Is your website running SSL v3.0?
Earlier this week, Google announced a serious exploit which affects all webmasters and users of SSL v3.0. This security vulnerability is a serious issue because out of Alexa’s top one million domains, 96.9 per cent support SSL v3.0.
The attack, which has been coined POODLE, can take advantage of web browsers’ fall back to SSL v3.0. Google has announced that the solution is to turn V3.0 support off, commenting that in the coming months they will disable SSL 3.0 support completely from their product line:
“Disabling SSL 3.0 support or CBC-mode ciphers with SSL 3.0, is sufficient to mitigate this issue, but presents significant compatibility problems, even today. Therefore our recommended response is to support TLS_FALLBACK_SCSV. This is a mechanism that solves the problems caused by retrying failed connections and thus prevents attackers from inducing browsers to use SSL 3.0. It also prevents downgrades from TLS 1.2 to 1.1 or 1.0 and so may help prevent future attacks.”
So what can you do?
Although browsers will make these updates in the near future, users can disable the use of SSL v 3.0. Those users who want to prevent being exploited through POODLE should disable the use of SSLv3 within your web browser. The below shows how this can be done for each of the most common web browsers:
Google Chrome (please note that this will only protect if you open Google Chrome from the shortcut on your desktop).
- Right click the Google Chrome shortcut on your desktop
- Click properties from the drop-down menu
- On the properties menu, click inside the ‘Target’ box and scroll all the way to the right past the quote (‘))
- Simply enter –ssl-version-min=tls1
- Click OK and continue with administrator permissions
Mozilla advises users that the safest way is to ensure that Firefox is configured to automatically update. Under ‘Preferences / Advanced / Update, and make sure that ‘Automatically install updates’ is checked.
For users who wish not to wait until SSL v3.0 is disabled by default should follow this guide
- Launch internet options from the Start Menu
- Click ‘Advanced’ and uncheck ‘Use SSL v3.0’
- Click OK
We take security vulnerabilities of this kind very seriously and as a matter of course we have disabled SSL v3 protocol support. Customers are advised to configure their web browser to disallow communications over SSL v3.0. Customers should upgrade to their latest browsers editions to continue using www.123-reg.co.uk
Of course, we are always here to advise and help so if you do have a questions regarding this, simply get in touch here.
123-reg has disabled SSL v3.0 on our website.