What to Do about the SSL 3.0 Security Flaw?

Google's security team has just released details of a security flaw in SSL 3.0.

What to do?

  • One could disable SSL 3.0 in client web browsers.  For example,

“Firefox: open about:config, search for ‘security.enable’, and set ‘security.enable_ssl3’ to false.

IE: go to the Tools menu, click Internet Options and head to the Advanced tab. Under that, look for the Security heading and make sure that the SSL 3.0 check box is unchecked.”

  • One could disable SSL 3.0 in web servers.  For IIS, open this key in the Registry Editor:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

Typically, this key contains the following subkeys:

  • SSL 2.0
  • SSL 3.0
  • TLS 1.0

To disable any of these protocols,

  1. Under the key of the protocol you want to disable (SSL 3.0 here), create a subkey named “Server” if it does not exist.
  2. In the Server subkey, create a new DWORD value named “Enabled” with data 0 (shown as “00 00 00 00” in the Registry Editor).
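The registry steps above as a single script, added here as an example and not part of the original post. It exports the Protocols key first (the backup the post's note recommends), creates SSL 3.0\Server if it is missing, sets Enabled to 0 and reads the values back. The DisabledByDefault value is not one of the post's steps; it is the companion SCHANNEL value that is set alongside Enabled here. The backup file name is an arbitrary choice, and the script assumes an elevated (Administrator) PowerShell prompt.

```powershell
# Added example (not from the original post): disable SSL 3.0 for the SCHANNEL server
# role (IIS and any other SCHANNEL-based service) with a registry backup first.
# Assumptions: run as Administrator; the backup path below is arbitrary.

$protocolsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ssl3ServerKey = Join-Path $protocolsKey 'SSL 3.0\Server'
$backupFile    = Join-Path $env:TEMP ('schannel-protocols-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))

# 1. Back up the whole Protocols key before touching it (reg.exe wants the non-provider path).
if (Test-Path -Path $protocolsKey) {
    reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols' $backupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Registry backup failed (exit code $LASTEXITCODE); nothing was changed." }
    Write-Host "Backup written to $backupFile"
} else {
    Write-Host 'Protocols key does not exist yet; nothing to back up.'
}

# 2. Create the SSL 3.0\Server subkey if it is missing (-Force also creates the SSL 3.0 parent).
if (-not (Test-Path -Path $ssl3ServerKey)) {
    New-Item -Path $ssl3ServerKey -Force | Out-Null
}

# 3. Enabled = 0 is the post's step: SCHANNEL stops offering SSL 3.0 in the server role.
New-ItemProperty -Path $ssl3ServerKey -Name 'Enabled' -PropertyType DWord -Value 0 -Force | Out-Null

# DisabledByDefault = 1 is not in the post's steps; it is the companion SCHANNEL value that
# also removes SSL 3.0 from the default protocol set, so both are set here.
New-ItemProperty -Path $ssl3ServerKey -Name 'DisabledByDefault' -PropertyType DWord -Value 1 -Force | Out-Null

# 4. Read the values back so the change can be verified (and logged) right away.
$state = Get-ItemProperty -Path $ssl3ServerKey
[pscustomobject]@{
    Key               = $ssl3ServerKey
    Enabled           = $state.Enabled
    DisabledByDefault = $state.DisabledByDefault
} | Format-List

Write-Host 'SCHANNEL reads these values at startup: reboot for the change to take effect.'
```

To undo the change, double-click the exported .reg file (or run reg.exe import on it) and reboot again.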

To Test:

https://www.ssllabs.com/ssltest/index.html

Be sure to check “Do not show the results on the boards”, as you probably do not want to broadcast the result.
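A local check to run against your own server after the registry change, as an added example that is not part of the original post and does not replace the SSL Labs scan. It sends a minimal SSL 3.0 ClientHello over a raw TCP connection and reports whether the server answers with an SSL 3.0 ServerHello (the protocol is still enabled) or refuses it with an alert or a closed connection. The host name is a placeholder, and the cipher-suite list is a constructed sample of suites defined for SSL 3.0; the function names are this example's own.

```powershell
# Added example (not from the original post): does the server still accept SSL 3.0?
# Assumptions: TCP reachability to the host; suite list and host name are constructed samples.

function New-Ssl3ClientHello {
    # SSL 3.0 cipher suites to offer (RSA key exchange; AES-128/256, 3DES and RC4).
    $suites = [byte[]](0x00,0x2F, 0x00,0x35, 0x00,0x0A, 0x00,0x05, 0x00,0x04)
    $random = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($random)

    # ClientHello body: client_version 3.0, 32-byte random, empty session id,
    # cipher_suites with a 16-bit length, compression_methods = { null }.
    $body = New-Object System.Collections.Generic.List[byte]
    $body.AddRange([byte[]](0x03, 0x00))
    $body.AddRange($random)
    $body.Add([byte]0x00)
    $body.AddRange([byte[]](($suites.Length -shr 8), ($suites.Length -band 0xFF)))
    $body.AddRange($suites)
    $body.AddRange([byte[]](0x01, 0x00))

    # Handshake header: msg_type 1 (client_hello) followed by a 24-bit length.
    $handshake = New-Object System.Collections.Generic.List[byte]
    $handshake.AddRange([byte[]](0x01, 0x00, ($body.Count -shr 8), ($body.Count -band 0xFF)))
    $handshake.AddRange($body)

    # Record header: content_type 22 (handshake), version 3.0, 16-bit length.
    $record = New-Object System.Collections.Generic.List[byte]
    $record.AddRange([byte[]](0x16, 0x03, 0x00, ($handshake.Count -shr 8), ($handshake.Count -band 0xFF)))
    $record.AddRange($handshake)
    return ,$record.ToArray()
}

function Test-Ssl3Support {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443,
        [int] $TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.ReceiveTimeout = $TimeoutMs
        $client.SendTimeout    = $TimeoutMs
        $client.Connect($HostName, $Port)
        $stream = $client.GetStream()
        [byte[]] $hello = New-Ssl3ClientHello
        $stream.Write($hello, 0, $hello.Length)

        # Read the 5-byte record header plus 2 payload bytes: enough for the handshake
        # type of a ServerHello or the level/description of an alert.
        $reply = New-Object byte[] 7
        $read = 0
        while ($read -lt $reply.Length) {
            $n = $stream.Read($reply, $read, $reply.Length - $read)
            if ($n -le 0) { break }
            $read += $n
        }

        if ($read -ge 6 -and $reply[0] -eq 0x16 -and $reply[1] -eq 0x03 -and $reply[2] -eq 0x00 -and $reply[5] -eq 0x02) {
            $accepted = $true
            $detail   = 'SSL 3.0 ServerHello received: the server still negotiates SSL 3.0'
        } elseif ($read -ge 7 -and $reply[0] -eq 0x15) {
            $accepted = $false
            $detail   = 'alert level {0}, description {1}: SSL 3.0 refused' -f $reply[5], $reply[6]
        } else {
            $accepted = $false
            $detail   = 'connection closed without a usable record: SSL 3.0 refused'
        }
    } catch {
        $accepted = $false
        $detail   = "no reply: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    [pscustomobject]@{ Host = $HostName; Port = $Port; Ssl3Accepted = $accepted; Detail = $detail }
}

# Usage: point it at your own server once the registry change is in place and the box has rebooted.
Test-Ssl3Support -HostName 'your-server.example' | Format-List
```

Ssl3Accepted should be False after the change; if it is still True, SCHANNEL has not re-read the registry yet (reboot) or the value landed under the wrong subkey.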

Note:

  • As usual, backup before you do anything you might regret.
  • If you want to go further, consider enabling Forward Secrecy as well.  Hass.de has a PowerShell script for it (see the reference below).

Reference:

http://www.zdnet.com/google-reveals-major-flaw-in-outdated-but-widely-used-ssl-protocol-7000034677/

http://support.microsoft.com/kb/187498

http://www.hass.de/content/setup-your-iis-ssl-perfect-forward-secrecy-and-tls-12
