Microsoft is planning to disable support for the weak SSLv3 protocol in Internet Explorer at some undetermined point in the future, and will also remove support for it from the company’s online services soon.
SSLv3 is nearly 15 years old, and experts have long considered it a security risk and recommended that site operators use newer alternatives such as TLS 1.2. But plenty of sites still support SSLv3, and IE 6, an artifact of a browser, doesn’t support any transport layer security protocols newer than SSLv3 by default. Microsoft officials said the company plans to remove the ability for IE to fall back to SSLv3 and will eventually disable the protocol by default altogether.
“We are committed to helping protect our customers and providing the best possible encryption to protect their data. To do this, we’re working to disable fallback to SSL 3.0 in IE, and disable SSL 3.0 by default in IE, and across Microsoft online services, over the coming months,” Tracey Pretorius of the MSRC said in a blog post.
“Millions of people and thousands of organizations around the world rely on our products and services every day, and while the number of systems that rely on SSL 3.0 exclusively is very small, we recognize that, particularly for enterprises, disabling the protocol may cause some impact. That’s why we’re taking a planned approach to this issue and providing customers with advance notice.”
Microsoft is also providing a FixIt tool that allows users to disable SSLv3 support in any supported version of IE.