SSL is dead, long live TLS!

With today’s widespread announcement of the POODLE attack (Padding Oracle On Downgraded Legacy Encryption), it is apparent that SSL 3.0 is dead. The POODLE attack allows a slow but significant leak of sensitive data, which effectively makes the last remaining safe ciphers for SSL insecure.

For reference, there are SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2. “TLS” came about when the IETF took over the specification. SSL v1 and v2 were already considered insecure, and there were only a few remaining safe ciphers for SSL v3. So SSL was already on its last legs, and in security circles it was generally expected that something like this would happen: a single issue would be discovered that would eliminate the last remaining safe uses for SSL.

Because the SSL issue is a “downgrade” attack, keeping SSL turned on — even for legacy clients that don’t support TLS — poses a security risk to connections using TLS as well. More technical details can be found in this great PDF by Google. For this reason we’ve turned SSL off entirely on all infrastructure we manage (and so will the rest of the Internet). Firefox and Chrome have announced that they will be eliminating support for SSL in future versions.
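As an added example (not part of the original post), here is a small check for confirming that SSL 3.0 is actually off in web server configuration. The nginx `ssl_protocols` and Apache `SSLProtocol` directives are real; the function names and sample configs are constructed, and the meaning of Apache's `all` (SSLv3 plus TLS 1.0 to 1.2) and the "bare token replaces the set" rule are simplifying assumptions.

```python
# Assumption: what "all" expands to on an Apache build that still ships SSLv3.
ALL = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}

def _directives(conf, name):
    """Yield the argument list of every `name` directive, ignoring # comments."""
    for raw in conf.splitlines():
        parts = raw.split("#", 1)[0].strip().rstrip(";").split()
        if parts and parts[0].lower() == name.lower():
            yield parts[1:]

def nginx_sslv3(conf):
    """True/False from ssl_protocols; None if absent (the build default applies)."""
    found = list(_directives(conf, "ssl_protocols"))
    if not found:
        return None
    return any("sslv3" in (a.lower() for a in args) for args in found)

def apache_sslv3(conf):
    """True/False from SSLProtocol; None if absent (the build default applies)."""
    found = list(_directives(conf, "SSLProtocol"))
    if not found:
        return None
    flagged = False
    for args in found:
        enabled = set()
        for tok in args:
            sign, proto = (tok[0], tok[1:]) if tok[0] in "+-" else ("", tok)
            if proto.lower() == "all":
                group = set(ALL)
            else:
                group = {p for p in ALL if p.lower() == proto.lower()}
            if sign == "-":
                enabled -= group
            elif sign == "+":
                enabled |= group
            else:
                enabled = set(group)  # simplification: bare token replaces the set
        flagged = flagged or "SSLv3" in enabled
    return flagged

# Constructed sample configs: the weak setting beside the corrected one.
NGINX_WEAK = "server {\n  listen 443 ssl;\n  ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;\n}\n"
NGINX_FIXED = "server {\n  listen 443 ssl;\n  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n}\n"
APACHE_WEAK = "SSLEngine on\nSSLProtocol all -SSLv2\n"
APACHE_FIXED = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"

if __name__ == "__main__":
    for label, fn, conf in [("nginx weak", nginx_sslv3, NGINX_WEAK), ("nginx fixed", nginx_sslv3, NGINX_FIXED),
                            ("apache weak", apache_sslv3, APACHE_WEAK), ("apache fixed", apache_sslv3, APACHE_FIXED)]:
        print(label, "-> SSLv3 enabled:", fn(conf))
```

A `None` result means no explicit directive was found, so whether SSL 3.0 is offered depends on the server build's default and should be checked separately.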

The Best Casualty: Internet Explorer 6

The good news is that TLS is already widely deployed and even moderately up-to-date systems will not notice the loss of SSL support. With one exception:

IE6, widely loathed by web developers for its idiosyncrasies, is a browser that would simply not go away soon enough. Since IE6 does not support TLS, this effectively renders the browser broken and soon to be useless: once sites finish disabling SSL v3 (which is happening right now), IE6 will no longer be able to connect to HTTPS URLs at all.