Google's security team just released details of a security flaw in SSL 3.0.
What to do?
- One could disable SSL 3.0 with client web browsers. For example,
“Firefox, open about:config, search for “security.enable,” and set “security.enable_ssl3” to false.
IE, go to the tools menu, click Internet Options and head to the Advanced tab. Under that look for the Security heading, and make sure that the SSL 3.0 check box is unchecked.”
- One could disable SSL 3.0 in web servers. For IIS, go to the registry
Typically, this key contains the following subkeys:
- SSL 2.0
- SSL 3.0
- TLS 1.0
To disable any of these protocols:
- Create a subkey “Server” if it does not exist.
- In the Server subkey, create a new DWORD value, with the Name “Enabled” and Data = “00 00 00 00”.
Be sure to check “Do not show the results on the boards” as you probably do not want to broadcast the result.
- As usual, back up before you do anything you might regret.
- If you want to get super secure, you may want to consider enabling Forward Secrecy. “Hasse.de” has a PowerShell script for it.
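
To confirm that the server-side change took effect, the following Python code (an added example, not part of the original post) sends a ClientHello that offers only SSL 3.0 to a server you administer and classifies the reply. The function names and the sample reply bytes are constructed for this example.

```python
import os
import socket
import struct

SSL3 = b"\x03\x00"
# RSA key-exchange suites defined for SSL 3.0 / TLS 1.0 (RC4, 3DES, AES).
CIPHER_SUITES = (0x0004, 0x0005, 0x000A, 0x002F, 0x0035)
# Constructed sample replies (not captured traffic); the ServerHello is truncated.
SAMPLE_ALERT = bytes.fromhex("15030000020228")  # fatal alert, handshake_failure
SAMPLE_SERVER_HELLO = bytes.fromhex("160300002a020000260300") + bytes(32)


def build_sslv3_client_hello(random_bytes=None):
    """Return one record carrying a ClientHello that offers only SSL 3.0."""
    random_bytes = random_bytes or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (SSL3 + random_bytes + b"\x00"        # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                       # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16" + SSL3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Map the first bytes of the reply to 'enabled', 'disabled' or 'unknown'."""
    if not data:
        return "disabled"    # some stacks drop the connection instead of alerting
    if data[0] == 0x15:
        return "disabled"    # alert record: the handshake was refused
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:
        # ServerHello: bytes 9-10 hold the protocol version the server selected
        return "enabled" if data[9:11] == SSL3 else "unknown"
    return "unknown"         # not a TLS/SSL reply (wrong port or service)


def probe(host, port=443, timeout=5.0):
    """Send the ClientHello to a server you administer and classify the reply."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            while len(data) < 11:
                chunk = sock.recv(64)
                if not chunk:
                    break
                data += chunk
        except OSError:      # reset or timeout after the hello was sent
            pass
    return classify_response(data)
```

Run `probe("your-server.example")` before and after the registry change; the result should move from `enabled` to `disabled` once the change is in effect.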