it easier for them to decrypt traffic secured by SSLv3. With the POODLE attacks, hackers could force a connection failure so that the server fell back to SSLv3, and then execute the attack.
Browser makers moved quickly to remove SSLv3 support, within weeks of the POODLE disclosure in particular.