Apple Dropping SSL 3.0 for Push Notifications in Wake of Poodle Security Flaw

Apple plans to drop support for SSL 3.0 for Push notifications following the discovery of the Poodle SSL 3.0 security flaw. The Mac, iPhone and iPad maker will transition to TLS on October 29, and is warning developers to update their apps to support the more secure protocol.

Apple dropping Push notification support to avoid Poodle SSL security flawApple dropping Push notification support to avoid Poodle SSL security flaw

In a note to developers, Apple said,

In order to protect our users against a recently discovered security issue with SSL version 3.0 the Apple Push Notification server will remove support for SSL 3.0 on Wednesday, October 29. Providers using only SSL 3.0 will need to support TLS as soon as possible to ensure the Apple Push Notification service continues to perform as expected. Providers that support both TLS and SSL 3.0 will not be affected and require no changes.

SSL ant TLS are both protocols designed to create secure and encrypted connections between user's computers and servers so sensitive information, like passwords, can't be intercepted. After the discovery of major SSL-related security issues like Heartbleed and Shellshock, the push to move to the newer and more secure TLS protocol has gained momentum.

Poodle works by tricking victim's computers into thinking they can't maintain a secure TLS connection to servers, causing them to fall back to the less secure SSL 3.0 protocol. Attackers can then take control over session authentication cookies and intercept and read what victims thought was encrypted data.

The fix for the issue is to disable SSL 3.0 support in apps, which Apple and Google have already done for their Web browsers. Apple is now doing the same for its Push notification system which is used for sending alerts to user's iOS and OS X devices.

Developers can test their apps for TLS compatibility through Apple's Provider Communication interface in the app development environment. Apps that aren't compatible won't be able to send Push notifications after October 29.