Oct 18, 2014 (Moderator)
Protecting Your Browser Against The HTTPS SSL Flaw
Google just recently revealed a flaw in SSL 3.0, which is used in HTTPS to secure web connections. The SSL protocol is now 18 years old and has been superseded by the more secure TLS (Transport Layer Security). However, some browsers still support SSL 3.0 connections, which are now vulnerable to possible MITM (man-in-the-middle) attacks that could be used to decrypt web traffic sent over HTTPS connections.
Current browsers will likely be upgraded to protect against this SSL flaw, if they have not been already. But Google has also recommended that web servers be patched to prevent POODLE, an on-the-fly attack that manipulates a TLS connection into falling back to the vulnerable SSL 3.0.
- Test if your current browser is vulnerable to the SSL 3.0 flaw: SSL/TLS Capabilities of Your Browser
You can read more about the SSL 3.0 vulnerability in this ZDNet article: Google reveals major flaw in outdated, but widely-used SSL protocol.
Here's how to set your browser to use only TLS for HTTPS connections. You should re-test your browser using the above link after making the changes:
For Internet Explorer (IE):
Click on the Tools icon, and select "Internet Options".
Click on the "Advanced" tab, and scroll down in "Settings". Uncheck the option "Use SSL 3.0" and click the "OK" button.
For Firefox:
Firefox no longer offers the option to disable SSL 3.0 in its settings, but it can easily be configured manually:
In Firefox, type or copy and paste about:config in the address bar and hit ENTER. Click the "I'll be careful, I promise!" button.
Type or copy and paste security.tls.version.min in Search:, which should display that preference. Note that the default value for "security.tls.version.min" is "0", which allows SSL 3.0 as the minimum protocol for HTTPS connections. You need to change this value to allow only the more secure TLS connections.
Double-click directly on the preference "security.tls.version.min". Alternatively, right-click on the same line, and from the drop-down menu select "Modify".
In the "Enter integer value" popup, type 1 and click the "OK" button. The value of "security.tls.version.min" should now read 1, which instructs Firefox to allow only TLS for HTTPS connections. Finally, close and restart Firefox.
For Chrome:
At present, you can't configure Chrome to disable SSL 3.0 in its settings. But you can force Chrome to use TLS by adding a command-line switch to its shortcut.
Right-click on Chrome's desktop shortcut, and select "Properties".
In the "Shortcut" tab, under "Target:", add --ssl-version-min=tls1 after Chrome's install location, separated by a space, such as:
- "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1
Click the "OK" button. Now when you start Chrome from your desktop shortcut, it will be forced to use only TLS for HTTPS connections.
The possible downside is that some websites with outdated security may not connect. However, allowing HTTPS connections to sites still using SSL 3.0 could compromise browser security even on more secure TLS websites that have not yet been patched against exploits such as POODLE.
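To show what the server-side patch mentioned above actually checks, here is an added example (not from the original post) of a minimal ClientHello parser plus the two decisions a patched server makes: refuse SSL 3.0 outright, and refuse a signalled downgrade via the TLS_FALLBACK_SCSV cipher suite value (0x5600, RFC 7507), which browsers send when retrying at a lower protocol version. The sample ClientHello bytes are constructed inline; function and field names are this example's own.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling cipher suite value
VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def parse_client_hello(data):
    """Parse one ClientHello record; return the offered version and cipher suites."""
    if len(data) < 9 or data[0] != 0x16:
        raise ValueError("not a handshake record")
    if data[5] != 0x01:
        raise ValueError("not a ClientHello")
    pos = 9  # skip the 5-byte record header and 4-byte handshake header
    client_version = struct.unpack(">H", data[pos:pos + 2])[0]
    pos += 2 + 32                 # client_version + 32-byte random
    pos += 1 + data[pos]          # session_id length + session_id
    n = struct.unpack(">H", data[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", data[i:i + 2])[0] for i in range(pos, pos + n, 2)]
    return {"version": client_version, "suites": suites,
            "fallback_scsv": TLS_FALLBACK_SCSV in suites}

def server_decision(hello, server_max=0x0303, allow_sslv3=False):
    """The POODLE-era server checks: reject SSL 3.0 if it is disabled, and reject a
    signalled fallback whose version is below the best version we support."""
    if hello["version"] == 0x0300 and not allow_sslv3:
        return "reject: protocol_version (SSL 3.0 disabled)"
    if hello["fallback_scsv"] and hello["version"] < server_max:
        return "reject: inappropriate_fallback"
    return "accept: " + VERSION_NAMES.get(hello["version"], hex(hello["version"]))

def build_client_hello(version, suites):
    """Constructed sample ClientHello (no extensions) used to exercise the parser."""
    body = struct.pack(">H", version) + b"\x00" * 32 + b"\x00"   # version, random, empty session id
    body += struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                           # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type ClientHello
    return b"\x16" + struct.pack(">H", version) + struct.pack(">H", len(hs)) + hs

if __name__ == "__main__":
    # A browser retrying at SSL 3.0 after a forged TLS failure signals the fallback;
    # a patched server refuses it even if SSL 3.0 is still enabled.
    downgrade = build_client_hello(0x0300, [0x002F, TLS_FALLBACK_SCSV])
    normal = build_client_hello(0x0303, [0x002F])
    for h in (downgrade, normal):
        print(server_decision(parse_client_hello(h), allow_sslv3=True))
```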