Microsoft Planning To Disable SSL 3.0 Support in December
Microsoft gave notice today that it will disable Secure Sockets Layer (SSL) 3.0 support in its Internet Explorer browser and in its Online Services, starting on Dec. 1, 2014.
The announcement ramps up Microsoft's earlier advice to organizations about the SSL 3.0 vulnerability by establishing a firm cut-off date. SSL 3.0 is an older encryption standard that's associated with the HTTPS method for securing Web traffic. Researchers discovered a flaw in SSL 3.0 that can be exploited to carry out so-called "man-in-the-middle"-type attacks, which can lead to the exposure of security information, such as authentication cookies.
The SSL 3.0 exploit is thought to be difficult to carry out. An attacker would have to run hundreds of HTTPS requests to gain the information. But it looks like Microsoft is opting to be proactive in shutting it down, based on today's announcement.
"Although analysis of connections to Microsoft online services shows very few customers still use SSL 3.0, we are providing customers with advance notice of this change so they can update their impacted clients prior to us disabling SSL 3.0," Microsoft's announcement explained.
In response to the vulnerability, Microsoft issued Security Advisory 3009008 earlier this month, which indicates that Windows and Windows Server can be affected by the SSL 3.0 flaw. The security advisory includes workaround advice for disabling SSL 3.0 in both IE and Windows. The SSL 3.0 flaw can also affect Azure Websites and Roles, as well as Virtual Machines.
Today, Microsoft revised that security advisory to include a downloadable "Fix it" MSI file, which is designed to make it easier to disable SSL 3.0 in IE versions. The Fix it can be accessed in this Knowledge Base article.
Microsoft's decision to cut off SSL 3.0 support in December means that IE browsers used with Azure and Office 365 services will have to use the Transport Layer Security (TLS) 1.0, or higher, protocol, going forward. Users might experience connection problems otherwise. The TLS protocol doesn't have this security flaw.
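For administrators who need to find impacted clients before the cutoff, the following Python example (added here, not from Microsoft or the original article) reads the highest protocol version a client offers in its ClientHello and flags clients that top out at SSL 3.0. The sample handshakes and the client labels are constructed for illustration.

```python
import struct

# Wire values of the protocol versions the article names.
SSL3, TLS10 = 0x0300, 0x0301
NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def client_hello_version(record: bytes) -> int:
    """Return ClientHello.client_version, the highest version the client offers."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _record_version, rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16:                       # 0x16 = handshake record
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < rec_len or len(body) < 6:
        raise ValueError("truncated handshake")
    if body[0] != 0x01:                     # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    # The record-layer version is often lower than the real offer, so the
    # version inside the hello body (after type + 3-byte length) is what counts.
    return struct.unpack("!H", body[4:6])[0]

def build_hello(version: int) -> bytes:
    """Constructed sample: minimal ClientHello, one cipher suite, no extensions."""
    body = (struct.pack("!H", version) + bytes(32)   # client_version + random
            + b"\x00"                                # empty session id
            + b"\x00\x02\x00\x2f"                    # one cipher suite
            + b"\x01\x00")                           # null compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", min(version, TLS10), len(hs)) + hs

def audit(hellos: dict) -> dict:
    """Map client label -> (offered version, True if the client must be updated)."""
    report = {}
    for label, record in hellos.items():
        try:
            v = client_hello_version(record)
            report[label] = (NAMES.get(v, hex(v)), v < TLS10)
        except ValueError as exc:
            report[label] = ("unparsed: %s" % exc, None)
    return report

# Constructed captures; labels are hypothetical.
SAMPLES = {"legacy-kiosk": build_hello(SSL3),
           "desktop": build_hello(0x0303),
           "not-a-hello": b"\x17\x03\x01\x00\x00"}

if __name__ == "__main__":
    for label, result in audit(SAMPLES).items():
        print(label, result)
```

A client flagged `True` offers nothing newer than SSL 3.0 and will fail to connect once a service requires TLS 1.0 or higher.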
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.