Lee B Posted November 6, 2014

FROM PC MAGAZINE

Keep Poodle At Bay With Basic Internet Safety
Oct 15, 2014 2:47 PM EST
By Fahmida Y. Rashid

Researchers have uncovered another serious vulnerability in Secure Sockets Layer (SSL) which affects how our information and communications are secured online. The good news is you can take specific steps to block attacks exploiting this flaw.

. . . . .

Why Do We Still Have SSL 3.0?

Most modern servers and applications use TLS 1.1 or 1.2, but SSL 3.0 is still widely used in order to support legacy applications and systems. Internet Explorer 6 is one good example. While IE 6 is not as visible as it used to be, it hung around for quite a long time, so quite a number of servers and applications were built to support SSL 3.0 along with the more secure TLS. Netcraft estimated nearly 97 percent of SSL Web servers are likely to be vulnerable.

"You could pretty much kill it in most places today," security researcher Troy Hunt wrote, but that is only part of the problem, as there are clients out there which may depend on the ability to fall back to SSL 3.0. We don't know which ones they are, making companies less willing to just pull the plug. For example, there were Twitter reports that MetroTwit, a popular Twitter client for Windows, relied on SSL 3.0 and stopped working after Twitter disabled SSL 3.0 support Tuesday evening (MetroTwit has released a hotfix, by the way, so you should update your client). "It's the uncertainty that keeps these early generation technologies alive," said Hunt.

Fix the Browser Problem

Use a modern, standards-compliant Web browser. Mozilla will disable SSL 3.0 by default in the next version of Firefox, expected Nov. 25, and Google is scrubbing it from Chrome. Safari auto-enables SSL, but Apple has yet to weigh in on its plans for the browser. Microsoft posted an advisory with instructions on disabling SSL 3.0 from Windows desktops and servers.

"No need to hate on Microsoft, as Internet Explorer 10 or 11 will do," said Garve Hays, a solutions architect with NetIQ. You can manually turn off SSL 3.0 in IE by un-checking the SSL 3.0 box under the Advanced tab in the Internet Options menu. Firefox users should go to about:config in the browser and change the value for security.tls.version.min to 1. They can also download a Mozilla add-on to disable SSL 3.0. Chrome users who want to disable SSL 3.0 can add the command line flag --ssl-version-min=tls1 to the browser. Safari users will have to wait for an update, whenever it comes. Staying off Safari temporarily will reduce the likelihood of a Poodle attack.
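As an added example (not part of the quoted article or the forum post), the following Python script audits the two client-side settings the article describes: it parses a Firefox prefs.js/user.js fragment for security.tls.version.min (0 = SSL 3.0, 1 = TLS 1.0) and inspects a Chrome command line for the --ssl-version-min flag. The prefs fragments are constructed samples, not taken from any real profile; treating a missing Firefox pref as the old default of 0 is an assumption that matches Firefox builds before the change the article anticipates.

```python
import re
import shlex

# Constructed sample prefs.js/user.js fragments (not from a real Firefox profile).
SAMPLE_PREFS_VULNERABLE = '''
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.tls.version.min", 0);
user_pref("security.tls.version.max", 3);
'''

SAMPLE_PREFS_HARDENED = '''
user_pref("security.tls.version.min", 1);
'''

# Matches one Firefox pref line: user_pref("name", value);
PREF_RE = re.compile(r'user_pref\("(?P<name>[^"]+)",\s*(?P<value>[^)]+)\);')

# Meaning of security.tls.version.min in Firefox of that era.
FIREFOX_MIN_SSL3 = 0
FIREFOX_MIN_TLS10 = 1


def parse_prefs(text: str) -> dict:
    """Parse user_pref(...) lines into a dict of name -> typed value."""
    prefs = {}
    for m in PREF_RE.finditer(text):
        raw = m.group("value").strip()
        if raw.startswith('"'):
            prefs[m.group("name")] = raw.strip('"')
        elif raw in ("true", "false"):
            prefs[m.group("name")] = raw == "true"
        else:
            prefs[m.group("name")] = int(raw)
    return prefs


def firefox_allows_sslv3(prefs_text: str) -> bool:
    """True if this profile would still negotiate SSL 3.0.

    Assumption: a profile with no explicit pref uses the old default of 0,
    i.e. SSL 3.0 is still allowed.
    """
    prefs = parse_prefs(prefs_text)
    minimum = prefs.get("security.tls.version.min", FIREFOX_MIN_SSL3)
    return minimum <= FIREFOX_MIN_SSL3


def hardened_firefox_pref_line() -> str:
    """The user.js line that raises the floor to TLS 1.0, as the article advises."""
    return 'user_pref("security.tls.version.min", %d);' % FIREFOX_MIN_TLS10


def chrome_allows_sslv3(cmdline: str) -> bool:
    """True unless the command line pins the minimum version above SSL 3.0.

    Chrome of that era accepted --ssl-version-min=ssl3|tls1|tls1.1|tls1.2.
    Without the flag, SSL 3.0 fallback was still possible.
    """
    for arg in shlex.split(cmdline):
        if arg.startswith("--ssl-version-min="):
            value = arg.split("=", 1)[1].lower()
            return value == "ssl3"
    return True


def audit(prefs_text: str, chrome_cmdline: str) -> dict:
    """Summarise both checks in one report dict."""
    return {
        "firefox_allows_sslv3": firefox_allows_sslv3(prefs_text),
        "chrome_allows_sslv3": chrome_allows_sslv3(chrome_cmdline),
    }


if __name__ == "__main__":
    print("Vulnerable profile:", audit(SAMPLE_PREFS_VULNERABLE, "chrome"))
    print("Hardened profile:  ", audit(SAMPLE_PREFS_HARDENED,
                                      "chrome --ssl-version-min=tls1"))
    print("Add to user.js:    ", hardened_firefox_pref_line())
```

Point the script at the prefs.js of a real profile and at the shortcut's command line to get the same two flags for an actual workstation; a True in either field means the client still has the fallback path the article warns about.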