Apple to drop SSL 3.0 support for push notifications on Oct. 29 due to POODLE vulnerability

In response to a recently discovered vulnerability with SSL version 3.0, Apple on Wednesday announced through its developer website that it will be removing support for the protocol on its Apple Push Notification server.
Apple will be switching off SSL 3.0 support in favor of the more secure Transport Layer Security (TLS) protocol on Wednesday, Oct. 29, noting that developers will have to build in TLS support by that time to ensure push notification service continues uninterrupted.
Apps currently using both SSL 3.0 and TLS will not be affected by the change, but those using just SSL 3.0 will need to be updated.
Apple has disabled SSL 3.0 on the Provider Communication interface in the developer environment, offering developers a way to check their apps for compatibility. More information is available through Apple's Developer Portal.
Earlier this month, a vulnerability in Secure Sockets Layer (SSL) version 3.0 was discovered by Google researchers, reports Computerworld. Called POODLE (Padding Oracle On Downgraded Legacy Encryption), the exploit introduces false errors into TLS connections, forcing secure connections to downgrade back to the aging SSL 3.0 protocol. Nefarious users can then take advantage of a design flaw in SSL 3.0 to skim sensitive data from users' computers.
Apple subsequently rolled out workarounds protecting against possible attacks in the latest OS X Yosemite and iOS 8 software updates, as well as a security update for OS X Mavericks and Mountain Lion.