POODLE-bug – what can you do?

Right now a bug in SSL poses a risk for users sending information over a supposedly secure connection. I won’t describe the bug in detail, but the short version is that it allows an attacker to force a site visitor back to the insecure SSL 3.0 protocol. Combine this with a man-in-the-middle (MitM) attack and you can guess where this is going ;)

This can be fixed easily by server-admins. All they have to do is disable the SSL 3.0 protocol on their site. For those of you that don’t want to wait for that, this is how you disable SSL 3.0 in your browser, rendering the attack useless:

Internet Explorer:

If you use Internet Explorer (IE) 7 or higher you can disable the usage of SSLv3.0 by going to the Internet Options. If you select Advanced you can select what versions of SSL or TLS you wish to use. Disable the usage of SSLv3.0 and SSLv2.0 there and you’re done.

Mozilla Firefox:

This problem is solved in Firefox version 34. Unfortunately, that version hasn’t been released yet. Until then you can do one of two things: install an add-on that disables old SSL versions for you or, if you don’t want that, disable them manually. Go to the page about:config and locate the variable security.tls.version.min. This holds the minimum SSL/TLS version accepted by your browser. Set this to 1 to disable the use of SSLv2.0 and SSLv3.0.
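To check the Firefox setting across several profiles without opening about:config in each one, the same preference can be read from a profile's prefs.js or user.js file. The script below is an added example, not part of the original post; the function names and the sample text are this example's own, and it assumes a default of 0 (SSL 3.0 allowed) when the preference is absent, as in Firefox before version 34.

```python
import re

PREF = "security.tls.version.min"
# Values Firefox uses for this pref: 0 = SSL 3.0, 1 = TLS 1.0, 2 = TLS 1.1, 3 = TLS 1.2
VERSION_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_min_version(prefs_text, default=0):
    """Return the effective minimum version from prefs.js/user.js text.

    A later line overrides an earlier one. `default` applies when the pref
    is absent; 0 is an assumption that matches Firefox before version 34.
    """
    value = default
    for line in prefs_text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) == PREF:
            try:
                value = int(m.group(2))
            except ValueError:
                pass  # malformed value: keep the previous one
    return value

def audit(prefs_text, default=0):
    """Report the minimum protocol version and whether SSL 3.0 is still accepted."""
    minimum = read_min_version(prefs_text, default)
    return {"min_version": VERSION_NAMES.get(minimum, f"unknown ({minimum})"),
            "ssl3_allowed": minimum < 1}

def harden(prefs_text):
    """Return prefs text with the minimum raised to 1 (TLS 1.0).

    Text that already requires TLS 1.0 or higher is returned unchanged,
    so a stricter setting is never lowered.
    """
    if read_min_version(prefs_text) >= 1:
        return prefs_text
    kept = [line for line in prefs_text.splitlines()
            if not ((m := PREF_LINE.match(line)) and m.group(1) == PREF)]
    kept.append(f'user_pref("{PREF}", 1);')
    return "\n".join(kept) + "\n"

# Constructed sample, not taken from a real profile
SAMPLE = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.tls.version.min", 0);
'''

if __name__ == "__main__":
    print(audit(SAMPLE))           # before the change
    print(audit(harden(SAMPLE)))   # after the change
```

Firefox rewrites prefs.js when it exits, so a line placed in user.js in the same profile folder is the one that persists.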

Google Chrome:

This one is a bit trickier. Currently a bug in Chrome won’t allow you to set this directly in the browser itself. Luckily you can disable it on the command line. In the shortcut to Chrome, add the following command-line flag: --ssl-version-min=tls1

That’s it! Now you should be relatively safe again. If you wish, you can test your browser settings at the following page: https://www.poodletest.com/