Have you updated your browser security settings?

By | October 15, 2014

The attached article contains a great explanation on how the latest disclosed attack on SSL v3, POODLE, works. The POODLE attack was discovered by a team of engineers at Google, and abuses the SSL handshake protocol to allow an attacker to decrypt targeted stored cookies, for example your Google authentication cookie, and thus steal your identity. This attack is nowhere near as critical as Heartbleed, but it is a good reminder that you should keep your browsing habits safe!

The short version of the confusion between SSL and TLS
SSL v3 was introduced in 1995 by Netscape. Do you remember Netscape? That was, in terms of internet development, a very long time ago… and internet security has come a long way since. Most modern security handshakes work via TLS, which has been improved several times since its introduction. TLS was, like SSL v3, also first introduced in 1994 / 1995 by Mozilla, but Mozilla has survived and continued to improve it over the years.

To add to the confusion and myth that SSL makes things secure, there are some interesting naming conventions: TLS v1 has also identified itself as SSL v3.1, due to its similarities and large cross-compatibility with SSL v3. Also, many popular TLS implementations contain SSL in their names, notably OpenSSL, LibreSSL or PolarSSL.

So how do I protect myself?
The solution to the problem should be relatively simple: Disable SSLv3. Most servers support TLS. Any server administrator can do this, but not many have been willing to, as certain browsers (in particular Internet Explorer 6, which is also quite old and insecure!) do not support TLS. All other major browsers do support TLS, and even if server administrators don’t want to turn off SSL support, you can protect yourself by turning this off in your browser, or by upgrading if you are one of those evil surfers using IE6.

You can test whether you are vulnerable with one of these tests:
– Test your server: https://ssltest.com
– Test your browser: https://www.poodletest.com

Some ‘quick fix’ instructions for selected popular browsers:

Firefox will disable SSL v3 starting from version 34, which should be released on November 25. If you’re not an early adopter, you’ll have to wait a while before getting the update – or you can do it yourself. Open up Firefox and go to the URL about:config. Then, find the security.tls.version.min preference and change its value to 1. All done!

For Chrome, you’ll need to modify the launcher. In Linux, you’ll need to edit the /usr/share/applications/google-chrome.desktop file. Edit all lines starting with Exec= to include --ssl-version-min=tls. In Windows, right-click on the shortcut you use to start Chrome and choose Properties. In the exec parameter box, add --ssl-version-min=tls. All done!
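As an added example (not part of the original post), here is a small POSIX shell script that patches every Exec= line of a Chrome .desktop launcher, inserting the switch directly after the executable so that trailing arguments and %U placeholders are not broken, and skipping lines that already carry it. The post writes the switch as --ssl-version-min=tls; the minimum-version values Chrome accepted for that switch were tls1, tls1.1 and tls1.2, so tls1 is used here, and the sample launcher and its paths are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original post): patch every Exec= line of a
# Chrome .desktop launcher so Chrome will not negotiate SSLv3.
# The post writes the switch as --ssl-version-min=tls; the minimum-version
# values Chrome accepted were tls1, tls1.1 and tls1.2, so tls1 is used here.
# Assumes the executable path on the Exec= line contains no spaces.
FLAG='--ssl-version-min=tls1'

# make_sample FILE: write a constructed launcher with three Exec= lines,
# the case the comment thread tripped over (new window, incognito, %U arg).
make_sample() {
    cat > "$1" <<'EOF'
[Desktop Entry]
Name=Google Chrome
Exec=/usr/bin/google-chrome-stable %U
[Desktop Action new-window]
Exec=/usr/bin/google-chrome-stable
[Desktop Action new-private-window]
Exec=/usr/bin/google-chrome-stable --incognito
EOF
}

# add_min_tls_flag FILE: print FILE with FLAG inserted directly after the
# executable on every Exec= line, ahead of existing arguments and %U/%F
# placeholders. Lines that already carry FLAG are left alone (idempotent).
add_min_tls_flag() {
    awk -v flag="$FLAG" '
        /^Exec=/ && index($0, flag) == 0 {
            rest = ""
            for (i = 2; i <= NF; i++) rest = rest " " $i
            $0 = $1 " " flag rest
        }
        { print }
    ' "$1"
}

# count_unpatched FILE: how many Exec= lines still lack FLAG (0 means done).
count_unpatched() {
    grep '^Exec=' "$1" | grep -vc -- "$FLAG" || true
}

# Stand-alone use: print the patched launcher given on the command line
# (the post's path is /usr/share/applications/google-chrome.desktop);
# with no argument, run on the constructed sample instead.
target="${1:-}"
if [ -z "$target" ]; then
    target=$(mktemp) && make_sample "$target"
fi
add_min_tls_flag "$target"
```

Redirect the output to a copy, compare with count_unpatched, and only then replace the real launcher; Chrome must be fully quit and restarted before the poodletest page will reflect the change.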

In Internet Explorer versions higher than 6, choose Settings > Internet Options > Advanced tab > Uncheck the SSLv3 box under Security. All done!

I have not been able to find any solution so far for Safari on OSX.

/via +Kristian Köhntopp and elaborated with information from various other net sources

Attack of the week: POODLE
Believe it or not, there’s a new attack on SSL. Yes, I know you’re thunderstruck. Let’s get a few things out of the way quickly. First, this is not another Heartbleed. It’s bad, but it’s not going to destroy the Internet. Als…

7 thoughts on “Have you updated your browser security settings?”

  1. Martin Breuer

    +Sophie Wrobel I found 3 instances (new tab, new instance, incognito) and changed it. I also rebooted and tried to start a complete new instance directly from shell. Nothing changed.
    I haven't cleared cache but I force reloaded the website with all combos/ways I know…

  2. Sophie Wrobel

    +Martin Breuer There should be several instances in that file – did you modify all of them, with appropriate spacing around the parameter and not interrupting arguments that should follow all parameters?

    (I'm not on linux now, so I can't verify).

  3. Martin Breuer

    I try to secure my chrome browser on linux but adding the parameter changes nothing. I still get the vulnerable result on the poodletest website.
    Any ideas?
