POODLE – some tips for turning off SSL 3.0 in your browser

The cutely-named POODLE attack can allow a crook who is eavesdropping on your network to read even your HTTPS-encrypted traffic.

To do this, he needs to manipulate the packets you exchange while you are establishing an HTTPS connection.

Very casually speaking, he may be able to trick each end of the connection into thinking that the other end doesn’t support the latest and safest HTTPS protocols and thus to downgrade, or fall back, to an old HTTPS protocol called SSL 3.0.

Many browsers and servers still support SSL 3.0, even if they hardly ever use it, just in case it’s ever needed for legacy reasons.

Indeed, POODLE stands for Padding Oracle On Downgraded Legacy Encryption.

The problem is that SSL 3.0 contains a security flaw that may allow a crook to extract data, one byte at a time, from your encrypted sessions.

That doesn’t sound like much, does it?

But if the bytes he steals are a login session cookie, that’s probably all he needs to clone your session and get access to a site such as a social network under your name.

The thing is, you simply don’t need SSL 3.0: it’s as old as XP, and about as safe.

So, tell your browser not to support SSL 3.0 at all.

That way, even if you do suffer some sort of Downgraded Legacy Encryption attack, the attacker will never get your browser to fall back as far as SSL 3.0.

And no SSL 3.0 means no POODLE!
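Turning SSL 3.0 off in the browser is the client-side half of the fix; if you also run web servers, you will want to confirm that they refuse SSL 3.0 too. The script below is an added example (not code from the original article or from Sophos) that does the same thing a manual `openssl s_client -ssl3` check would: it sends a server a bare SSL 3.0 ClientHello, the record whose version bytes are 0x03 0x00 on the wire, and reports whether the server answers with a ServerHello selecting 3.0 (SSL 3.0 still enabled) or with an alert or a closed connection (SSL 3.0 refused). The function and constant names, the small set of cipher suites offered, and the host you point it at are all assumptions of this example. Run it only against servers you administer.

```python
import os
import socket
import struct

# Protocol versions as they appear on the wire (major, minor).
VERSION_NAMES = {
    b"\x03\x00": "SSL 3.0",
    b"\x03\x01": "TLS 1.0",
    b"\x03\x02": "TLS 1.1",
    b"\x03\x03": "TLS 1.2",
}

SSL3 = b"\x03\x00"
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02

# A few cipher suites that SSL 3.0 era servers commonly offered (assumed choice
# for this example); any one of them is enough to draw a ServerHello if SSL 3.0
# is still enabled.
SSL3_CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]


def build_ssl3_client_hello(client_random: bytes = b"") -> bytes:
    """Return one SSL 3.0 handshake record carrying a ClientHello.

    Both the record header and the ClientHello advertise version 3.0, so a
    server with SSL 3.0 disabled has nothing it can negotiate and must refuse.
    """
    client_random = client_random or os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be exactly 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in SSL3_CIPHER_SUITES)
    body = (
        SSL3                                        # client_version
        + client_random                             # 32 random bytes
        + b"\x00"                                   # session_id length: 0
        + struct.pack("!H", len(suites)) + suites   # cipher_suites
        + b"\x01\x00"                               # one compression method: null
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> dict:
    """Decode the first record a server sends back after the SSL 3.0 ClientHello.

    'ssl3_accepted' is True only when the server replies with a ServerHello
    whose server_version is 3.0; an alert, a foreign version or garbage all
    count as "not accepted".
    """
    if len(data) < 5:
        return {"kind": "unknown", "version": None, "ssl3_accepted": False}
    content_type = data[0]
    record_version = VERSION_NAMES.get(data[1:3], "0x" + data[1:3].hex())
    if content_type == CONTENT_ALERT and len(data) >= 7:
        level, description = data[5], data[6]   # e.g. (2, 70) = fatal protocol_version
        return {"kind": "alert", "version": record_version,
                "alert": (level, description), "ssl3_accepted": False}
    if content_type == CONTENT_HANDSHAKE and len(data) >= 11 and data[5] == HANDSHAKE_SERVER_HELLO:
        server_version = data[9:11]
        return {"kind": "server_hello",
                "version": VERSION_NAMES.get(server_version, "0x" + server_version.hex()),
                "ssl3_accepted": server_version == SSL3}
    return {"kind": "unknown", "version": record_version, "ssl3_accepted": False}


def probe_ssl3(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Send the SSL 3.0 ClientHello to a server you administer and classify the reply.

    Many modern servers simply drop the connection instead of sending an alert;
    that is reported as 'closed' and also means SSL 3.0 was not accepted.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_ssl3_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:
            reply = b""
    if not reply:
        return {"kind": "closed", "version": None, "ssl3_accepted": False}
    return classify_response(reply)


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 2:
        raise SystemExit("usage: ssl3check.py <hostname-you-administer>")
    print(probe_ssl3(sys.argv[1]))
```

A server that is safe from POODLE yields `ssl3_accepted: False` with either an alert (typically fatal `protocol_version` or `handshake_failure`) or a closed connection; a `server_hello` answer with version `SSL 3.0` means the legacy protocol is still switched on and a downgrade attack has somewhere to land.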

Internet Explorer

Go to the Tools option (click on the cog icon) and choose Internet options.

Go to the Advanced tab, where you will find a section entitled Security containing the configuration option you need.

Turn Use SSL 3.0 off.

Firefox

In the address bar, put in the special URL about:config to get access to the low-level option settings page of the browser.

(If you haven’t used about:config before, Firefox will show you a warning and urge you to be careful, so please avoid changing anything except what we show you below.)

In the Search bar at the top, type tls.version to thin out the list of options presented to you.

Double-click on security.tls.version.min, which will probably be set to zero, and change it to 1.

Chrome

If you start Chrome by running it with the command line option:

    --ssl-version-min=tls1

then you will prevent Chrome from using SSL 3.0 at all.

(Unfortunately, there isn’t a way to turn off SSL 3.0 once Chrome is running.)

To add this command line option to Chrome, exit from the browser, right-click on the shortcut you use to start it, and choose the Properties option.

In the Shortcut tab, click into the field labelled Target and add the abovementioned option to the command that is used when you click the shortcut.

Be sure to leave a space between the quote mark at the end of the Chrome executable name and the start of the command line option.

What do you think?