Apple leashes POODLE in Apple Push Notification, pulls SSL 3.0

If iOS and OS X developers want their notifications to reach end users, they should start supporting TLS now.

Apple will drop support for the buggy SSL 3.0 from its Apple Push Notification (APNs) service, used to securely deliver remote notifications to iOS and OS X devices.

Following Apple's OS X fixes last week designed to resolve the recently-disclosed POODLE bug in the design of SSL 3.0, the company will remove support for the legacy protocol in APNs.


Developers have about a week to prepare for the move, with Apple planning to drop SSL 3.0 support on October 29, according to its developer page. However, the shift will only affect providers that do not yet support TLS — the newer protocol for encrypted IP connections.

"Providers using only SSL 3.0 will need to support TLS as soon as possible to ensure the Apple Push Notification service continues to perform as expected. Providers that support both TLS and SSL 3.0 will not be affected and require no changes," it said.

As the name suggests, APNs is responsible for sending notifications such as badges and custom alerts from app developers to iOS and OS X devices. APNs negotiates the transmission from the developer to the end user, and also handles the certificates and cryptographic key exchange to establish a TLS encrypted IP connection in both directions.

Google's security team earlier this month disclosed details of the POODLE bug after discovering that known biases in the encryption in SSL 3.0 allowed an attacker to calculate the plaintext of secure connections.

Despite being succeeded by multiple versions of TLS, SSL 3.0 remained supported by most browsers as a fallback protocol when a snag was hit while attempting to connect to HTTPS servers. While it was only a fallback protocol, as Google researchers noted, a network attacker can cause connection failures and therefore trigger the use of SSL 3.0 to exploit the weakness.

To mitigate the issue, a provider like Apple would need to disable SSL 3.0 support in Safari and its own servers, but as Google noted at the time, doing so presents "significant compatibility problems". Hence, Google opted to use a workaround for Chrome and its servers that prevented attackers from inducing browsers to use SSL 3.0 and prevented downgrades from TLS 1.2 to 1.1 or 1.0.
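The fallback behaviour and the two mitigations described above (refusing flagged downgrades, and removing SSL 3.0 from the server as Apple is doing for APNs) can be seen in a small model. This is an added example, not code from Apple or Google; the class, function and flag names are hypothetical and the "fallback flag" is a stand-in for the workaround, not its wire format.

```python
# Toy model (constructed for illustration, not real TLS messages) of client
# version fallback and a server-side downgrade-prevention check.
VERSIONS = ["SSL 3.0", "TLS 1.0", "TLS 1.1", "TLS 1.2"]  # oldest to newest
rank = VERSIONS.index


class Server:
    def __init__(self, supported, checks_fallback_flag=False):
        self.supported = supported
        self.checks_fallback_flag = checks_fallback_flag

    def hello(self, offered_max, fallback_flag):
        """Return the negotiated version or raise ConnectionError."""
        best = max(self.supported, key=rank)
        # A flagged retry offering less than the server's best means an
        # earlier, better handshake was lost: refuse rather than downgrade.
        if self.checks_fallback_flag and fallback_flag and rank(offered_max) < rank(best):
            raise ConnectionError("inappropriate fallback")
        common = [v for v in self.supported if rank(v) <= rank(offered_max)]
        if not common:
            raise ConnectionError("no common protocol version")
        return max(common, key=rank)


def connect(client_versions, server, dropped=(), flag_retries=False):
    """Try the newest version first and retry one lower after each failure.

    `dropped` lists the versions whose handshakes fail in transit, which is
    how the fallback gets triggered on a hostile network.
    """
    ordered = sorted(client_versions, key=rank, reverse=True)
    for attempt, version in enumerate(ordered):
        if version in dropped:
            continue  # handshake never completed; client falls back
        try:
            return server.hello(version, flag_retries and attempt > 0)
        except ConnectionError:
            continue
    return None  # no connection at all


ALL = list(VERSIONS)
TLS_ONLY = VERSIONS[1:]  # server with SSL 3.0 removed
FORCED = ("TLS 1.2", "TLS 1.1", "TLS 1.0")  # every TLS handshake fails

if __name__ == "__main__":
    print(connect(ALL, Server(ALL)))                      # normal network
    print(connect(ALL, Server(ALL), dropped=FORCED))      # falls back to SSL 3.0
    print(connect(ALL, Server(ALL, True), FORCED, True))  # refused, no downgrade
    print(connect(["SSL 3.0"], Server(TLS_ONLY)))         # SSL 3.0-only provider
    print(connect(ALL, Server(TLS_ONLY)))                 # provider with TLS
```

The last two calls mirror Apple's notice: a provider that speaks only SSL 3.0 gets no connection once the server drops it, while one that also supports TLS is unaffected.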

To prepare developers for the move, Apple said it has disabled SSL 3.0 on the Provider Communication interface in the development environment.

"Developers can immediately test in this development environment to make sure push notifications can be sent to applications."
