Apple announces end to SSL 3.0 notifications on October 29th in wake of POODLE vulnerability

Date: Thursday, October 23rd, 2014, 08:05
Category: iOS, News, security, Software


Sometimes you’ve got to drop back and punt.

Per the Apple developer web site and AppleInsider, Apple announced on Wednesday that it will be removing support for the SSL 3.0 protocol on its Apple Push Notification server.

Apple will switch off SSL 3.0 support in favor of the more secure Transport Layer Security (TLS) protocol on Wednesday, Oct. 29, noting that developers will have to build in TLS support by that time to keep push notification service uninterrupted.

Apps currently using both SSL 3.0 and TLS will not be affected by the change, but those using just SSL 3.0 will need to be updated.

Apple has disabled SSL 3.0 on the Provider Communication interface in the developer environment, offering developers a way to check their apps for compatibility. More information is available through Apple’s Developer Portal.
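A provider can also check what its own client offers before testing against Apple's developer environment. The sketch below is an added example, not Apple's code: it reads the version field of a ClientHello and reports whether the client offers anything newer than SSL 3.0. The function names are hypothetical, the sample messages are constructed, and it assumes a pre-TLS 1.3 handshake where `client_version` is the highest version offered.

```python
import struct

NAMES = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

def build_client_hello(record_ver, client_ver):
    """Constructed sample input: a minimal ClientHello with one cipher suite."""
    body = bytes(client_ver) + bytes(32)   # client_version + 32-byte random
    body += b"\x00"                        # empty session_id
    body += b"\x00\x02\x00\x2f"            # one suite: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                    # null compression only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(record_ver) + struct.pack("!H", len(handshake)) + handshake

def offered_version(record):
    """Highest version the client offers (ClientHello.client_version)."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, major, _minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != 0x16 or major != 3:
        raise ValueError("not an SSL/TLS handshake record")
    hs = record[5:5 + length]
    if len(hs) != length or len(hs) < 6:
        raise ValueError("truncated handshake")
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    # The record-layer version (bytes 1-2 of the record) is often 3.0 even
    # for TLS clients, so only the handshake's client_version is trusted.
    return (hs[4], hs[5])

def works_after_cutoff(record):
    """True if the client offers TLS 1.0 or later."""
    return offered_version(record) >= (3, 1)

def describe(record):
    v = offered_version(record)
    status = "OK" if works_after_cutoff(record) else "needs update"
    return f"{NAMES.get(v, 'unknown %d.%d' % v)}: {status}"

if __name__ == "__main__":
    for rec_v, cli_v in [((3, 0), (3, 0)), ((3, 0), (3, 3)), ((3, 1), (3, 1))]:
        print(describe(build_client_hello(rec_v, cli_v)))
```

The second sample carries a record-layer version of 3.0 but offers TLS 1.2, which is why the check reads the handshake field rather than the record header.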

Earlier this month, Google researchers disclosed a vulnerability in version 3.0 of the Secure Sockets Layer (SSL) protocol. Called POODLE (Padding Oracle On Downgraded Legacy Encryption), the exploit introduces false errors when using TLS, forcing secure connections to downgrade to the aging SSL 3.0 protocol. Nefarious users can then take advantage of a design flaw in SSL 3.0 to skim sensitive data from users’ computers.

Apple subsequently rolled out workarounds protecting against possible attacks in the latest OS X Yosemite and iOS 8 software updates, as well as a security update for OS X Mavericks and Mountain Lion.

It’s interesting to see them drop support for an entire protocol, but this might be what’s needed to bring in a new level of security.

Stay tuned for additional details as they become available.

One Response to “Apple announces end to SSL 3.0 notifications on October 29th in wake of POODLE vulnerability”

  1. RT @PowerPage: Apple announces end to SSL 3.0 support on October 29th in wake of POODLE vulnerability