Apple stops using unsafe SSL 3.0 for push notifications

Apple is ending support for ssl 3.0 for push notifications, the outdated version of ssl that Google researchers recently found a vulnerability in. Twitter also recently announced that it is phasing out support for SSL 3.0.

App developers who send push notifications to the Apple servers must therefore ensure that those servers support tls. App developers who do not make their servers suitable will no longer be able to send push notifications to iOS and OS X devices from October 29, Apple warns.

Developers who want to send push notifications to iOS users can’t do that directly: developers send their messages to an Apple server, which in turn pushes it to a user’s phone, tablet or PC. It concerns the notifications that users see in the lockscreen and notification center.

Apple only explicitly states that the connection between the app developer’s server and the Apple server no longer supports ssl 3.0; it is unknown about the connection between the user and the Apple notification server. It is likely that that connection will no longer have support for ssl 3.0.

Last week, Google researchers found a serious vulnerability in SSL 3.0. For example, an attacker who can intercept someone’s traffic can intercept cookies sent over https. SSL 3.0 is very outdated, but is often still supported for legacy reasons. In the meantime, web browsers are in the process of phasing out support.

Twitter also recently removed support for SSL 3.0, which is especially problematic for users of old browsers such as Internet Explorer 6. A University of Michigan survey of the largest websites, according to Alexa, showed that on October 12, 96.9 percent of which websites had support for ssl 3.0. That’s probably less now; unknown how much.