
Protecting Your Browser Against The HTTPS SSL Flaw

1492
Moderator
Google just recently revealed a flaw in SSL 3.0, which is used in HTTPS to secure web connections. The SSL protocol is now 18 years old and has been superseded by the more secure TLS (Transport Layer Security). However, some browsers still support SSL 3.0 connections, which are now vulnerable to possible MITM (man-in-the-middle) attacks that could be used to decrypt web traffic over HTTPS connections.

Current browsers will likely be upgraded to protect against this SSL flaw, if they have not been already. But Google has also recommended that web servers be patched to prevent Poodle, an on-the-fly attack, from manipulating a TLS connection into falling back to the vulnerable SSL 3.0.

You can read more about the SSL 3.0 vulnerability in this ZDNet article: Google reveals major flaw in outdated, but widely-used SSL protocol.

Here's how to set your browser to use only TLS for HTTPS connections. You should re-test your browser using the above link after making the changes:



For Internet Explorer (IE):

    Click on the Tools icon and select "Internet Options".

    Click on the "Advanced" tab and scroll down through "Settings". Uncheck the option "Use SSL 3.0" and click the "OK" button.

For Firefox:

Firefox no longer offers the option to disable SSL 3.0 in its settings, but it can easily be configured manually:

    In Firefox, type or copy and paste about:config into the address bar and hit ENTER. Click the "I'll be careful, I promise!" button.

    Type or copy and paste security.tls.version.min into the Search: field, which should display the above preference. Note that the default value for "security.tls.version.min" is "0", which allows SSL 3.0 HTTPS connections at minimum. You need to change this value to allow only the more secure TLS connections.

    Double-click directly on the preference "security.tls.version.min". Alternatively, right-click on the same line and select "Modify" from the drop-down menu.

    In the "Enter integer value" popup, type 1 and click the "OK" button. The value of "security.tls.version.min" should now be 1, which instructs Firefox to allow only TLS HTTPS connections. Finally, close and restart Firefox.

For Chrome:

At present, you can't configure Chrome to disable SSL 3.0 in its settings. But you can force Chrome to use TLS using a shortcut.

    Right-click on Chrome's desktop shortcut and select "Properties".

    In the "Shortcut" tab, under "Target:", type or copy and paste --ssl-version-min=tls1 after Chrome's install location, leaving a space between them, such as:

      "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1


    Click the "OK" button. Now when you start Chrome using your desktop shortcut, it should be forced to use only TLS HTTPS connections.

The possible downside is that some websites with outdated security may not connect. However, allowing HTTPS connections to sites still using SSL 3.0 could compromise browser security on more secure TLS websites which have not yet been patched for exploits such as Poodle.
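
As an added example (not part of the original post), here is a small Python model of the downgrade that Poodle relies on and of the two defences the post mentions: the browser-side minimum version (security.tls.version.min in Firefox, --ssl-version-min in Chrome) and the server-side patch, which in Google's advisory is support for the TLS_FALLBACK_SCSV signalling cipher suite (RFC 7507). The Server, Network and connect() pieces are stand-ins written for this illustration, not browser or library code, and the version numbering follows the Firefox convention from the steps above (0 = SSL 3.0, 1 = TLS 1.0).

```python
"""Model of the POODLE downgrade dance and of the two fixes discussed above.

Versions are numbered the way Firefox's security.tls.version.min does
(0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2). Server, Network and the
browser logic in connect() are simplified stand-ins, not a real TLS stack.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

SSL3, TLS10, TLS11, TLS12 = 0, 1, 2, 3
NAMES = {SSL3: "SSL 3.0", TLS10: "TLS 1.0", TLS11: "TLS 1.1", TLS12: "TLS 1.2"}


@dataclass
class Server:
    max_version: int = TLS12
    min_version: int = SSL3
    # "Patched" in the sense of Google's advisory: honours TLS_FALLBACK_SCSV (RFC 7507).
    supports_fallback_scsv: bool = False

    def hello(self, client_max: int, fallback_scsv: bool) -> Tuple[str, object]:
        chosen = min(self.max_version, client_max)
        if chosen < self.min_version:
            return ("alert", "protocol_version")
        # The SCSV tells the server "this is a retry at a lower version". A patched
        # server that could have spoken something higher refuses instead of complying.
        if fallback_scsv and self.supports_fallback_scsv and client_max < self.max_version:
            return ("alert", "inappropriate_fallback")
        return ("server_hello", chosen)


@dataclass
class Network:
    """Attacker in the middle: silently drop every handshake above the target version."""
    mitm_target: Optional[int] = None

    def deliver(self, server: Server, client_max: int, fallback_scsv: bool):
        if self.mitm_target is not None and client_max > self.mitm_target:
            return ("dropped", None)  # the browser just sees a failed connection
        return server.hello(client_max, fallback_scsv)


def connect(client_min: int, client_max: int, server: Server, network: Network,
            send_scsv: bool = False) -> str:
    """Browser-style negotiation: retry one version lower after each dropped attempt,
    never going below client_min. Returns the negotiated version or a failure reason."""
    attempt = client_max
    while attempt >= client_min:
        is_fallback = attempt < client_max
        kind, value = network.deliver(server, attempt, send_scsv and is_fallback)
        if kind == "server_hello":
            if value < client_min:
                return "failed: protocol_version"  # server offered less than we allow
            return NAMES[value]
        if kind == "alert":
            return "failed: %s" % value
        attempt -= 1
    return "failed: no acceptable version"


if __name__ == "__main__":
    mitm = Network(mitm_target=SSL3)
    # Default browser of the day (minimum SSL 3.0) against an unpatched server: downgraded.
    print("unpatched client + server, MITM:", connect(SSL3, TLS12, Server(), mitm))
    # Same attack after setting security.tls.version.min = 1 (the post's fix).
    print("client min TLS 1.0, MITM:        ", connect(TLS10, TLS12, Server(), mitm))
    # Server-side fix: client signals the fallback, patched server refuses it.
    print("SCSV + patched server, MITM:     ",
          connect(SSL3, TLS12, Server(supports_fallback_scsv=True), mitm, send_scsv=True))
    # The downside the post mentions: a TLS-only client meets an SSL 3.0-only server.
    print("client min TLS 1.0, SSL3 server: ",
          connect(TLS10, TLS12, Server(max_version=SSL3), Network()))
```

Run as is, the first scenario ends on SSL 3.0, the second fails to connect rather than downgrade, the third is cut off by the patched server's inappropriate_fallback alert, and the last is the "may not connect" downside: a client that insists on TLS gets a protocol_version failure from an SSL 3.0-only server, the kind of failure Chrome reports as ERR_SSL_VERSION_OR_CIPHER_MISMATCH.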




31 REPLIES

1492
Moderator
Android Users? Make sure to disable SSL 3 in Firefox. One of the few mobile browsers that allows the user to do so.

I just used the same method posted, by going into about:config in Firefox Browser for Android. But you can also do so by using the extension mentioned by Bill.Satellite.

1492
Moderator
wintersun wrote:


Evidently what was not noticed was that the announcements regarding the vulnerability also stated that SSL 3.0 was used by 0.3% of Firefox HTTPS connections. The reason why it is such a low number is that most people have newer computers running newer versions of Firefox and IE.

The real issue was that the current version of Firefox, and most other major browsers, still supported SSL 3 connections. This made them vulnerable to Poodle-type attacks on malicious websites, which attempted to force the browser to fall back to SSL 3, even though it currently supported the stronger TLS.

So the 0.3% of Firefox connections using SSL 3 is moot, as this likely refers to legitimate usage. But still allowing Firefox, and other browsers, to fall back to SSL 3 as an option left them vulnerable to attack by hacker websites. Hence the need to disable SSL 3 support regardless, as a precaution.

The SSL 3 connection option can be disabled either on the server or client side, or other measures can be implemented on the network side to mitigate the vulnerability issues, such as in an enterprise environment.

wintersun
Explorer II
We have an online e-store and payments are processed by Cybersource for Bank of America. Because of the SSL 3.0 vulnerability they decided to disable support for this connection at their server which processes millions of transactions every day.

There have been no problems from people saying they could not get transactions completed or error messages on the users' browsers.

Evidently what was not noticed was that the announcements regarding the vulnerability also stated that SSL 3.0 was used by 0.3% of Firefox HTTPS connections. The reason why it is such a low number is that most people have newer computers running newer versions of Firefox and IE.

Chrome is the most vulnerable by far of any of the browsers. I tried it for a week and had so many problems with malware that I removed it from all my computers.

BarneyS
Explorer III
Bill.Satellite wrote:
My up-to-date Firefox browser showed that I was vulnerable so I am not sure you have that information correct. The add-on I mentioned solved that problem.

Thank you Bill for providing that add-on link. It fixed my Firefox issue under Ubuntu. 🙂
Barney
2004 Sunnybrook Titan 30FKS TT
Hensley "Arrow" 1400# hitch (Sold)
Not towing now.
Former tow vehicles were 2016 Ram 2500 CTD, 2002 Ford F250, 7.3 PSD, 1997 Ram 2500 5.9 gas engine

bwanshoom
Explorer
bcsdguy wrote:
1492 wrote:
All of my browsers indicated they were configured to accept an SSL 3.0 connection, including IE 11, Firefox 33, and Chrome 38, which makes them potentially vulnerable. They're now configured to use only TLS for HTTPS connections.


What about chromebooks? Are they in need of reconfiguration?

Right from the original post:
2010 Cougar 322 QBS
2008 Chevy Silverado 2500HD LMM CC/SB 4x4 LTZ
Pullrite SuperGlide 18K

bcsdguy
Explorer
1492 wrote:
All of my browsers indicated they were configured to accept an SSL 3.0 connection, including IE 11, Firefox 33, and Chrome 38, which makes them potentially vulnerable. They're now configured to use only TLS for HTTPS connections.


What about chromebooks? Are they in need of reconfiguration?
No person is completely worthless ... one can always serve as a bad example.

1492
Moderator
All of my browsers indicated they were configured to accept an SSL 3.0 connection, including IE 11, Firefox 33, and Chrome 38, which makes them potentially vulnerable. They're now configured to use only TLS for HTTPS connections.

Bill_Satellite
Explorer II
My up-to-date Firefox browser showed that I was vulnerable so I am not sure you have that information correct. The add-on I mentioned solved that problem.
What I post is my 2 cents and nothing more. Please don't read anything into my post that's not there. If you disagree, that's OK.
Can't we all just get along?

wintersun
Explorer II
It applies to users of Internet Explorer version 6 which was introduced in 2001. I doubt anyone on this forum has a 13 year old computer.

1492
Moderator
Looks as if the Dometic site supports TLS, but only the outdated 1.0. Apparently, they also still support SSL 3 and SSL 2. :E

bwanshoom
Explorer
dometic.com does *very* poorly on the Qualys test. While they support TLS 1.0 (and nothing higher, which is pathetic), they also support SSL 2.0. This indicates they either don't take security seriously or they don't know what they're doing.
2010 Cougar 322 QBS
2008 Chevy Silverado 2500HD LMM CC/SB 4x4 LTZ
Pullrite SuperGlide 18K

Chris_Bryant
Explorer
1492 wrote:
The Dometic public-facing site appears fine. I wonder if it was just a handshake issue? You can run a server test on that site to see what TLS/SSL is supported here.


It gets an "F" 🙂
https://www.ssllabs.com/ssltest/analyze.html?d=edometic.com

There really isn't anything that I do that requires encryption there, but still...
-- Chris Bryant

1492
Moderator
The Dometic public-facing site appears fine. I wonder if it was just a handshake issue? You can run a server test on that site to see what TLS/SSL is supported here.
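
The server test referred to above was an online scanner. As an added example that is not part of this thread, the Python script below performs the most basic form of that check from your own machine: it sends a bare ClientHello announcing one protocol version and reports whether the server answers with a ServerHello (the version is accepted) or an alert (refused). It works at the byte level because current OpenSSL builds, and therefore Python's ssl module, no longer speak SSL 3.0 at all. The record and handshake layouts follow RFC 6101 (SSL 3.0) and RFC 5246 (TLS 1.2), which agree on everything used here; the hostname comes from the command line, and the response bytes used in its checks are constructed by hand.

```python
"""Ask a server directly whether it still accepts a legacy protocol version.

Sends one minimal ClientHello for the requested version and classifies the first
record that comes back. Only a ServerHello proves the version is accepted; an
alert may also mean the server wanted SNI or a cipher suite we did not offer.
"""
import os
import socket
import struct
import sys

VERSIONS = {"SSL 3.0": 0x0300, "TLS 1.0": 0x0301, "TLS 1.1": 0x0302, "TLS 1.2": 0x0303}
NAMES = {v: k for k, v in VERSIONS.items()}
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}

# CBC suites that any SSL 3.0-era server offered; POODLE targets exactly this family.
LEGACY_SUITES = (0x002F, 0x0035, 0x000A)  # AES128-SHA, AES256-SHA, DES-CBC3-SHA


def build_client_hello(version, suites=LEGACY_SUITES, client_random=None):
    """Return a handshake record (type 0x16) carrying a minimal ClientHello for `version`."""
    client_random = client_random if client_random is not None else os.urandom(32)
    body = struct.pack("!H", version) + client_random
    body += b"\x00"                                           # empty session id
    body += struct.pack("!H", 2 * len(suites))                # cipher suite list length
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                       # compression methods: null only
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 3-byte length
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first record as ('server_hello', version), ('alert', code) or other."""
    if len(data) < 5:
        return ("no_response", None)
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:                     # alert: level, description
        return ("alert", data[6])
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:  # handshake, ServerHello
        return ("server_hello", struct.unpack("!H", data[9:11])[0])  # server_version field
    return ("unexpected", content_type)


def describe(data):
    """Human-readable verdict for one server response."""
    kind, value = parse_server_response(data)
    if kind == "server_hello":
        return "accepted, negotiated " + NAMES.get(value, hex(value))
    if kind == "alert":
        return "refused (alert %s)" % ALERTS.get(value, value)
    return "refused (%s)" % kind


def probe(host, version_name="SSL 3.0", port=443, timeout=5.0):
    """Connect to host:port, send the legacy hello and describe the answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(VERSIONS[version_name]))
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""   # some servers just hang up on versions they dislike
    return describe(data)


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: %s <hostname>" % sys.argv[0])
    for name in VERSIONS:
        print("%-8s %s" % (name, probe(sys.argv[1], name)))
```

A server that prints "accepted" for SSL 3.0 is the case the original post is about; one that refuses SSL 3.0 but accepts only TLS 1.0 matches what the scanner reported for the Dometic site. Treat a refusal as inconclusive unless the alert is protocol_version, since a handshake_failure can come from a server that simply needed SNI or a cipher suite this minimal hello does not offer.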

Chris_Bryant
Explorer
1492 wrote:

The possible downside is that some websites with outdated security may not connect. However, allowing HTTPS connections to sites still using SSL 3.0 could compromise browser security on more secure TLS websites, which have not yet been patched for exploits such as Poodle?


Just ran into that on the Dometic B2B ecomm site; it cannot connect and gives
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
-- Chris Bryant