Google to shutter SSLv3, RC4 from SMTP servers, Gmail

Google Apps customers who still rely on SSLv3 or RC4 need to update to TLS or face the prospect of no longer being able to send out mail

Mark your calendars: Google will disable support for the RC4 stream cipher and the SSLv3 protocol on its SMTP servers and Gmail servers on June 16.

After the deadline, Google's SMTP servers will no longer exchange mail with servers sending messages via SSLv3 and RC4. Users still using older and insecure mail clients won't be able to send mail using Google's SMTP servers after that date.

Most Google Apps organizations have already stopped using RC4 or SSLv3, but those on older systems have a month to update to modern Transport Layer Security configurations. However, there are plenty of systems still using SSLv3, including inbound/outbound gateways, third-party emailers, and systems using SMTP relay. Administrators should consider fully transitioning to newer standards as soon as possible.
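One way to find the gateways, third-party emailers and relays described above before the deadline, shown as an added example that is not from the article or from Google: scan a mail server's TLS session log for peers that negotiated SSLv3 or an RC4 cipher suite. It assumes a Postfix server logging with `smtp_tls_loglevel = 1` and `smtpd_tls_loglevel = 1`; the log lines, hostnames and addresses are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format Postfix writes at TLS log level 1
# (hostnames and addresses are placeholders, not real systems).
SAMPLE_LOG = """\
May 17 09:12:01 mx1 postfix/smtp[2101]: Trusted TLS connection established to aspmx.example.net[192.0.2.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 17 09:12:07 mx1 postfix/smtpd[2110]: Anonymous TLS connection established from gateway.example.org[198.51.100.7]: SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits)
May 17 09:13:44 mx1 postfix/smtpd[2112]: Anonymous TLS connection established from mailer.example.com[203.0.113.5]: TLSv1 with cipher RC4-SHA (128/128 bits)
May 17 09:14:02 mx1 postfix/smtpd[2112]: Anonymous TLS connection established from mailer.example.com[203.0.113.5]: TLSv1 with cipher RC4-SHA (128/128 bits)
May 17 09:15:30 mx1 postfix/smtp[2120]: Untrusted TLS connection established to relay.example.net[192.0.2.44]:25: TLSv1 with cipher AES128-SHA (128/128 bits)
"""

# Matches both outbound ("to", postfix/smtp) and inbound ("from", postfix/smtpd) sessions.
TLS_LINE = re.compile(
    r"postfix/(?P<svc>smtpd?)\[\d+\]: \w+ TLS connection established "
    r"(?P<dir>to|from) (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

def weaknesses(proto, cipher):
    """Return which of the two retired features (SSLv3, RC4) a session used."""
    reasons = []
    if proto == "SSLv3":
        reasons.append("SSLv3")
    if "RC4" in cipher.split("-"):  # e.g. RC4-SHA, ECDHE-RSA-RC4-SHA
        reasons.append("RC4")
    return reasons

def audit(log_text):
    """Map (direction, host, ip) of each flagged peer to its reasons and session count."""
    flagged = defaultdict(lambda: {"reasons": set(), "sessions": 0})
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue
        reasons = weaknesses(m["proto"], m["cipher"])
        if reasons:
            entry = flagged[(m["dir"], m["host"], m["ip"])]
            entry["reasons"].update(reasons)
            entry["sessions"] += 1
    return dict(flagged)

if __name__ == "__main__":
    for (direction, host, ip), info in sorted(audit(SAMPLE_LOG).items()):
        print(direction, host, ip, sorted(info["reasons"]), info["sessions"])
```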

"SSLv3 has been obsolete for over 16 years and is so full of known problems that the Internet Engineering Task Force [IETF] has decided that it must no longer be used. RC4 is a 28-year-old cipher that has done remarkably well, but is now the subject of multiple attacks at security conferences. The IETF has decided that RC4 also warrants a statement that it too must no longer be used," Adam Langley, a security engineer at Google, said last fall as part of the initial announcement.

Weaknesses in the widely used RC4 cipher are well known. Researchers have demonstrated over the years that faster computers with more processing power have made attacks against the RC4 cipher more practical and feasible than ever. While there aren't any publicly known feasible attacks against RC4, Microsoft, Mozilla, and Google have already taken steps to remove the cipher from their browsers.

TLS typically tries to negotiate a handshake using a strong cipher, but if the client trying to connect is using a weaker protocol, TLS will fall back to less robust alternatives. Back when browsers still supported RC4, they used the weak cipher when falling back from TLS 1.2/1.1 to TLS 1.0. Browsers now fail the connection entirely. The same will happen for the mail servers next month.

Secure Sockets Layer 3.0, defined in 1996, has been considered obsolete, and organizations have been encouraged to transition to the more secure Transport Layer Security (TLS) protocol. Researchers found that the POODLE attack affects all block ciphers in SSL, which means SSLv3 was also affected. According to SSL Pulse, nearly 3 percent of sites are still vulnerable to, and exploitable by, the POODLE attack.

If the prospect of no longer being able to send mail isn't dire enough to prompt an update, consider that moving from SSL to TLS (preferably TLS 1.2 or later) means also upgrading to the SHA-2 hashing algorithm at the same time. Google will begin blocking sites and applications using SHA-1 certificates as of Jan. 1, 2017, so the TLS transition actually takes care of removing two obsolete technologies at once.
