POODLE attack and Firefox (and Chrome)

[ubuysa]

I'm sure everyone has read of the SSLv3 POODLE vulnerability. I'm a Firefox user and Mozilla have promised to disable SSLv3 in the next Firefox update, but that's not until mid-November. So I've been looking for the about:config hack to turn it off now and I've just found it.

If you want to disable SSLv3 on Firefox now type about:config in the URL bar and click the "I'll be careful" message box.

Search for security.tls.version.min and double click it. Change the value from 0 to 1 to force TLS as the minimum. To test your browser visit https://zmap.io/sslv3/, they will tell you whether your browser now supports SSLv3 (site requires Javascript).

I don't run Chrome but I understand that adding --ssl-version-min=tls1 to the end of the shortcut target field will enforce TLS in Chrome. Note: there must be a space between the existing program name and this text, and there is a space between the tls and the 1.

Apologies if this is common knowledge, I didn't know it until this morning. POODLE is a minor risk for most of us but it's worth disabling SSLv3 I think.

 

[steaky360]

I must admit I had not heard about this and I honestly thought you were having a laugh at first (POODLE!!!). Good info though! Thanks for sharing!

 

[Bsrz]

so if my understanding is right, someone can force my browser to downgrade to an earlier version making it a lot less secure?

 

[ubuysa]

so if my understanding is right, someone can force my browser to downgrade to an earlier version making it a lot less secure?

It's a feature. Browsers attempt to negotiate the most secure connection but are designed to fall-back to less secure connections if the more secure connections cannot be established. SSLv3 is now known to have a vulnerability that could be exploited, so it's wise to disable SSLv3 completely in your browsers. Google "Poodle SSL vulnerability".

 

[DeadEyeDuk]

But realistically this is far too complicated for most users to understand, so does that mean all of a sudden millions of people are vulnerable? Funsies!

(Also, someone really needs to come up with some other names, because that one is just ridiculous )

 

[Wozza63]

The best way to stay secure on the internet is not to go changing settings that may cause issues and not to have an anti-virus. It's to not be stupid! Don't visit websites you don't know and trust and if you must visit a new website (say for researching purposes) check the websites legitimacy on Google

 

[ubuysa]

The best way to stay secure on the internet is not to go changing settings that may cause issues and not to have an anti-virus. It's to not be stupid! Don't visit websites you don't know and trust and if you must visit a new website (say for researching purposes) check the websites legitimacy on Google

Whilst that's good advice it wouldn't help against this particular vulnerability. A large number of perfectly legitimate websites still use SSLv3 for secure connections, including, amazingly, Citibank. So if you connect to one of these legitimate sites you will use SSLv3 (unless you disable it in your browser - in which case you won't be able to connect). Only visiting trusted websites also doesn't protect you from a "man-in-the-middle" attack and having no anti-virus leaves you open to the injection of malware by this type of attack.

You are absolutely right that most problems can be avoided by being careful what sites you visit and what you download. A sandbox (like Sanboxie or the sandbox in Comodo Internet Security which I use) can prevent you being infected by any malware getting in through the browser (by running the browser inside the sandbox). A good strong firewall, good anti-virus, and real-time defence software (or a sandbox) are very important tools to stay safe online.