Microsoft Disabling SSL 3.0 in Azure Storage Next Month
Microsoft plans to disable Secure Sockets Layer (SSL) 3.0 encryption support in its Azure Storage service next month.
Azure Storage won't support the SSL 3.0 security protocol starting on Feb. 20, 2015, the company announced this week. If organizations still have browsers using that protocol after February 20, then users could experience problems connecting to the Azure Storage service, according to the announcement:
Any client/browser that uses HTTPS to connect to Azure Storage and does not utilize TLS 1.0 or higher, which supersedes SSL 3.0, will be prevented from connecting to Azure Storage when SSL 3.0 is disabled. Clients/browsers currently using HTTP to connect to Azure Storage will not be affected.
The SSL 3.0 protocol, which is being replaced by the Transport Layer Security (TLS) protocol, is subject to a man-in-the-middle type of attack called "POODLE," or "Padding Oracle on Downgraded Legacy Encryption." It's an unlikely kind of attack that depends on compelling the use of the older SSL 3.0 protocol in order to carry out an attack that could lead to information disclosure. Nonetheless, Microsoft has taken active measures to remove SSL 3.0 support from its various products, including Internet Explorer, Windows Server, Azure services and Office 365 services.
Microsoft lists all of its software potentially affected by the SSL 3.0 vulnerability in this security advisory. The advisory includes tips for disabling use of the protocol. A browser can be quickly tested for the vulnerability at this POODLE test page. Web servers can be tested for the vulnerability using Qualys' SSL Labs test service, which is free to use. The use of SSL Labs is recommended by Microsoft MVP André N. Klingsheim, who provides a thorough history of SSL/TLS configurations in Windows Server in this blog post. SSL Labs is maintained by application security researcher Ivan Ristić, who blogs about SSL issues at this page.
Microsoft announced it was planning to disable SSL 3.0 support in its various products back in October. At that time, it noted that its online services and Internet Explorer browser would start to lose support for the protocol on Dec. 1, 2014. Azure and Office 365 services were generally announced as losing support on that December 1 date, but it seems that the Azure Storage service was a bit of a laggard.
Microsoft provided a progress report on December 9 indicating that it had disabled SSL 3.0 in Azure Websites, Azure Portal, Azure Portal preview and Azure Service Bus. The company plans to disable SSL 3.0 in the "Guest OS" of Azure Web Roles and Worker Roles after it delivers an update to the Guest OS, which will start getting delivered after Jan. 13, 2015.
Microsoft plans to disable SSL 3.0 in its other Azure services "in the coming months," according to its December 9 blog. No further details seem to be available.
While Microsoft is disabling SSL 3.0 in its products, some organizations may prefer to use a "URL rewrite approach" as a way to avoid the vulnerability, instead of just disabling SSL 3.0 use in software, which can potentially result in some end users experiencing connection problems. The use of a URL rewrite approach was described as an option by security expert and Microsoft MVP, Troy Hunt, in this blog post.
Unfortunately, the TLS protocol also can be subject to POODLE type attacks if SSL 3.0 padding is improperly used with it. Google security researcher Adam Langley described that problem back in December, noting that the problem had been seen in some F5 and A10 products. Those companies released patches to address the issue.
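The padding problem described above can be shown with a short check that a team could adapt as a regression test for a TLS stack. This is an added example, not code from Microsoft, Google, F5 or A10; the function names and the sample record are constructed, and it operates on already-decrypted CBC plaintext rather than on a live connection.

```python
BLOCK = 16  # CBC block size in bytes (AES)

def tls_pad(data: bytes) -> bytes:
    """TLS 1.x CBC padding: pad_len filler bytes plus a length byte, all equal to pad_len."""
    pad_len = BLOCK - 1 - (len(data) % BLOCK)
    return data + bytes([pad_len]) * (pad_len + 1)

def scramble_padding(padded: bytes) -> bytes:
    """Flip every filler byte but keep the final length byte intact."""
    pad_len = padded[-1]
    body, filler = padded[:-(pad_len + 1)], padded[-(pad_len + 1):-1]
    return body + bytes(b ^ 0xFF for b in filler) + padded[-1:]

def ssl3_style_check(plain: bytes) -> bool:
    """SSL 3.0-style rule: only the final length byte is inspected.

    The filler bytes are never examined, so any content passes.
    Applying this rule to TLS records is the flaw the article mentions.
    """
    if not plain or len(plain) % BLOCK:
        return False
    pad_len = plain[-1]
    return pad_len < BLOCK and pad_len + 1 <= len(plain)

def tls_check(plain: bytes) -> bool:
    """TLS 1.x rule: all pad_len + 1 trailing bytes must equal pad_len."""
    if not plain or len(plain) % BLOCK:
        return False
    pad_len = plain[-1]
    if pad_len + 1 > len(plain):
        return False
    return plain[-(pad_len + 1):] == bytes([pad_len]) * (pad_len + 1)

# Constructed stand-in for decrypted record data plus MAC (20 bytes).
SAMPLE = b"C" * 20
GOOD = tls_pad(SAMPLE)          # correctly padded TLS plaintext
BAD = scramble_padding(GOOD)    # same length byte, altered filler

if __name__ == "__main__":
    for name, rec in (("well-formed", GOOD), ("altered filler", BAD)):
        print(f"{name:15} ssl3-style={ssl3_style_check(rec)} tls={tls_check(rec)}")
```

A record with altered filler bytes that passes the first check but fails the second is the signal that a stack validates TLS padding too loosely.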
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.