SSL is officially dead on Android: the new version, Android 8.0 Oreo, no longer supports SSLv3.
Google officially released the newest version of its Android mobile operating system, 8.0 Oreo, on August 21, 2017. This is the 8th major release of the Android OS and it comes with a number of improvements and new features.
As with the release of any new OS, we like to keep you up to date with the SSL and encryption-related changes that are taking place. There are two notable SSL/TLS security changes in Oreo:
- SSLv3 is no longer supported.
- When establishing an HTTPS connection to a server that incorrectly implements TLS protocol-version negotiation, HttpsURLConnection no longer attempts the workaround of falling back to earlier TLS protocol versions and retrying.
What Does Dropping SSLv3 Support Mean?
Well, to fully explain we need to start with a little background on SSL/TLS versions. SSL, or Secure Sockets Layer, was created by Netscape. The original version, SSLv1 or SSL 1.0, was never publicly released. SSLv2 (SSL 2.0) was released in 1995 and SSL 3.0 followed in 1996.
Unfortunately, all of them were found to be vulnerable, so by 1999 Transport Layer Security had been defined in RFC 2246 as the successor to SSL. That was TLS 1.0; TLS 1.1 and TLS 1.2 followed, and we are about to begin the TLS 1.3 era.
Removing support for SSL 3.0 isn’t surprising. The POODLE attack (CVE-2014-3566) showed in 2014 that any SSLv3 connection could be broken by an attacker able to force a downgrade to it, and the protocol was formally deprecated by RFC 7568 in 2015. Frankly, continued support for these outmoded SSL protocol versions is a big security concern. Nobody should support SSLv3.
Still, some site owners with outdated configurations will be affected by this: an Oreo device will simply fail to connect to a server that only offers SSLv3. So this is a good time to double-check your server configuration and make sure that you’re supporting the right protocols (and not any outdated ones).
The second change we covered, that HttpsURLConnection on Android 8.0 Oreo no longer retries a failed handshake with an earlier protocol version, further reiterates Google’s position that sites should keep their configurations up to date. It’s a legitimate security issue: a client that quietly retries with a weaker version whenever a handshake fails lets an attacker who can disrupt the first handshake force the connection down to that weaker version. A server that implements version negotiation correctly never needed the retry in the first place, and one that doesn’t will now simply fail to connect from Oreo.
Always try to use the latest protocol version.
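The two Oreo changes above and the configuration check they call for can be exercised with the following script. It is an added example for this article, not code from Google, Android or the article's author; it uses only the Python standard library (3.7 or newer, for `ssl.TLSVersion`). For each protocol version it makes exactly one handshake pinned to that version and reports the result, with no retry at a lower version on failure, which is the fallback behaviour Oreo removed. It also handles the edge case a practitioner hits immediately: a modern OpenSSL build will not even offer SSLv3, so that row comes back "untestable" rather than a false "refused". The error-reason strings it looks for are OpenSSL's and are treated as a heuristic.

```python
"""Probe which SSL/TLS versions a server accepts and flag outdated ones.

Added example for this article, not code from Google, Android or the
article's author. Standard library only; needs Python 3.7+ (ssl.TLSVersion).
Usage: python3 tls_probe.py example.com 443
"""
import socket
import ssl
import sys
import warnings

# Oldest to newest, using the ssl module's own names.
VERSIONS = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
OUTDATED = ("SSLv3", "TLSv1", "TLSv1_1")

# OpenSSL reason codes that mean the *local* library would not speak the
# version, as opposed to the server rejecting it. Heuristic (assumption):
# these strings come from OpenSSL and differ slightly between builds.
LOCAL_REFUSAL = {"NO_PROTOCOLS_AVAILABLE", "UNSUPPORTED_PROTOCOL"}


def classify_handshake_error(reason):
    """Map ssl.SSLError.reason to 'untestable' (our OpenSSL lacks the version)
    or 'refused' (the server would not negotiate it)."""
    return "untestable" if reason in LOCAL_REFUSAL else "refused"


def pinned_context(version):
    """Client context that offers exactly one protocol version, or None when
    the local OpenSSL build cannot offer it at all (modern builds drop SSLv3)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we are testing the protocol, not the certificate
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with warnings.catch_warnings():
            # Newer Pythons emit DeprecationWarning when an old version is selected.
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
    except ValueError:
        return None
    return ctx


def probe_version(host, port, version, timeout=5.0):
    """Make exactly one handshake pinned to `version` and report
    'accepted', 'refused', 'untestable' or 'unreachable'.

    There is deliberately no retry with a lower version on failure: that retry
    loop is the fallback Android 8.0 removed from HttpsURLConnection, and it is
    what lets an on-path attacker force a downgrade by breaking the first try.
    """
    ctx = pinned_context(version)
    if ctx is None:
        return "untestable"
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"        # nothing listening, DNS failure, timeout
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() else "refused"
        except ssl.SSLError as exc:
            return classify_handshake_error(getattr(exc, "reason", None))
        except OSError:
            return "refused"        # reset or closed mid-handshake: a ruder refusal


def probe_all(host, port):
    """Probe every version, oldest first. Returns {version name: status}."""
    return {v.name: probe_version(host, port, v) for v in VERSIONS}


def assess(results):
    """Turn a {version name: status} map (from probe_all, or built by hand)
    into the findings a server owner should act on."""
    findings = []
    for name in OUTDATED:
        status = results.get(name)
        if status == "accepted":
            findings.append(f"{name} accepted: disable it on the server")
        elif status == "untestable":
            findings.append(f"{name} not testable from this host (local OpenSSL "
                            f"will not offer it); confirm with another tool")
    if results.get("TLSv1_2") != "accepted":
        findings.append("TLSv1_2 not accepted: current clients expect at least TLS 1.2")
    return findings


if __name__ == "__main__":
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    outcome = probe_all(target, target_port)
    for name, status in outcome.items():
        print(f"{name:8s} {status}")
    for finding in assess(outcome):
        print("FINDING:", finding)
```

If SSLv3 comes back "untestable", the same limitation applies to `openssl s_client -ssl3`, which only works when the openssl binary was built with SSLv3 enabled; use a scanner that carries its own implementation or check the server-side setting directly. On the server the fix is the protocol list: `ssl_protocols TLSv1.2 TLSv1.3;` on nginx, or `SSLProtocol -all +TLSv1.2 +TLSv1.3` on Apache httpd (directive names from the respective projects' documentation; drop TLSv1.3 where your build predates it).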
What We Hashed Out (for Skimmers)
Here’s what we covered in today’s discussion:
- Google officially released Android 8.0 Oreo on August 21, 2017.
- This version of the mobile OS will not support SSLv3 (SSL 3.0).
- This is a good time to check your server configuration, specifically what protocols you support.