Google on Monday announced that Gmail will no longer support SSLv3 and RC4 connections from IMAP/POP mail clients after June 16, 2016.
The announcement follows last month’s news that Gmail SMTP will drop SSLv3 and RC4 support on June 16, 2016. However, the change will be rolled out gradually for Gmail IMAP/POP, and it could take as long as 30 days for some users to be fully restricted from accessing Gmail via connections that still rely on SSLv3 or RC4.
Since last year, the company has been working on deprecating SSLv3 and RC4 in its products, mainly because of their obsolete status. SSLv3, which was defined in 1996, was deemed insecure in 2014 because of the POODLE attack, which affects all block ciphers in SSL and, researchers believe, impacts TLS too. RC4, which has been around since 1987, is still widely used in TLS connections, but attacks against it are becoming more practical and feasible than ever.
According to Google, all those relying on Gmail IMAP/POP should move away from SSLv3 and RC4 as soon as possible to ensure that they won’t experience disruption. Most email clients already favor modern TLS connections over outdated ones, meaning that most users won’t be impacted by the change, Google says.
The effect of the newly announced change is that, after June 16, IMAP and POP clients using the outdated SSLv3 or RC4 will gradually no longer be able to connect to Google’s mail servers. In the long run, Google is planning on deprecating SSLv3 and RC4 across all of its products. The company encourages admins to proactively update to TLS clients “as a best practice.”
Google says that most Google Apps customers have already stopped using IMAP or POP clients that connect to mail servers using SSLv3 and RC4. Admins with mail clients that only support SSLv3 and RC4 are encouraged to update them, because users may see connection errors when attempting to connect to Gmail from mail clients still using the two standards.
Earlier this year, researchers revealed DROWN, another vulnerability that affects SSL and TLS services, including HTTPS. Although only 5% of the affected cloud services patched the flaw within the first week after it was disclosed, DROWN wasn’t seen as a highly impactful issue, mainly because exploiting it is non-trivial or impossible.
RC4 became highly popular mainly because of its simplicity, as F5 Networks evangelist David Holmes noted in a SecurityWeek column in November. It is being deprecated by other tech companies as well, including Mozilla in its Firefox browser.