Outdated SSL implementations are the computing equivalent of spoiled milk
By now you’ve probably heard the exciting news that TLS 1.3 has been released! Oh, you hadn’t? I guess it’s easy to forget that outside of the handful of people who design, sell, market or deploy TLS on a large scale—nobody cares. That may include you. In fact, you’re probably only here because something broke, or you got an error or you’re my boss and you’re checking to make sure I haven’t been sowing insurrection on the internet again.
Well, listen up: as we continue to refine the TLS protocol and release new versions, it’s important that you occasionally go through your implementations and disable old and outmoded versions. Consider it digital spring cleaning.
Hypothetically, say I didn’t disable old SSL/TLS versions…
You like to live dangerously, do ya? If the internet’s Do-no-Evil overlord, Google, finds out that your server still supports TLS 1.0 it will dispatch its agents to literally drag you out of your bed and summarily execute you in the street. And that’s just for TLS 1.0, heaven forbid your server still supports SSL 3.0, Google may end your entire line, Game of Thrones style—which is usually gory. [Editor’s Note: Carl, this is an article about disabling BROWSER support…]
Fortunately, you’re not dealing with this issue server-side. That’s a different article. You’re just worried about how to handle things from the browser side. Great question!
Why do I need to disable browser support for SSL 3.0?
POODLES! No seriously, there’s a threat called POODLE, Padding Oracle On Downgraded Legacy Encryption. Granted, POODLE is the acronym, but nothing makes a legitimate threat sound less important than naming it after a bourgeois French dog with a bad haircut.
Anyway, POODLE is serious. It allows attackers to extract data from a secure connection by forcing it to downgrade to outdated protocols. To avoid this you need to disable support for SSL entirely (and TLS 1.0, too).
So here’s how to disable browser support for SSL 3.0…
How to disable SSL V3 in Internet Explorer
- Open Internet Explorer, click the Gear, then select Internet Options
- Select the Advanced Tab, scroll down to the Security section
- In the Security section, locate the Use SSL and Use TLS options, uncheck SSL 2.0, 3.0 and TLS 1.1
- Click apply, then OK
How to disable SSL V3 in Firefox
- Open Firefox, in the address bar type “about:config”
- In the search field, type “TLS”
- Double-click on security.tls.version.min
- Type 1.1 in the Enter Integer Value window
- Click OK
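To check the result across several profiles, the added example below (not part of the original article) reads the text of a Firefox prefs.js and reports which protocol the security.tls.version.min override permits. Firefox stores this preference as an integer (0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2, 4 = TLS 1.3). The function name, the `required` threshold and the sample profile text are assumptions made for this example.

```python
import re

# Firefox's integer encoding for security.tls.version.min / .max
TLS_VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}

# Matches an active (not commented-out) override line in prefs.js or user.js
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"security\.tls\.version\.min"\s*,\s*(-?\d+)\s*\)\s*;', re.M)

def audit_min_tls(prefs_text, required=2):
    """Return (status, detail) for the minimum protocol version in a prefs.js.

    required=2 (TLS 1.1) follows the article's advice to drop SSL 3.0 and
    TLS 1.0; it is a parameter of this example, not a Firefox setting.
    """
    matches = PREF_RE.findall(prefs_text)
    if not matches:
        # No override in the profile: the release's built-in default applies.
        return ("not-set", "no user override; built-in default applies")
    value = int(matches[-1])  # if the pref is repeated, the later line takes effect
    name = TLS_VERSIONS.get(value)
    if name is None:
        return ("invalid", f"unknown value {value}")
    if value < required:
        allowed = [TLS_VERSIONS[v] for v in range(value, required)]
        return ("weak", f"minimum is {name}; still allows {', '.join(allowed)}")
    return ("ok", f"minimum is {name}")

# Constructed sample profiles (not taken from a real system)
SAMPLE_WEAK = '''
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.tls.version.min", 0);
'''
SAMPLE_OK = 'user_pref("security.tls.version.min", 2);\n'

if __name__ == "__main__":
    for label, text in (("weak", SAMPLE_WEAK), ("ok", SAMPLE_OK), ("empty", "")):
        print(label, audit_min_tls(text))
```

A "not-set" result means the profile carries no override, so the effective minimum depends on the installed Firefox release.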
How to disable SSL V3 in Chrome
Google disabled support for SSL 3.0 after version 38. And rather than give you years-old instructions on how to disable SSL 3.0 in version 38 or earlier, I’m going to give you a piece of invaluable advice:
UPDATE YOUR #$%^&!@ BROWSER!
Stay cautious, my friends…