Sergey Nivens - Fotolia

Google wants sites to disable SSLv3 to boost Web security

Google is trying to drag Web security into 2008 by asking sites to disable SSLv3 and RC4, and setting a minimum transfer security protocol of TLS 1.2.

Google says it is finally time to put away old web security protocols for good. Specifically, Google plans to disable support for the transport layer security protocol SSLv3 and for the RC4 stream cipher in their front-end servers and, eventually, in all their software offerings including Chrome, Android, email servers and web crawlers. Both RC4 and SSLv3 have been deemed unsafe for use by the Internet Engineering Task Force (IETF).

Google noted in a blog post that SSLv3 has been "obsolete" for 16 years, and while RC4 hasn't had the same security issues, it has been the subject of attack research recently. Due to concerns about its strength, the IETF actually banned RC4 from use in TLS in February 2015. SSLv3 has a history of security issues and most recently was disabled by many because of POODLE attacks.

Google thinks too many sites and browser clients still support the vulnerable protocols. According to an SSL Pulse survey cited in the blog post, of the top 200,000 HTTPS sites, 58% still have RC4 enabled and 65% of sites have SSLv3 enabled.

According to Dr. Chase Cunningham, threat intelligence lead for Armor (formerly known as FireHost), sites that have not disabled SSLv3 are at risk for various attacks.

"Each site that left that old SSL running would be open to man-in-the-middle and downgrade type attacks, therefore anyone who visited that site could be open to compromise or traffic interception," Cunningham said. "Not good for the company that owns the site to be noted for that type of thing."

Google said it will slowly be disabling SSLv3 and RC4 support on its front-end servers and will eventually disable support across all of its products, including the Chrome browser. Though, Google does note that unless your servers depend on one of these protocols, a TLS client should be able to automatically adjust to the changes.

Instead, Google is setting the minimum security requirement of TLS 1.2 along rules for server identification, cipher suites, trusted certificates and certificate handling. In order to make the transition easier, Google has set up a testing tool.

Cunningham said the changes that Google is asking for are not onerous at all, and should be relatively easy to implement for individual organizations, but overall could make a big difference.

"Our organization did the entire transition in a weekend.  Any organization with a decent IT department should be able to do this in a short amount of time," Cunningham said. "This is a large undertaking so at least moving up the chain from the old standard is a start. It's a small step in the right direction, but a solid one."

Next Steps

Learn about making a migration plan from SSL to TLS 1.2 for PCI DSS 3.1

Dig Deeper on Web security tools and best practices