SSL 3.0 obsolete ...


2 replies to this topic

#1 AplusWebMaster

  • SWI Friend
  • 11,104 posts

Posted 23 October 2014 - 10:24 AM

FYI...

- http://windowssecret...poodle-attacks/
Oct 23, 2014 - "The following changes force your browser to not use SSL 3.0. Here’s what to adjust in the top three browsers...

 

Chrome: In Google’s browser, edit the shortcut that launches the browser, adding a flag to the end of the Shortcut path. Start by selecting the icon normally used to launch Chrome. Right-click the icon and select Properties. Under the Shortcut tab, find the box labeled “Target” and insert --ssl-version-min=tls1 immediately after chrome.exe" (see Figure 1). It should look something like this (note the space between .exe" and --ssl-):
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1
Figure 1: http://windowssecret...3-TS-Chrome.png

 

... in the Oct. 14 Mozilla blog post*, Firefox 34, due to be released on Nov. 25, will disable SSL 3.0 support. In the meantime, Mozilla recommends installing the add-on (download site**), “SSL Version Control 0.2” (see Figure 2), which will let you control SSL support within the browser. (Some websites have recommended adjusting Firefox settings in the configuration file, but Mozilla recommends using the add-on instead.)..."
* https://blog.mozilla...end-of-ssl-3-0/

** https://addons.mozil...ersion-control/

Figure 2: http://windowssecret...41023-TS-FF.png

 

... Internet Explorer: In IE, click the gear (settings) icon, open Internet options, and then select the Advanced tab. Scroll down the Settings list to the Security category, and then look for Use SSL 3.0. Uncheck the box (see Figure 3), click OK, and then relaunch IE... Microsoft released an initial security advisory on this topic; expect to see additional guidance in the near future...

Figure 3: http://windowssecret...41023-TS-IE.png

 

... How to test your browser’s TLS/SSL protection:
Several websites test whether your currently open browser supports SSL 3.0. For a simple test, Poodletest.com displays a poodle dog if your browser still supports SSL 3.0, and a Springfield terrier if it doesn’t. On the other hand, Qualys SSL Labs (site***) provides a more detailed analysis of the SSL protocols your browser supports.
As noted above, some business sites such as online -banking- might still need SSL 3.0. Again, I recommend leaving SSL 3.0 support on -one- browser; it’ll be faster and safer than repeatedly adjusting browser settings. If you’re running a Web server or small-business server, you should -disable- SSL 3.0 support to better protect connected workstations and Internet-based phones...  there’s a silver lining to this latest security mess — it should now force everyone on the Internet to finally abandon a dated, insecure protocol."
*** https://www.ssllabs....ewMyClient.html
"Your user agent is not vulnerable..." < What you want to see after the new Firefox extension is installed.
___

- https://web.nvd.nist...d=CVE-2014-3513 - 7.1 (HIGH)
Last revised: 10/22/2014
- https://web.nvd.nist...d=CVE-2014-3567 - 7.1 (HIGH)
Last revised: 10/31/2014
- https://web.nvd.nist...d=CVE-2014-3568 - 4.3
Last revised: 10/31/2014
 



Edited by AplusWebMaster, 03 November 2014 - 01:48 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.
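Added example (not from the quoted article or from either poster): a small Python check for the Chrome step in the post above. It classifies a shortcut Target string and catches the usual paste errors, including the typographic dash and curly quotes that web pages often substitute for the two ASCII hyphens and straight quotes. The finding names, the sample strings and the list of accepted flag values are assumptions of this example.

```python
import re

# Values assumed valid for the flag in 2014-era Chrome (assumption of this example).
KNOWN_VALUES = ("ssl3", "tls1", "tls1.1", "tls1.2")

# The flag name, whatever run of hyphens or en/em dashes precedes it, and any
# non-space text glued to its left.
FLAG_RE = re.compile(
    r'(?P<glued>\S*?)(?P<dash>[-\u2013\u2014]+)ssl-version-min='
    r'(?P<value>[^\s"\u201c\u201d]*)'
)

def audit_target(target):
    """Return one finding (hypothetical category names) for a shortcut Target."""
    m = FLAG_RE.search(target)
    if m is None:
        return "missing"
    if m.group("dash") != "--":
        return "bad-dash"        # e.g. a pasted en dash: not the documented flag
    if target.count('"', 0, m.start("dash")) % 2 == 1:
        return "inside-quotes"   # flag ended up inside the quoted chrome.exe path
    if m.group("glued"):
        return "no-space"        # nothing separates chrome.exe" from the flag
    value = m.group("value").lower()
    if value not in KNOWN_VALUES:
        return "unknown-value"
    return "allows-ssl3" if value == "ssl3" else "ok"

# Constructed sample Target strings, one per failure mode.
EXE = r'C:\Program Files (x86)\Google\Chrome\Application\chrome.exe'
SAMPLES = {
    "correct":       f'"{EXE}" --ssl-version-min=tls1',
    "pasted":        f'\u201c{EXE}\u201d \u2013ssl-version-min=tls1',
    "no-space":      f'"{EXE}"--ssl-version-min=tls1',
    "inside-quotes": f'"{EXE} --ssl-version-min=tls1"',
    "unchanged":     f'"{EXE}"',
    "still-ssl3":    f'"{EXE}" --ssl-version-min=ssl3',
}

if __name__ == "__main__":
    for name, target in SAMPLES.items():
        print(f"{name:14} {audit_target(target)}")
```

Only the "ok" result means the Target line matches the form given in the article.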

#2 Dragonslore


    Advanced Member

  • Helper Trainee
  • 230 posts

Posted 24 October 2014 - 08:37 AM

Don't forget to disable SSL 3.0 in Java

 

Control Panel > select Java Applet, wait for it to open > Select the Advanced tab

Scroll down to "Advanced Security Settings" and Uncheck "Use SSL 3.0"




- Excuse the Writing, I've Got a Dyslexic Keyboard

#3 AplusWebMaster


  • SWI Friend
  • 11,104 posts

Posted 31 October 2014 - 09:08 PM

FYI...

Chrome 40 to terminate use of SSL ...
- http://www.theregist...ts_down_poodle/
31 Oct 2014 - "... Update 40* will remove SSLv3 and the hard-to-exploit cookie-stealing Padding Oracle on Downgraded Legacy Encryption (POODLE) attack. Cupertino followed -Redmond- in its browser POODLE put-down after a single click FixIt SSLv3 disabler was issued for Internet Explorer** ahead of removal in a few months. Google security engineer Adam Langley wrote in an update that some buggy servers may stop working as a result... -Chrome- 39 will show a yellow flag over the SSL lock icon, the protocol design flaw that allowed hackers to hijack victims' online accounts and which prompted tech companies to dump SSLv3 in upcoming releases such as -Mozilla's- Firefox 34***..."
* https://groups.googl...dev/Vnhy9aKM_l4

** https://support.micr...9008#FixItForMe

*** https://blog.mozilla...end-of-ssl-3-0/
 


