AppleInsider Staff
In response to a recently discovered vulnerability with SSL version 3.0, Apple on Wednesday announced through its developer website that it will be removing support for the protocol on its Apple Push Notification server.
Apple will be switching off SSL 3.0 support in favor of the more secure transport layer security (TSL) protocol on Wednesday, Oct. 29, noting developers will have to build in support by that time to ensure uninterrupted push notification service continues.
Apps currently using both SSL 3.0 and TLS will not be affected by the change, but those using just SSL 3.0 will need to be updated.
Apple has disabled SSL 3.0 on the Provider Communication interface in the developer environment, offering developers a way to check their apps for compatibility. More information is available through Apple's Developer Portal.
Earlier this month, a vulnerability in the secure socket layer (SSL) version 3.0 was discovered by Google researchers, reports Computerworld. Called POODLE (Padding Oracle On Downgraded Legacy Encryption), the discovered exploit introduces false errors when using TSL, forcing secure connections to downgrade back to the aging SSL 3.0 protocol. Nefarious users can then take advantage of a design flaw in SSL 3.0 to skim sensitive data from users' computers.
Apple subsequently rolled out workarounds protecting against possible attacks in the latest OS X Yosemite and iOS 8 software updates, as well as a security update for OS X Mavericks and Mountain Lion.
Andrew Orr
Christine McKee
Sponsored Content
Wesley Hilliard
Amber Neely
21 Comments
Transport Layer Security [B](TSL)[/B]? That's gotta be 1.0...
In before somebody complains about app updates: I believe this is only for the interface between the servers sending the push message to Apple's servers. In the worst case, the developers can implement a proxy in front of their servers.
Apple seem to react pretty quickly to these things. Very impressive. On a side note: It's a shame POODLE is taken, it would have been a great name for the next version of Assdroid. They surely can't keep using 9 year old's favorite snacks can they? Then again, rat might be more succinct ...
[quote name="digitalclips" url="/t/182996/apple-to-drop-ssl-3-0-support-for-push-notifications-on-oct-29-due-to-poodle-vulnerability#post_2625608"]Apple seem to react pretty quickly to these things. Very impressive. On a side note: It's a shame POODLE is taken, it would have been a great name for the next version of Assdroid. They surely can't keep using 9 year old's favorite snacks can they? Then again, rat might be more succinct ...[/quote] Since you couldn't resist a 'but...but...but Android" mention isn't it great that the "Assdroid" creator discovered this and advised Apple of the details so they could put a fix in place? Wouldn't be surprising that Apple thanked them. None of these techs could exist in a vacuum.
[quote name="Gatorguy" url="/t/182996/apple-to-drop-ssl-3-0-support-for-push-notifications-on-oct-29-due-to-poodle-vulnerability#post_2625615"] Since you couldn't resist [/quote] Can you suggest a good Android fan site that I can spend half of my life on reading and posting intellectually stunning anti-Google comments and pro Apple arguments ... Oh wait, don't bother, i have a life.