Apple has announced that it will no longer support the security encryption standard known as SSL. More specifically SSL 3.0. Instead it’ll be integrating its push notification system. This all due to a flaw in SSL that could possibly expose data. The switch from SSL 3.0 to TLS (Transport Layer Security) will commence October 29th.
This flaw is known as “Poodle”, and stands for Padding Oracle On Downgraded Legacy Encryption. The security hole was originally found via Google researchers and is fully covered on this PDF. They realized that Poodle created false errors which forced certain connections to downgrade to this SSL protocol which then allowed for the skimming of data.
Poodle makes encrypted data exposed to certain hackers over a network connection. The attack can be done through browsers is a big concern, as this allows potential attackers to force entry to your encrypted data. Many other sites/browsers have followed suit. Twitter disabled SSL 3.0 already, while Mozilla asked users to download an add-on to get the job done, awaiting the next updated version to roll out. If you happen to be an Internet Explorer user, here’s a guide from University of Michigan researches, on how to disable the protocol yourself.
The Apple update is rolling out for OSX computers, and mobile iOS devices. A big switch, but with the risk of thousands of users having their data breached, it simply needed to be corrected with no further delay. This potential bug, which is not just affecting Apple users, can lead to big data leaks if sites/services don’t switch or find a patch to the vulnerability.
Additionally, Apple has warranted a note to developers to switch support to TLS as soon as possible in order to get push notifications within their apps working. A very important feature, when it comes to notifying users of new content for example. In a note Apple stated;
“Providers using only SSL 3.0 will need to support TLS as soon as possible to ensure the Apple Push Notification service continues to perform as expected,” according to a note to developers.”
While it may be an issue for developers to update their apps, in order for push notifications to work, it’s certainly for the greater good. The more secured TLS protocol is supposedly is foolproof as of now & should ensure the needed encryption and security, according to experts.
As with any company that deals with millions of users, security is an utmost concern. Considering the fact that Apple controls a ton of data from users on OSX to mobile iOS, and recent iCloud breaches of nudes, this is something that should be taken seriously. The full statement from Apple can be read here on their Apple developer page.
They’ve gone ahead and set up a test environment for developers, to make sure they’re updates run efficiently, and that the switch assures push notifications will be up and running. On the user end, this is not causing any significant change to how you use and access push notifications, rather a change in the security layer of technology behind it all.
If you’re looking for an added layer of security, check out our review of the best VPN providers.