Android 8.0 Oreo Drops Support for SSLv3
SSL is officially dead on Android: the new version, 8.0 Oreo, no longer supports SSLv3.
Google officially released the newest version of its Android mobile operating system, 8.0 Oreo, yesterday. This is the eighth major version of the Android OS, and it comes with a number of improvements and new features.
As with the release of any new OS, we like to keep you up to date with the SSL and encryption-related changes that are taking place. There are two notable SSL/TLS security changes in Oreo:
- SSLv3 is no longer supported.
- When establishing an HTTPS connection to a server that incorrectly implements TLS protocol-version negotiation, HttpsURLConnection no longer attempts the workaround of falling back to earlier TLS protocol versions and retrying.
What Does Dropping SSLv3 Support Mean?
Well, to fully explain we need to start with a little background on SSL/TLS versions. SSL, or Secure Sockets Layer, was created by Netscape. The original version, SSLv1 or SSL 1.0, was never even publicly released. SSLv2 or SSL 2.0 was released in 1995, and SSL 3.0 followed in 1996.
Unfortunately, all of them were found to have protocol-level weaknesses, so in 1999 Transport Layer Security was defined in RFC 2246 as the successor to SSL. That was TLS 1.0. We are about to begin the TLS 1.3 era.
Removing support for SSL 3.0 isn’t surprising; after all, it has been formally deprecated since 2015 (RFC 7568), after the 2014 POODLE attack showed that its handling of CBC padding can be exploited to decrypt traffic. Frankly, continued support for these outmoded SSL protocol versions is a big security concern. Nobody should support SSLv3.
Still, there are going to be some site owners with outdated configurations that will be affected by this. So, this is probably a good time just to double-check your server configuration and make sure that you’re supporting the right protocols (and not any outdated ones).
The second change we covered – that during TLS protocol-version negotiation Android 8.0 Oreo will no longer attempt to fall back to an earlier protocol version and retry – further reiterates Google’s position that sites should keep their configurations up to date. It’s a legitimate security issue: a client that silently retries with an older version whenever a handshake fails can be pushed into that older version by anyone on the network path who simply interferes with the first handshake, which is exactly how protocol-downgrade attacks work. Servers whose version negotiation is broken will now get a plain connection failure from Oreo instead of a quietly downgraded session.
Always try to use the latest protocol version.
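To make the server-side check concrete, here is an added example (not part of the original post) that probes which SSL/TLS versions a server will negotiate, using the `openssl s_client` tool. The host name and port are assumed to be supplied by the caller, and the `openssl` binary is assumed to be on PATH. It also handles the one caveat that trips people up: most current OpenSSL builds are compiled without SSLv3 at all, so an `-ssl3` probe that fails locally proves nothing about the server, and the script reports that case separately rather than calling the server "safe".

```sh
#!/bin/sh
# Added example: probe a server for SSLv3 and each TLS version with
# `openssl s_client`. Not from the original article; `openssl` on PATH and a
# caller-supplied host/port are assumptions.

# Classify the combined stdout/stderr of one `openssl s_client -<version>` run,
# read from stdin. Prints exactly one word:
#   supported    - a session was established at the requested version
#   rejected     - the server refused that version (or the handshake failed)
#   client-lacks - this openssl build does not know the requested version flag
#   unreachable  - TCP connection to the host/port failed
# This is a heuristic over openssl's human-readable output, which changes a
# little between releases; the lines matched below are stable since 1.0.x.
classify_s_client_output() {
    out=$(tr '[:upper:]' '[:lower:]')
    case "$out" in
        *"unknown option"*|*"option -"*" not supported"*) echo client-lacks ;;
        *"connect:errno"*|*"connection refused"*)        echo unreachable ;;
        *"cipher is (none)"*)                             echo rejected ;;
        *"cipher is "*)                                   echo supported ;;
        *)                                                echo rejected ;;
    esac
}

# Run one probe. $1 = host, $2 = port, $3 = s_client version flag (e.g. -tls1_2).
probe_version() {
    host=$1; port=$2; flag=$3
    # -servername sends SNI so name-based virtual hosts answer with the right
    # config; stdin from /dev/null makes s_client exit once the handshake ends.
    openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
        </dev/null 2>&1 | classify_s_client_output
}

# Probe every version openssl has a flag for and print a short report.
# Returns 1 if SSLv2 or SSLv3 was negotiated, so it can gate a deployment.
check_protocols() {
    host=$1; port=${2:-443}
    bad=0
    for flag in -ssl2 -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
        result=$(probe_version "$host" "$port" "$flag")
        printf '%-8s %s\n' "${flag#-}" "$result"
        case "$flag:$result" in
            -ssl2:supported|-ssl3:supported) bad=1 ;;
        esac
    done
    return $bad
}

# Stand-alone usage: ./check_protocols.sh example.com [443]
if [ $# -ge 1 ]; then
    check_protocols "$@"
fi
```

A `client-lacks` result for `ssl3` means you need a different tester (an older OpenSSL built with SSLv3, or a scanner such as nmap's `ssl-enum-ciphers` script) before you can claim the server refuses it. If `ssl3` comes back `supported`, disable it in the web server, for example `SSLProtocol all -SSLv3` in Apache or `ssl_protocols TLSv1.2 TLSv1.3;` in nginx, and re-run the probe.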
What We Hashed Out (for Skimmers)
Here’s what we covered in today’s discussion:
- Google officially released Android 8.0 Oreo on August 21, 2017.
- This version of the mobile OS will not support SSLv3 (SSL 3.0).
- This is a good time to check your server configuration, specifically what protocols you support.