Apple dumps SSL 3.0 for push notifications after POODLE

Apple will stop supporting the vulnerable SSL 3.0 encryption standard for its push notifications after the 'POODLE' flaw was discovered in the ageing protocol earlier this month.

Google researchers recently revealed they had found a hole in SSL 3.0 - dubbed 'POODLE' - which allowed attackers to break the 15-year old protocol's cryptographic security.

SSL 3.0 was until recently supported by nearly all web browsers, and operates as a fallback option when browsers attempt to work around bugs in HTTPS servers. 

But the Google team found that attackers could trigger the use of SSL 3.0 and exploit the newfound vulnerability by causing connection failures and forcing browsers to retry connections to older protocol versions.

Following the revelation, Google, Twitter, Mozilla and content delivery network and domain name server provider CloudFlare quickly announced they would disable SSL 3.0 by default.

Apple also last week issued a fix for POODLE in a bundle of patches for its OS X operating system.

Apple yesterday said it would similarly drop support for SSL 3.0 and move to the newer TLS (transport layer security) encryption standard for its push notifications service - which delivers remote notifications to iOS and OS X devices - from October 29.

The shift will only affect providers that don't yet support TLS, Apple said on its developer site.

"Providers using only SSL 3.0 will need to support TLS as soon as possible to ensure the Apple Push Notification service continues to perform as expected. Providers that support both TLS and SSL 3.0 will not be affected and require no changes."

Apple's push notifications service sends custom alerts and badges from app developers to Apple devices.