Google security researchers have published details of a serious flaw in SSL 3.0, the protocol used to encrypt data transferred between your browser and a web server (the attack has since become known as POODLE). SSL/TLS is what protects logon credentials and other confidential information in transit (e.g. online banking). The attack Google described combines two weaknesses: 1. An attacker sitting between you and the server forces your browser to fall back to SSL 3.0, simply by making the handshakes for the newer protocol versions fail. 2. A known weakness in how SSL 3.0 checks CBC padding then lets the attacker recover small pieces of the encrypted traffic, such as a session cookie, one byte at a time by making the browser send many forced requests.
SSL version 3.0 is an old protocol that has been replaced by TLS 1.0, 1.1 and 1.2, but all of the popular web browsers still support it for compatibility with a small number of old websites. Previously this was not an issue: a browser first offers the newest protocol it supports and only retries with an older version if the handshake fails. The problem is that this retry can be triggered deliberately, because an attacker on the network path only has to make the newer handshakes fail to push the browser down to SSL 3.0. A feature designed purely for compatibility has therefore turned into a way for the attacker to pick the weakest protocol.
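What the downgrade looks like on the wire, as an added example (my code, not Google's and not from the original page): a small parser for the ClientHello message that opens every SSL/TLS connection, plus the policy a server can apply to refuse the weak protocol. A browser that has been pushed down to SSL 3.0 announces client_version 0x0300. A browser that retries at a lower version after a failed handshake can also include the TLS_FALLBACK_SCSV signalling cipher suite (0x5600, RFC 7507), which Google proposed together with the attack details so that a server can tell a deliberate downgrade apart from a genuinely old client. The ClientHello messages below are constructed (minimal, no extensions); the record and handshake layout follows the SSL 3.0/TLS specifications.

```python
"""Inspect a ClientHello and decide whether it should be refused as an SSL 3.0 downgrade.

Added example: a minimal parser for the record and handshake headers plus the
server-side policy; the sample messages are constructed, not captured.
"""
import struct

SSL_3_0 = 0x0300
TLS_1_0 = 0x0301
TLS_1_1 = 0x0302
TLS_1_2 = 0x0303
TLS_FALLBACK_SCSV = 0x5600        # signalling cipher suite value, RFC 7507
VERSION_NAMES = {SSL_3_0: "SSL 3.0", TLS_1_0: "TLS 1.0", TLS_1_1: "TLS 1.1", TLS_1_2: "TLS 1.2"}

HANDSHAKE_RECORD = 0x16
CLIENT_HELLO = 0x01


def parse_client_hello(data: bytes) -> dict:
    """Pull the versions and the cipher suite list out of a raw ClientHello record."""
    if len(data) < 5 or data[0] != HANDSHAKE_RECORD:
        raise ValueError("not a handshake record")
    record_version, record_len = struct.unpack(">HH", data[1:5])
    body = data[5:5 + record_len]
    if len(body) != record_len or body[0] != CLIENT_HELLO:
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    client_version = struct.unpack(">H", hello[0:2])[0]
    pos = 2 + 32                                   # client_version + 32-byte random
    sid_len = hello[pos]
    pos += 1 + sid_len                             # session_id
    cs_len = struct.unpack(">H", hello[pos:pos + 2])[0]
    pos += 2
    suites = [struct.unpack(">H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": suites}


def server_decision(hello: dict, server_max: int = TLS_1_2) -> str:
    """Policy of a server that has removed SSL 3.0 and honours TLS_FALLBACK_SCSV."""
    version = hello["client_version"]
    if version <= SSL_3_0:
        # The browser was (or was pushed) down to SSL 3.0: refuse rather than negotiate.
        return "reject: SSL 3.0 offered (protocol_version alert)"
    if TLS_FALLBACK_SCSV in hello["cipher_suites"] and version < server_max:
        # The client says this is a retry below its real maximum, yet we speak something
        # newer, so an earlier handshake was sabotaged: refuse.
        return "reject: downgrade detected (inappropriate_fallback alert)"
    return "accept: " + VERSION_NAMES.get(version, hex(version))


def build_client_hello(client_version: int, suites: list) -> bytes:
    """Constructed minimal ClientHello (empty session id, null compression, no extensions)."""
    cipher_bytes = b"".join(struct.pack(">H", s) for s in suites)
    body = (struct.pack(">H", client_version) + bytes(32)          # version, random
            + b"\x00"                                               # session_id length 0
            + struct.pack(">H", len(cipher_bytes)) + cipher_bytes   # cipher_suites
            + b"\x01\x00")                                          # compression: null only
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE_RECORD]) + struct.pack(">H", client_version)
            + struct.pack(">H", len(handshake)) + handshake)


if __name__ == "__main__":
    AES128_SHA = 0x002F   # TLS_RSA_WITH_AES_128_CBC_SHA, a CBC suite usable under SSL 3.0
    scenarios = {
        "browser pushed down to SSL 3.0": build_client_hello(SSL_3_0, [AES128_SHA]),
        "patched browser retrying at TLS 1.0": build_client_hello(TLS_1_0, [AES128_SHA, TLS_FALLBACK_SCSV]),
        "genuine TLS 1.0-only client": build_client_hello(TLS_1_0, [AES128_SHA]),
        "normal TLS 1.2 connection": build_client_hello(TLS_1_2, [AES128_SHA]),
    }
    for label, raw in scenarios.items():
        print(f"{label:40s} -> {server_decision(parse_client_hello(raw))}")
```

The first scenario is the one the browser changes in this post prevent: a browser with SSL 3.0 disabled never sends client_version 0x0300, so the attacker's forced failures end in a connection error instead of a weak session. The second scenario shows the server-side half of the fix: a browser that still retries, but marks the retry with the SCSV, lets a patched server refuse the downgrade while a genuinely TLS 1.0-only client (third scenario) still connects.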
The fix on the client side is straightforward: if the browser no longer supports SSL 3.0 at all, it cannot be talked into using it. Follow the instructions below for each browser you use. Each set of steps ends with a check against the Qualys SSL Labs client tester (https://www.ssllabs.com/ssltest/viewMyClient.html), which reports the protocol versions your browser is willing to negotiate; after the change SSL 3.0 should no longer appear in that list.
Internet Explorer
- Open Internet Explorer, click the gear toolbar icon and select Internet Options.
- When Internet Options loads, click the Advanced tab.
- Scroll down to the Security section and clear the check box next to Use SSL 3.0. Leave the Use TLS 1.0, 1.1 and 1.2 entries checked, otherwise Internet Explorer will not be able to connect to any HTTPS site.
- Click OK and close Internet Explorer.
- Open Internet Explorer and verify SSL 3.0 has been disabled by navigating to the Qualys SSL Client Tester.
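The Use SSL 3.0 check box is one bit in a single registry value, which matters if you have more than a handful of machines to fix or want to confirm the change without opening the dialog. The following is an added example (my code, not from the page): it reads the SecureProtocols DWORD under the per-user Internet Settings key, reports which protocols are enabled and rewrites the value with the SSL 3.0 bit cleared. The bit values are the ones Microsoft documents for Internet Options and the key path and value name are the ones the dialog writes to; the policy key it checks for an override is an assumption based on where the "Turn off encryption support" group policy stores its setting. The setting is per user and is honoured by other programs that use WinINet, not only Internet Explorer. On a non-Windows host the script only exposes its pure helpers.

```python
"""Audit and fix the Internet Explorer SecureProtocols value behind the 'Use SSL 3.0' check box.

Added example: bit values as documented by Microsoft for Internet Options; the policy
key is an assumption (the location the "Turn off encryption support" GPO writes to).
Registry access only happens on Windows; the bit-mask helpers run anywhere.
"""
import sys

PROTOCOL_BITS = {
    "SSL 2.0": 0x008,
    "SSL 3.0": 0x020,
    "TLS 1.0": 0x080,
    "TLS 1.1": 0x200,
    "TLS 1.2": 0x800,
}
SSL3_BIT = PROTOCOL_BITS["SSL 3.0"]
TLS_BITS = PROTOCOL_BITS["TLS 1.0"] | PROTOCOL_BITS["TLS 1.1"] | PROTOCOL_BITS["TLS 1.2"]

USER_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"            # what the dialog writes
POLICY_KEY = r"Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings"  # assumed GPO location
VALUE_NAME = "SecureProtocols"


def enabled_protocols(mask: int) -> list:
    """Names of the protocols whose bit is set, oldest first."""
    return [name for name, bit in PROTOCOL_BITS.items() if mask & bit]


def without_ssl3(mask: int) -> int:
    """Equivalent of clearing 'Use SSL 3.0': drop that bit, but refuse to leave no TLS version enabled."""
    new_mask = mask & ~SSL3_BIT
    if not new_mask & TLS_BITS:
        raise ValueError("no TLS version would remain enabled; IE could not connect anywhere")
    return new_mask


def read_mask(hive, key_path: str):
    """Read SecureProtocols from one key; None if the key or value is absent (Windows only)."""
    import winreg
    try:
        with winreg.OpenKey(hive, key_path) as key:
            value, kind = winreg.QueryValueEx(key, VALUE_NAME)
            return value if kind == winreg.REG_DWORD else None
    except FileNotFoundError:
        return None


def write_mask(mask: int) -> None:
    """Write the per-user value; Internet Explorer reads it on its next start (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, USER_KEY, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_DWORD, mask)


def main() -> int:
    if sys.platform != "win32":
        print("registry access needs Windows; only the bit-mask helpers are usable here")
        return 0
    import winreg
    policy = read_mask(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY)
    if policy is not None:
        # A policy value wins over the per-user one, so the fix has to happen in group policy.
        print(f"policy override in effect: {enabled_protocols(policy)} (change this via group policy)")
    current = read_mask(winreg.HKEY_CURRENT_USER, USER_KEY)
    if current is None:
        print("no per-user value set; IE is using its built-in default, untick the box in the dialog")
        return 1
    print(f"current: 0x{current:X} {enabled_protocols(current)}")
    if current & SSL3_BIT:
        fixed = without_ssl3(current)
        write_mask(fixed)
        print(f"fixed:   0x{fixed:X} {enabled_protocols(fixed)}")
    else:
        print("SSL 3.0 already disabled")
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

The helper deliberately touches only the SSL 3.0 bit, so a machine that still has SSL 2.0 enabled keeps it; read the list of enabled protocols the script prints and clear that one as well, either in the same dialog or with the same mask arithmetic.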
Google Chrome
At the time of writing, the only way to disable SSL 3.0 in Chrome is to add a command line switch to every shortcut you use to start Chrome. Chrome started by any other route (for example a link clicked in another program that opens your default browser) does not get the switch, so treat this as a stop-gap; later Chrome releases removed SSL 3.0 support entirely, at which point the switch is no longer needed.
- Right click the Google Chrome shortcut and select Properties. If the shortcut is pinned to the taskbar, right click it, then right click the Google Chrome entry in the jump list just above "Unpin this program from the taskbar" and click Properties.
- In the Target box, add a space and then --ssl-version-min=tls1 after the closing quotation mark of the chrome.exe path, for example: "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1
- Click OK.
- Close every Chrome window (and any Chrome process still running in the background, since the switch is only read when a new process starts), restart Chrome from the modified shortcut, and verify SSL 3.0 has been disabled by navigating to the Qualys SSL Client Tester.
Firefox
- Open Firefox and navigate to about:config.
- Click through the warning screen.
- Search for security.tls.version.min and set the value to 1. The value is the lowest protocol version Firefox will negotiate: 0 is SSL 3.0 and 1 is TLS 1.0, so 1 removes SSL 3.0 from the list. Leave security.tls.version.max alone. (Firefox 34 and later ship with SSL 3.0 disabled by default, so on a current version this should already read 1.)
- Close and restart Firefox and verify SSL 3.0 has been disabled by navigating to the Qualys SSL Client Tester.