Google has announced that in the “medium term” it will disable support for both SSLv3 and the RC4 cipher. The move — which has been expected for months — will mean that at some point in the not too distant future, services, servers, and sites that rely on either of these outdated technologies will cease to work with Google’s services (including APIs) and applications.
SSLv3 has long been condemned as fundamentally insecure. The Internet Engineering Task Force has deprecated its use and forcefully stated that “any version of TLS is more secure.”
Until recently, many browsers and other web clients offered support for SSLv3, but in the wake of the POODLE vulnerability, which relied on forcing a downgrade to the vulnerable protocol, most — including Google Chrome — removed support. The recent announcement is just the logical conclusion of a strategy of gradual removal of SSLv3 from the web.
Any services that depend on SSLv3 should be updated immediately and are likely to stop working with Google products if they are not.
RC4 is a stream cipher that has been used for SSL encryption. It’s been considered vulnerable for decades, but is still supported to maintain compatibility with legacy applications. The removal of RC4 support from Google products shouldn’t cause much of a problem for existing servers as long as they also provide alternative ciphers. As Google’s announcement clarifies:
“… just because you might be using RC4 today doesn’t mean that your client or website will stop working: TLS can negotiate cipher suites and problems will only occur if you don’t support anything but RC4.”
Along with the announcement of its intention to disable RC4 and SSLv3, Google also released a set of minimum standards for TLS clients. The standards indicate the minimum level of TLS security that Google intends to support over the next five years (although the company isn’t making any promises on that).
The standards include support for TLS 1.2 and Server Name Indication (SNI).
If you’d like to find out whether your TLS client meets these standards, Google has created a test site that requires the most important standards to be implemented before a successful connection can be made. If your client can’t connect to this site, then it’s likely it will stop working on all Google properties in the next few years.
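The checks Google’s test site performs on a connecting client can be approximated locally by inspecting the ClientHello the client sends: does it offer TLS 1.2, does it carry a Server Name Indication extension, and does it offer any cipher suite other than RC4? The Python below is an added example, not Google’s test-site code or anything from the announcement. It constructs sample ClientHello records (labelled as constructed), parses the three fields that matter, reports which of the article’s minimum standards a client misses, and then runs the server-preference cipher selection that the quoted passage describes: a server that has dropped RC4 still reaches agreement with a client that offers a non-RC4 suite, and fails only with a client that offers nothing but RC4. The cipher-suite identifiers are the real IANA registry values; the server preference list and host names are assumptions chosen for the example.

```python
import struct

# Real cipher-suite identifiers from the IANA TLS registry.
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}
TLS12 = 0x0303
SSL3 = 0x0300
EXT_SERVER_NAME = 0x0000

# Assumed server preference list with RC4 removed (most preferred first).
SERVER_PREFERENCE = [0xC02F, 0xC02B, 0x009C, 0x002F]


def build_client_hello(version, ciphers, sni=None):
    """Construct a minimal TLS ClientHello record (constructed sample input)."""
    body = struct.pack("!H", version) + bytes(32)            # client_version + random
    body += b"\x00"                                           # empty session_id
    body += struct.pack("!H", 2 * len(ciphers))
    body += b"".join(struct.pack("!H", c) for c in ciphers)   # cipher_suites
    body += b"\x01\x00"                                       # null compression only
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name  # name_type host_name
        data = struct.pack("!H", len(entry)) + entry          # server_name_list
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body        # handshake type 1 = ClientHello
    return b"\x16" + struct.pack("!HH", version, len(hs)) + hs  # record type 22 = handshake


def parse_client_hello(record):
    """Extract the fields the minimum standards care about: version, suites, SNI."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    pos = 9                                                   # past record + handshake headers
    version = struct.unpack_from("!H", record, pos)[0]
    pos += 2 + 32                                             # client_version + random
    pos += 1 + record[pos]                                    # session_id
    cs_len = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    ciphers = [struct.unpack_from("!H", record, pos + i)[0] for i in range(0, cs_len, 2)]
    pos += cs_len
    pos += 1 + record[pos]                                    # compression_methods
    sni = None
    if pos + 2 <= len(record):                                # extensions block is optional
        ext_len = struct.unpack_from("!H", record, pos)[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", record, pos)
            pos += 4
            if etype == EXT_SERVER_NAME:
                # list_len(2) name_type(1) name_len(2) name
                name_len = struct.unpack_from("!H", record, pos + 3)[0]
                sni = record[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
    return {"version": version, "ciphers": ciphers, "sni": sni}


def check_minimum_standards(hello):
    """List the ways a parsed ClientHello misses the standards the article names."""
    problems = []
    if hello["version"] < TLS12:
        problems.append("no TLS 1.2 support (offers 0x%04x)" % hello["version"])
    if hello["sni"] is None:
        problems.append("no Server Name Indication")
    if all(c in RC4_SUITES for c in hello["ciphers"]):
        problems.append("offers only RC4 cipher suites")
    return problems


def negotiate(client_ciphers, server_preference=SERVER_PREFERENCE):
    """Server-preference selection: first server suite the client also offers, else None."""
    for suite in server_preference:
        if suite in client_ciphers:
            return suite
    return None   # no common suite: the handshake fails


if __name__ == "__main__":
    samples = {   # constructed clients; host name is an assumption
        "modern":   build_client_hello(TLS12, [0xC02F, 0x0005], sni="www.example.com"),
        "rc4-only": build_client_hello(TLS12, [0x0005, 0xC011], sni="www.example.com"),
        "sslv3":    build_client_hello(SSL3, [0x0005, 0x0004]),
    }
    for label, record in samples.items():
        hello = parse_client_hello(record)
        print(label, check_minimum_standards(hello) or "meets standards",
              "negotiated=%s" % negotiate(hello["ciphers"]))
```

Running it shows the point of the quoted passage: the “modern” client still lists an RC4 suite but negotiates AES-GCM because the server prefers it, while the RC4-only and SSLv3 clients get no common suite at all.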
In a nutshell, if your service or application depends on the seriously outdated SSLv3 or RC4 technologies then firstly, you should have updated years ago, and secondly, you can expect it to stop working with Google services in the medium term. If your TLS clients and services don’t adhere to Google’s minimum standards, they’ll stop working at some indeterminate point in the future. If they do adhere to the standards, you’ve probably got until 2020.