8

I've read this article from Google's Online Security Blog, and it says that Google will disable support for SSLv3 and RC4.

Here's the reason:

SSLv3 has been obsolete for over 16 years and is so full of known problems that the IETF has decided that it must no longer be used. RC4 is a 28 year old cipher that has done remarkably well, but is now the subject of multiple attacks at security conferences. The IETF has decided that RC4 also warrants a statement that it too must no longer be used.

  • When that happens, will we —the clients— have to do any kind of upgrade or configuration?
  • What can we do right now?

I'm not sure if I understand well, will HTTPS disappear, or is it only about encryption upgrades?

Also there is a 'requirements' section in the article

Specifically, we are requiring:

  1. TLS 1.2 must be supported.
  2. A Server Name Indication (SNI) extension must be included in the handshake and must contain the domain that's being connected to.
  3. The cipher suite TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 must be supported with P-256 and uncompressed points.
  4. At least the certificates in https://pki.google.com/roots.pem must be trusted.
  5. Certificate handling must be able to support DNS Subject Alternative Names and those SANs may include a single wildcard as the left-most label in the name.

As clients of domain name registrars and web hosting services, will we have to do any upgrade, or is this information only for them?

Basically, what I ask is: Should we get SSL Certificates for our websites still? If so, from where, or what version?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Jonathan Solorzano
  • 183
  • 4
  • 2
    HTTPS will not disappear, and you'll be fine unless you use a prehistoric browser that doesn't support anything newer than SSLv3 or RC4. – André Borie Sep 19 '15 at 16:28
  • So, what does that post means? @AndréBorie – Jonathan Solorzano Sep 19 '15 at 17:02
  • 1
    Use browsers that fully support TLS. the higher the version the better. All the rest should take care of itself. – Fiasco Labs Sep 20 '15 at 07:04
  • That list of "requirements" is for some unspecified time "in the coming years". Right now you only need to deal with SSL3 (no), RC4 (no), and SHA2 (yes) as linked in the post and detailed in @gowenfawr answer, and *maybe* RSA-2048 (see my comment). – dave_thompson_085 Sep 20 '15 at 08:26

1 Answers1

12

Basically what I ask is: Should we get SSL Certificates for our websites still?

Yes, absolutely. TLS is simply a newer version of SSL, and they both use the same certificates.

An aside on the names - SSL was a Netscape protocol. When it got mainstreamed as an RFC, they made some minor tweaks and renamed it TLS so that it wouldn't be confused with a "proprietary standard." But in practice, people have used the terms SSL to refer to TLS and vice versa for years. Only now, as we're getting serious about retiring the final SSLv3 protocol, is the confusion starting to cause problems.

If so, from where, or what version?

You'll continue to get certificates from the same Certificate Authorities (CAs) like Verisign, Entrust, Comodo, etc. etc. Aside from the SSL->TLS change, certificates now need to use SHA-2 instead of older hashing protocols like SHA-1. Your CA should be issuing any new certificates with SHA-2, and should be able to help you navigate the change.

When [SSLv3 is retired], will we —the clients— have to do any kind of upgrade or configuration?

If you're using a regular web browser, you're probably fine. Only very old web browsers will have problems because of SSLv3 disappearing, IE6 on Windows XP being the biggie people talk about.

If you're using custom clients like Java code, curl, wget, openssl - then you probably need to be using a newer version. The problem is that when someone codes an SSL client in Java, they're generally not updating it often because updating Java is hell. So custom clients are going to have problems.

schroeder
  • 123,438
  • 55
  • 284
  • 319
gowenfawr
  • 71,975
  • 17
  • 161
  • 198
  • Oh i see, then if i register a new domain name, and i add it a ssl cert, i would expect the registrar to handle the tls/ssl upgrades? – Jonathan Solorzano Sep 19 '15 at 18:19
  • 2
    @JonathanS. if your registrar is setting up the domain for you, yes. If you're hosting your own server, then the CA should give you a SHA-2 cert and you should configure your web server to use TLSv1+ instead of SSLv3 – gowenfawr Sep 19 '15 at 18:35
  • 2
    One point not to forget: If you are using RSA, like most people but not everybody, you soon will be required to use a key of 2048 bits (or more, but few bother with more). CAs have been enforcing that since beginning of 2014, so if you have gotten your cert recently you are already okay; if not you will need to *generate a new keypair AND* get a new cert. Also: if your SSL/TLS server is public, https://www.ssllabs.com/ssltest will do a thorough test and tell you if you have problems and approximately how serious they are. – dave_thompson_085 Sep 20 '15 at 08:32