Microsoft plans to disable Secure Sockets Layer (SSL) 3.0 encryption support in its Azure Storage service next month.
Azure Storage won’t support the SSL 3.0 security protocol starting on Feb. 20, 2015, the company announced this week. If organizations still have browsers using that that protocol after February 20, then users could experience problems connecting to the Azure Storage service, according to the announcement:
Any client/browser that uses HTTPS to connect to Azure Storage and does not utilize TLS 1.0 or higher, which supersedes SSL 3.0, will be prevented from connecting to Azure Storage when SSL 3.0 is disabled. Clients/browsers currently using HTTP to connect to Azure Storage will not be affected.
The SSL 3.0 protocol, which is being replaced by the Transport Layer Security (TLS) protocol, is subject to a man-in-the-middle type of attack called “POODLE,” or “Padding Oracle on Downgraded Legacy Encryption.” It’s an unlikely kind of attack that depends on compelling the use the older SSL 3.0 protocol in order to carry out an attack that could lead to information disclosure. Nonetheless, Microsoft has taken active measures to remove SSL 3.0 support from its various products, including Internet Explorer, Windows Server, Azure services and Office 365 services.