Apple to drop SSL 3.0 support for push notifications on Oct. 29 due to POODLE vulnerability

Posted in General Discussion, edited October 2014
In response to a recently discovered vulnerability with SSL version 3.0, Apple on Wednesday announced through its developer website that it will be removing support for the protocol on its Apple Push Notification server.




Apple will be switching off SSL 3.0 support in favor of the more secure transport layer security (TSL) protocol on Wednesday, Oct. 29, noting developers will have to build in support by that time to ensure uninterrupted push notification service continues.

Apps currently using both SSL 3.0 and TLS will not be affected by the change, but those using just SSL 3.0 will need to be updated.

Apple has disabled SSL 3.0 on the Provider Communication interface in the developer environment, offering developers a way to check their apps for compatibility. More information is available through Apple's Developer Portal.

Earlier this month, a vulnerability in the Secure Sockets Layer (SSL) version 3.0 was discovered by Google researchers, reports Computerworld. Called POODLE (Padding Oracle On Downgraded Legacy Encryption), the discovered exploit introduces false errors when using TLS, forcing secure connections to downgrade back to the aging SSL 3.0 protocol. Nefarious users can then take advantage of a design flaw in SSL 3.0 to skim sensitive data from users' computers.

Apple subsequently rolled out workarounds protecting against possible attacks in the latest OS X Yosemite and iOS 8 software updates, as well as a security update for OS X Mavericks and Mountain Lion.
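
As an added example (not from the article or from Apple), the sketch below reads the protocol version a server selected in a captured ServerHello record and flags a connection that settled on SSL 3.0, which is the outcome the downgrade described above forces. The function names are hypothetical and the sample records are constructed in `build_server_hello`.

```python
import struct

# Wire codes for the protocol versions relevant to the SSL 3.0 / TLS cut-over.
# (TLS 1.3 signals its version in an extension and is out of scope here.)
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

HANDSHAKE = 22     # record-layer content type
SERVER_HELLO = 2   # handshake message type


def negotiated_version(record: bytes) -> str:
    """Return the version the server chose, read from one ServerHello record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    content_type, _record_version, length = struct.unpack("!BHH", record[:5])
    body = record[5:5 + length]
    if content_type != HANDSHAKE or len(body) != length or length < 6:
        raise ValueError("not a complete handshake record")
    msg_len = int.from_bytes(body[1:4], "big")
    if body[0] != SERVER_HELLO or msg_len < 2 or msg_len + 4 > length:
        raise ValueError("not a ServerHello")
    # The first two bytes of the ServerHello body are the selected version.
    (version,) = struct.unpack("!H", body[4:6])
    return VERSIONS.get(version, f"unknown (0x{version:04x})")


def settled_on_ssl3(record: bytes) -> bool:
    """True when the handshake ended up on SSL 3.0 and needs attention."""
    return negotiated_version(record) == "SSL 3.0"


def build_server_hello(version: int) -> bytes:
    """Constructed sample: a minimal ServerHello with a zeroed random field."""
    hello = (struct.pack("!H", version) + bytes(32)  # version + random
             + b"\x00"                               # empty session id
             + b"\x00\x2f"                           # one cipher suite
             + b"\x00")                              # null compression
    handshake = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, version, len(handshake)) + handshake


if __name__ == "__main__":
    for code in (0x0300, 0x0301, 0x0303):
        rec = build_server_hello(code)
        print(negotiated_version(rec), "-> flag" if settled_on_ssl3(rec) else "-> ok")
```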

Comments

  • Reply 1 of 21
    christophb Posts: 1,482 member
    Transport Layer Security (TSL)? That's gotta be 1.0...
  • Reply 2 of 21

    In before somebody complains about app updates: I believe this is only for the interface between the servers sending the push message to Apple's servers. In the worst case, the developers can implement a proxy in front of their servers.

  • Reply 3 of 21
    MacPro Posts: 19,712 member
    Apple seem to react pretty quickly to these things. Very impressive.

    On a side note: It's a shame POODLE is taken, it would have been a great name for the next version of Assdroid. They surely can't keep using 9 year old's favorite snacks can they? Then again, rat might be more succinct ...
  • Reply 4 of 21
    gatorguy Posts: 24,153 member
    Apple seem to react pretty quickly to these things. Very impressive.

    On a side note: It's a shame POODLE is taken, it would have been a great name for the next version of Assdroid. They surely can't keep using 9 year old's favorite snacks can they? Then again, rat might be more succinct ...

    Since you couldn't resist a "but...but...but Android" mention, isn't it great that the "Assdroid" creator discovered this and advised Apple of the details so they could put a fix in place? Wouldn't be surprising that Apple thanked them. None of these techs could exist in a vacuum.
  • Reply 5 of 21
    MacPro Posts: 19,712 member
    gatorguy wrote: »
    Since you couldn't resist

    Can you suggest a good Android fan site that I can spend half of my life on reading and posting intellectually stunning anti-Google comments and pro Apple arguments ... Oh wait, don't bother, I have a life.
  • Reply 6 of 21
    christophb wrote: »
    Transport Layer Security (TSL)? That's gotta be 1.0...

    TLS. Non-technical writers were involved. :lol:
  • Reply 7 of 21
    gatorguy Posts: 24,153 member
    Can you suggest a good Android fan site that I can spend half of my life on reading and posting intellectually stunning anti-Google comments and pro Apple arguments ... Oh wait, don't bother, I have a life.

    No need to go anywhere else to learn about Android or Google. AI has plenty of news to report on them, nearly a daily event, and some of the wittiest comments originate here. (Marvin's "the only thing more insecure" is one of the best ever) What news is missed gets mentioned by you and others so I think everything gets covered pretty well.
  • Reply 8 of 21
    ibeam Posts: 322 member
    Quote:

    Originally Posted by digitalclips View Post





    Can you suggest a good Android fan site that I can spend half of my life on reading and posting intellectually stunning anti-Google comments and pro Apple arguments ... Oh wait, don't bother, I have a life.

    He actually has a point. Google is often first to discover new vulnerabilities. We just spent 100+ hours fixing UNIX vulnerabilities discovered by Google. We were not happy about all that lost productivity but it was necessary ...thanks to Google for discovering the issue.

  • Reply 9 of 21
    gatorguy Posts: 24,153 member
    ibeam wrote: »
    He actually has a point. Google is often first to discover new vulnerabilities. We just spent 100+ hours fixing UNIX vulnerabilities discovered by Google. We were not happy about all that lost productivity but it was necessary ...thanks to Google for discovering the issue.

    BTW, if interested the security blog discussion of Poodle and how to address the 18 year old exploit:
    http://googleonlinesecurity.blogspot.com/2014/10/this-poodle-bites-exploiting-ssl-30.html
  • Reply 10 of 21
    I'm running OS X Yosemite beta. Now I want to download public version of Yosemite. How can I install
  • Reply 11 of 21
    ijoyner Posts: 135 member
    It's TLS actually.
  • Reply 12 of 21
    MacPro Posts: 19,712 member
    ibeam wrote: »
    He actually has a point. Google is often first to discover new vulnerabilities. We just spent 100+ hours fixing UNIX vulnerabilities discovered by Google. We were not happy about all that lost productivity but it was necessary ...thanks to Google for discovering the issue.

    He has many good points, no argument there. Let me ask you this ... would you spend all day, everyday on a prestigious Android blog waiting to defend Apple at every turn, researching to find any link that might put down a pro Android comment, having the patience to intelligently argue with every smart person on the blog that likes Android and dislikes Apple? If not ask yourself what would entice you to do it?
  • Reply 13 of 21
    tbell Posts: 3,146 member
    ibeam wrote: »
    He actually has a point. Google is often first to discover new vulnerabilities. We just spent 100+ hours fixing UNIX vulnerabilities discovered by Google. We were not happy about all that lost productivity but it was necessary ...thanks to Google for discovering the issue.



    It is like thanking a thief for picking up some trash on your floor and throwing it out before they leave with the goods they stole.
  • Reply 14 of 21
    MacPro Posts: 19,712 member
    tbell wrote: »
    It is like thanking a thief for picking up some trash on your floor and throwing it out before they leave with the goods they stole.

    I like that analogy. :smokey:
  • Reply 15 of 21
    Quote:

    Originally Posted by digitalclips View Post





    He has many good points, no argument there. Let me ask you this ... would you spend all day, everyday on a prestigious Android blog waiting to defend Apple at every turn, researching to find any link that might put down a pro Android comment, having the patience to intelligently argue with every smart person on the blog that likes Android and dislikes Apple? If not ask yourself what would entice you to do it?

     

    I would love to live in your world of black-and-white thinking.

  • Reply 16 of 21
    Originally Posted by emoeric87 View Post

    I would love to live in your world of black-and-white thinking.


     

    How is that even relevant to what he said?

  • Reply 17 of 21
    Quote:

    Originally Posted by Tallest Skil View Post

     

     

    How is that even relevant to what he said?


    I don't know. Maybe ibeam has a history of making *disparaging* remarks about Apple on this forum. But boy, does digitalclips not like it when any positive word is written about Google (Android).

     

    Black-and-white thinking means not being able to see the nuance in most everyday realities. The article doesn't mention Android even once, but digitalclips didn't waste any time using it as an opportunity to revert back to kindergarten and crap on the "assdroid" platform—as if it has offended him on a personal level! I mean dang. He's actually spent time thinking about that made up word!

  • Reply 18 of 21
    ibeam Posts: 322 member
    Quote:

    Originally Posted by digitalclips View Post





    He has many good points, no argument there. Let me ask you this ... would you spend all day, everyday on a prestigious Android blog waiting to defend Apple at every turn, researching to find any link that might put down a pro Android comment, having the patience to intelligently argue with every smart person on the blog that likes Android and dislikes Apple? If not ask yourself what would entice you to do it?

    Is there such a thing as a prestigious Android blog?

  • Reply 19 of 21
    ibeam Posts: 322 member
    Quote:
    Originally Posted by TBell View Post





    It is like thanking a thief for picking up some trash on your floor and throwing it out before they leave with the goods they stole.

    Google has done a few sleazy things which no one can defend, like crawling through personal wifis while supposedly collecting street view data and also when they got caught exploiting Safari privacy settings with their sneaky Javascript auto submit form in the background.

     

    So maybe the analogy is that the thief, after breaking into your house, leaves a sticky note on the inside of your front door saying you really should upgrade this lock, it is easy to compromise. We know because we have a lot of experience in this matter.

  • Reply 20 of 21
    Quote:

    Originally Posted by digitalclips View Post





    He has many good points, no argument there. Let me ask you this ... would you spend all day, everyday on a prestigious Android blog waiting to defend Apple at every turn, researching to find any link that might put down a pro Android comment, having the patience to intelligently argue with every smart person on the blog that likes Android and dislikes Apple? If not ask yourself what would entice you to do it?

    The viewership of AI reflects the fact that AI is much more concerned with Android than Android sites are with Apple. For instance, the most recent story on AndroidPolice mentioning "iPad" dates back to May 15. 
