Note: Google wants to completely disable SSLv3 and RC4 traffic passwords
Google announced that this was the last time it adjusted the old Web security protocol. Specifically, Google plans to disable the Transport Layer Security Protocol SSLv3 and the RC4 stream password of the front-end server, and ultimately extend it to all its software, including Chrome, Android, email server, and Web Crawler programs. The RC4 and SSLv3 used by Internet task groups are considered insecure.
Google pointed out in its blog that SSLv3 has expired for 16 years. Although RC4 has not yet faced the same problem, it has recently become the main target of attack research. Considering its strength, IETF had banned the use of RC4 in TLS as early as February 2015. SSLv3 is a historical issue, but recently it was blocked by multiple parties due to POODLE attacks.
Google believes that many websites and browser users are still using these vulnerable protocols. According to the SSL Pulse survey in the blog, 200,000 of the top 58% HTTPS websites still have RC4 and 34% still have SSLv3.
According to Dr. Chase cunnhan, websites that do not disable SSLv3 are at risk of many attacks.
"Every website with these SSL operations will be under the threat of intermediary and download attacks. Therefore, anyone accessing this website may violate rules or be intercepted," cunnheim said. "This is not a good thing for companies that have websites well-known for such things. "
Google said it would slowly disable SSLv3 and RC4 on its front-end servers and eventually expand its reach to all products, including Chrome browsers. Although Google points out that your server depends on one of these protocols, TLS users should be able to automatically adapt to these changes.
On the contrary, Google has set minimum security requirements for its TLS 1.2 in terms of server identification, cipher suites, trust certificates, and certificate processing. To make these conversions easier, Google has prepared a test tool.
Cunnhan said that the changes Google has to make are not heavy and even easy for some companies, but they can play a major role in general. "Our company will make the entire transition over the weekend. Enterprises with a decent IT department can do IT in a short time, "cunnheim said. "This is a big project, at least from the old standard upgrade chain. This is a small step in the right direction, but it is very precious. "