Google Apps customers who still rely on SSLv3 or RC4 need to update to TLS or face the prospect of no longer being able to send out mail.

Mark your calendars: Google will disable support for the RC4 stream cipher and the SSLv3 protocol on its SMTP servers and Gmail servers on June 16.

After the deadline, Google’s SMTP servers will no longer exchange mail with servers sending messages via SSLv3 and RC4. Users still using older and insecure mail clients won’t be able to send mail using Google’s SMTP servers after that date.

Most Google Apps organizations have already stopped using RC4 or SSLv3, but those on older systems have a month to update to modern Transport Layer Security configurations. However, there are plenty of systems still using SSLv3, including inbound/outbound gateways, third-party emailers, and systems using SMTP relay. Administrators should consider fully transitioning to newer standards as soon as possible.

“SSLv3 has been obsolete for over 16 years and is so full of known problems that the Internet Engineering Task Force [IETF] has decided that it must no longer be used. RC4 is a 28-year-old cipher that has done remarkably well, but is now the subject of multiple attacks at security conferences. The IETF has decided that RC4 also warrants a statement that it too must no longer be used,” Adam Langley, a security engineer at Google, said last fall as part of the initial announcement.

Weaknesses in the widely used RC4 cipher are well known. Researchers have demonstrated over the years that faster computers with more processing power have made attacks against the RC4 cipher more practical and feasible than ever. While there aren’t any publicly known feasible attacks against RC4, Microsoft, Mozilla, and Google have already taken steps to remove the cipher from their browsers.

TLS typically tries to negotiate a handshake using a strong cipher, but if the client trying to connect is using a weaker protocol, TLS will fall back to less robust alternatives.
Back when browsers still supported RC4, they used the weak cipher when falling back from TLS 1.2/1.1 to TLS 1.0. Browsers now fail the connection entirely. The same will happen for the mail servers next month.

Secure Sockets Layer 3.0, defined in 1996, is considered obsolete, and organizations are being encouraged to transition to the more secure Transport Layer Security (TLS) protocol. Researchers found that the POODLE attack affects all block ciphers in SSL, which means SSLv3 was also affected. According to SSL Pulse, nearly 3 percent of sites are still vulnerable to and exploitable by the POODLE attack.

If the prospect of no longer being able to send mail isn’t dire enough to prompt an update, consider that moving from SSL to TLS (preferably TLS 1.2 or later) means also upgrading to the SHA-2 hashing algorithm at the same time. Google will begin blocking sites and applications using SHA-1 certificates as of Jan. 1, 2017, so the TLS transition actually takes care of removing two obsolete technologies at once.
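
The gateways, third-party emailers and SMTP relays mentioned above can be found from mail logs before the cutoff. The following is an added example, not code from the article or from Google: it assumes a Postfix server that logs TLS sessions (smtp_tls_loglevel and smtpd_tls_loglevel set to 1), and the log lines, hostnames and function names are constructed for illustration.

```python
import re

# Constructed sample lines in the format Postfix writes at TLS log level 1.
SAMPLE_LOG = """\
May 17 09:12:01 mx1 postfix/smtp[2201]: Trusted TLS connection established to aspmx.example.net[203.0.113.10]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)
May 17 09:12:07 mx1 postfix/smtpd[2210]: Anonymous TLS connection established from scanner.example.org[198.51.100.7]: SSLv3 with cipher RC4-SHA (128/128 bits)
May 17 09:13:40 mx1 postfix/smtp[2231]: Untrusted TLS connection established to relay.example.com[192.0.2.25]:25: TLSv1 with cipher RC4-MD5 (128/128 bits)
May 17 09:14:02 mx1 postfix/smtpd[2240]: Anonymous TLS connection established from crm.example.org[198.51.100.9]: TLSv1 with cipher AES256-SHA (256/256 bits)
May 17 09:14:30 mx1 postfix/qmgr[911]: 4F2A1C0: removed
"""

# "to" lines come from the outbound client (smtp), "from" lines from the
# inbound server (smtpd); outbound lines carry a ":port" after the address.
TLS_LINE = re.compile(
    r"postfix/(?:\S+/)?smtpd?\[\d+\]: \w+ TLS connection established "
    r"(?P<dir>to|from) (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\](?::\d+)?: "
    r"(?P<proto>\S+) with cipher (?P<cipher>\S+)"
)

def weaknesses(proto, cipher):
    """Return the reasons a session would be refused after the cutoff."""
    reasons = []
    if proto == "SSLv3":
        reasons.append("protocol " + proto)
    if "RC4" in cipher.upper():
        reasons.append("cipher " + cipher)
    return reasons

def audit(log_text):
    """List every logged TLS session that used SSLv3 or an RC4 cipher."""
    findings = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue  # not a TLS session line
        reasons = weaknesses(m["proto"], m["cipher"])
        if reasons:
            findings.append({
                "direction": "outbound" if m["dir"] == "to" else "inbound",
                "host": m["host"],
                "ip": m["ip"],
                "reasons": reasons,
            })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f["direction"], f["host"], f["ip"], "; ".join(f["reasons"]))
```

Peers that show up in the output are the ones to upgrade or reconfigure; a TLS 1.0 session with a non-RC4 cipher, like the last sample peer, is not flagged.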