Microsoft today announced it will disable IE11’s fallback to version 3 of the SSL protocol two months from now: on February 10, 2015. Yet the company still has no date for removing SSL 3.0 completely from IE.
The race to kill off support for this version of the protocol comes after Google disclosed a serious security vulnerability in SSL 3.0 on October 14, the attack it dubbed Padding Oracle On Downgraded Legacy Encryption (POODLE). Fallback to SSL 3.0 exists to support buggy HTTPS servers that break the handshake when offered a newer protocol version.
When a browser connects to an HTTPS website, it first offers the highest protocol version it supports; if the handshake fails, it retries the connection with the next lower version, and so on. That chain eventually ends at SSL 3.0, which, as already mentioned, is vulnerable to exploit. Because the retry is triggered by nothing more than a failed connection, an attacker on the network can force the downgrade by killing the newer handshakes, which is why fallback matters even for servers that support TLS.
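The following is an added illustration, not part of the original article and not Microsoft, Mozilla or Google code: a small Python model of the fallback behaviour described above. It is a toy (only the offered protocol version is modelled, no cryptography), and its version strings, server types and attacker are assumptions made for the example. It shows the legitimate fallback to a version-intolerant server, the downgrade an active attacker forces against a perfectly good server, and three ways of stopping it: dropping SSL 3.0 from the list entirely (Mozilla's approach), refusing to fall back at all (Microsoft's approach, which also breaks the buggy servers), and the TLS_FALLBACK_SCSV signal from RFC 7507, modelled here in simplified form.

```python
"""Added toy model (not real TLS) of the browser version-fallback "dance",
the downgrade an active attacker can force through it, and three fixes:
dropping SSL 3.0 entirely, refusing to fall back at all, and TLS_FALLBACK_SCSV
(RFC 7507). Only the handshake *version* is modelled; there is no cryptography."""
from dataclasses import dataclass
from typing import List, Optional

# Highest first; a lower index means a newer version (assumed names for the model).
VERSIONS = ["TLS1.2", "TLS1.1", "TLS1.0", "SSL3.0"]
FALLBACK_SCSV = "TLS_FALLBACK_SCSV"   # RFC 7507 signalling cipher suite value
DROP, ALERT = "DROP", "ALERT:inappropriate_fallback"


def newer(a: str, b: str) -> bool:
    """True if version a is newer than version b."""
    return VERSIONS.index(a) < VERSIONS.index(b)


@dataclass
class Server:
    max_version: str
    intolerant: bool = False      # buggy: dies if offered a version above max_version
    honours_scsv: bool = False    # implements RFC 7507

    def handshake(self, version: str, ciphers: List[str]) -> str:
        """Return the negotiated version, DROP (silent failure) or a fatal ALERT."""
        if newer(version, self.max_version):
            # A correct server negotiates its own maximum inside the handshake;
            # a version-intolerant one simply breaks the connection.
            return DROP if self.intolerant else self.max_version
        if self.honours_scsv and FALLBACK_SCSV in ciphers and newer(self.max_version, version):
            # The client is retrying below what we support: a downgrade we did not
            # cause, so abort with a fatal alert instead of accepting it.
            return ALERT
        return version


@dataclass
class Attacker:
    """Active attacker who cannot read TLS but can kill connections. Kills every
    handshake offering a version newer than the one he wants the client to use."""
    force_to: str

    def kills(self, version: str) -> bool:
        return newer(version, self.force_to)


def connect(server: Server, versions: List[str], use_scsv: bool = False,
            attacker: Optional[Attacker] = None) -> Optional[str]:
    """Client side: offer each version in turn, retrying lower on silent failure.
    Returns the negotiated version, or None if no connection was made."""
    for attempt, version in enumerate(versions):
        if attacker and attacker.kills(version):
            continue                               # looks like a network failure to the client
        ciphers = ["AES128-SHA"]
        if use_scsv and attempt > 0:
            ciphers.append(FALLBACK_SCSV)          # only a *retry* carries the SCSV
        result = server.handshake(version, ciphers)
        if result == DROP:
            continue                               # fall back and try the next version
        if result == ALERT:
            return None                            # fatal alert: give up, do not retry lower
        return result
    return None


def scenarios() -> dict:
    """Constructed scenarios; keys name the situation, values the negotiated version."""
    buggy = Server("TLS1.0", intolerant=True)                # why fallback exists
    good = Server("TLS1.2")
    good_scsv = Server("TLS1.2", honours_scsv=True)
    mitm = Attacker(force_to="SSL3.0")
    no_ssl3 = VERSIONS[:-1]                                   # SSL 3.0 removed from the client
    return {
        "legit_fallback_to_buggy_server": connect(buggy, VERSIONS),
        "attacker_forces_ssl3":           connect(good, VERSIONS, attacker=mitm),
        "ssl3_removed_fails_closed":      connect(good, no_ssl3, attacker=mitm),
        "no_fallback_at_all":             connect(good, VERSIONS[:1], attacker=mitm),
        "no_fallback_breaks_buggy":       connect(buggy, VERSIONS[:1]),
        "scsv_blocks_downgrade":          connect(good_scsv, VERSIONS, use_scsv=True, attacker=mitm),
        "scsv_keeps_legit_fallback":      connect(Server("TLS1.0", intolerant=True, honours_scsv=True),
                                                  VERSIONS, use_scsv=True),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:32} -> {outcome}")
```

The two outcomes worth comparing are "attacker_forces_ssl3", where a server that speaks TLS 1.2 ends up on SSL 3.0 only because the client retried after three killed handshakes, and "no_fallback_breaks_buggy", which is the cost Microsoft is weighing: once the client stops retrying, the version-intolerant server becomes unreachable. The SCSV scenarios show why the signal is the compromise most vendors shipped: it blocks the attacker's downgrade but leaves the fallback to genuinely old servers working.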
Microsoft’s initial reaction was to declare it was “working to disable fallback to SSL 3.0 in IE, and disable SSL 3.0 by default in IE, and across Microsoft online services, over the coming months.” That was on October 29, and the message is largely the same today, on December 9. Today’s announcement underlines how slow Microsoft’s reaction is compared to competitors.
Mozilla has been even faster. The organization decided, on the same day the flaw was announced, to disable SSL 3.0 by default; it didn’t even mess around with merely blocking fallback to SSL 3.0. It then delivered on its plan with the release of Firefox 34 on December 1.
Thanks to an update released today, IE users have the option to block SSL 3.0 fallback in IE11, and enterprise customers can configure this behavior via Group Policy. Yet most users won’t do this, and so the wait continues for the defaults to change.
We understand Microsoft has enterprise customers it needs to support. But when it comes to security, the company needs to move faster: SSL 3.0 should be scrapped completely, and long before February 10.