Testing has already begun in development environments

Oct 23, 2014 13:31 GMT  ·  By

In the wake of the recent disclosure of the POODLE attack, Apple issued a patch for OS X Yosemite (10.10) last week and decided to update the Push Notification service and drop server support for the SSL 3.0 cryptographic protocol.

The change is slated to occur next week, on October 29, and in an announcement on Wednesday, the company gave the heads up to providers relying on SSL 3.0 to deliver updates to clients through Apple’s service.

Providers supporting TLS are not affected

“In order to protect our users against a recently discovered security issue with SSL version 3.0 the Apple Push Notification server will remove support for SSL 3.0 on Wednesday, October 29. Providers using only SSL 3.0 will need to support TLS as soon as possible to ensure the Apple Push Notification service continues to perform as expected,” says the announcement.

If providers include support for both SSL 3.0 and TLS, they remain unaffected by the modification.

Testing has already begun, as Apple turned off the protocol on the Provider Communication interface in the development environment in order to check if push notifications are received by the applications.
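The announcement's requirement is simple: a provider must be able to negotiate TLS, and after the cut-off an SSL 3.0-only client will fail to connect. The snippet below is an added example, not code from the article or from Apple; it assumes the provider is written in Python and uses the standard-library ssl module. It builds a client-side context with an explicit protocol floor, so SSL 3.0 can never be negotiated regardless of the OpenSSL build's defaults, and includes a small self-check that a deployment script can run before the switch-over date. The function and parameter names are the author's own.

```python
import ssl


def make_apns_provider_context(cafile=None):
    """Client-side TLS context for a provider's connection to a push gateway.

    PROTOCOL_TLS_CLIENT already turns on certificate and hostname
    verification; the explicit minimum_version is what guarantees that
    SSL 3.0 (and the other legacy versions) cannot be negotiated, whatever
    the linked OpenSSL was built to allow.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # TLS 1.2 as the floor; in 2014 TLS 1.0 would have satisfied the
    # announcement, but nothing below 1.2 is defensible today.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        # Pin to a specific CA bundle when the operator supplies one.
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def allows_sslv3(ctx):
    """True if the context's version floor would still admit SSL 3.0.

    MINIMUM_SUPPORTED means "whatever the library allows", which on a
    legacy OpenSSL build may include SSL 3.0, so it is treated as unsafe.
    """
    lo = ctx.minimum_version
    return lo == ssl.TLSVersion.MINIMUM_SUPPORTED or lo <= ssl.TLSVersion.SSLv3


def context_summary(ctx):
    """Plain-Python summary a pre-deployment check can log or assert on."""
    return {
        "minimum_version": int(ctx.minimum_version),
        "sslv3_possible": allows_sslv3(ctx),
        "verifies_peer": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


if __name__ == "__main__":
    # Usage: run once from the provider's deployment pipeline.
    summary = context_summary(make_apns_provider_context())
    assert not summary["sslv3_possible"], "provider could still negotiate SSL 3.0"
    print(summary)
```

The check is deliberately made against the context object rather than against a live connection, so it runs offline in CI; the live confirmation is the development-environment test the article describes, where Apple has already disabled the protocol.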

POODLE is a serious issue

The POODLE (Padding Oracle On Downgraded Legacy Encryption) attack has been devised by security experts at Google, who demonstrated that data could be extracted from connections secured through SSL 3.0.

The protocol has been considered insecure for a long time and has been replaced by the more trusted TLS, but some websites still support it rather than fall back to sending clients information in plain text.

However, the new attack represents the final nail in SSL’s coffin because of a weakness in how SSL 3.0 handles padding in the cipher-block chaining (CBC) mode of the encryption algorithm, which allows byte-by-byte decryption of secure data. Cookies can be stolen this way, allowing an attacker to log in to an online service as if they were the account’s owner.

In order to steal the information, an attacker has to be in a man-in-the-middle (MitM) position, intercepting the target’s traffic, for example between the client and a compromised WiFi access point, and force a downgrade of the protocol used for the communication.

The downgrade is easily achieved through network glitches that the attacker can trigger repeatedly until the two sides fall back to SSL 3.0. Once that happens, decryption of the information can begin.
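Because the downgrade happens in the open, a network defender can see it: the version field of a ServerHello is the version both sides agreed on, and a ClientHello whose version field is 0x0300 is a client that is offering nothing newer than SSL 3.0, which is what a browser's fallback retry looks like on the wire. The parser below is an added example, not part of the article, and not a tool from Google or Apple; it reads the first handshake record of a connection, extracts both versions, and classifies the record. The sample records are constructed in `build_hello` as test fixtures, and all names are the author's own.

```python
import struct

HANDSHAKE = 0x16                 # TLS record content type for handshake messages
CLIENT_HELLO, SERVER_HELLO = 1, 2
SSL3 = 0x0300
VERSION_NAMES = {
    0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
    0x0303: "TLS 1.2", 0x0304: "TLS 1.3",
}


def parse_hello(record):
    """Return (msg_type, record_version, hello_version) from a raw handshake record.

    Record layout: type(1) version(2) length(2), then a handshake message:
    msg_type(1) length(3) and, for both hello types, version(2) random(32) ...
    """
    if len(record) < 5:
        raise ValueError("record too short")
    content_type, rec_ver, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 6:
        raise ValueError("truncated handshake message")
    msg_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    if len(body) < 4 + hs_len:
        raise ValueError("handshake length exceeds record")
    if msg_type not in (CLIENT_HELLO, SERVER_HELLO):
        raise ValueError("not a hello message")
    (hello_ver,) = struct.unpack("!H", body[4:6])
    return msg_type, rec_ver, hello_ver


def classify(record):
    """Classify one hello record as ("OK" | "WARN" | "ALERT", role, version name).

    ALERT: the server selected SSL 3.0, so the session is POODLE-exposed.
    WARN:  the client offered at most SSL 3.0; either a legacy client or a
           browser retrying after its higher-version handshakes were broken.
    """
    msg_type, _rec_ver, hello_ver = parse_hello(record)
    role = "client" if msg_type == CLIENT_HELLO else "server"
    name = VERSION_NAMES.get(hello_ver, "unknown 0x%04x" % hello_ver)
    if msg_type == SERVER_HELLO and hello_ver == SSL3:
        return "ALERT", role, name
    if msg_type == CLIENT_HELLO and hello_ver == SSL3:
        return "WARN", role, name
    return "OK", role, name


def build_hello(msg_type, version, record_version=None):
    """Construct a minimal, well-formed hello record (constructed fixture, not a capture)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00"      # version, random, empty session id
    if msg_type == CLIENT_HELLO:
        body += b"\x00\x02\x00\x2f" + b"\x01\x00"                # one cipher suite, null compression
    else:
        body += b"\x00\x2f" + b"\x00"                            # chosen suite, null compression
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    rec_ver = version if record_version is None else record_version
    return struct.pack("!BHH", HANDSHAKE, rec_ver, len(hs)) + hs


def scan(records):
    """Return the verdicts for a sequence of captured first records, worst first."""
    rank = {"ALERT": 0, "WARN": 1, "OK": 2}
    return sorted((classify(r) for r in records), key=lambda v: rank[v[0]])


if __name__ == "__main__":
    # A downgrade as seen on the wire: a TLS 1.2 offer, a retry offering only
    # SSL 3.0, and a server that accepts the retry.
    sample = [
        build_hello(CLIENT_HELLO, 0x0303, record_version=0x0301),
        build_hello(CLIENT_HELLO, SSL3),
        build_hello(SERVER_HELLO, SSL3),
    ]
    for verdict in scan(sample):
        print(verdict)
```

The ServerHello is the record to alert on, since it reflects the version actually in use; the ClientHello rule is a lower-confidence signal that helps spot the fallback retries a downgrade relies on, which a sensor that sees only one side of the exchange would otherwise miss.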