Google to Kill Off SSL 3.0 in Chrome 40
If you still allow old versions of ssl to be used in your enterprise due to outdated applications or hardware deficiencies then you need to migrate to TLS 1.2 and disallow insecure SSL 3.0 and lower connections that use short cryptographic keys.
You also need to be very aware that several well known web services and applications just one or two versions down sometimes come with old versions of SSL embedded in Apache Tomcat services. A good scanner such as Nessus will reveal that an insecure version of Apache (or whatever) SSL is being used with shorter keys, but it won’t tell you which app is the culprit so you are going to have to monitor the transactions to trace them back if you are not sure which one it is. This is especially true if your app vendor is not coming clean about it. Longer keys take more server resource to crypt/decrypt so be prepared for a potential performance hit after you upgrade.
The decision comes after Google security researchers recently discovered a dangerous design flaw in SSL 3.0. Dubbed “POODLE,” the vulnerability allows a man-in-the-middle attacker to recover sensitive, plain text information like authentication cookies, from a HTTPS (HTTP Secure) connection encrypted with SSLv3.
Even though POODLE is the biggest security issue found in SSL 3.0 so far, it is not the protocol’s only weakness. SSL version 3 was designed in the mid-1990s and supports outdated cipher suites that are now considered insecure from a cryptographic standpoint.
HTTPS connections today typically use TLS (Transport Layer Security) versions 1.0, 1.1 or 1.2. However, many browsers and servers have retained their support for SSL 3.0 over the years — browsers to support secure connections with old servers and servers to support secure connections with old browsers.