Disable Obsolete SSL for Secure Browsing

Contents

1. Introduction
2. Steps for Microsoft Internet Explorer
3. Steps for Mozilla Firefox
4. Notes Regarding Google Chrome
5. Testing for the POODLE Vulnerability

Introduction

With SSLv3 and older versions considered obsolete and insecure, and with the announcement of the POODLE SSL vulnerability, it is more important than ever to ensure your browser is configured for maximum security. Current best practices recommend disabling all versions of secure connections using SSL and allowing only TLS protocols.

Steps for Microsoft Internet Explorer

Written for IE 11, but similar to other IE versions

1. Open your Internet Explorer web browser.  Click on the tools icon (looks like a gear) on the menu bar.  Scroll down to the bottom of the tools menu and click the item titled “Internet options”.
   
2. You should now see the Internet Options menu.  There are 7 tabs on this menu: General, Security, Privacy, Content, Connections, Programs, and Advanced. Click on the “Advanced” tab to display the Advanced options list.
   
3. Scroll to the bottom of the Advanced options list.  The 8th option from the bottom is “Use SSL 2.0”, followed by options for SSL 3.0, TLS 1.0, TLS 1.1 and TLS 1.2.  To avoid letting your browser use obsolete protocols, uncheck both Use SSL 2.0 and Use SSL 3.0.  To make sure you support all of the protocols currently considered safe, make sure all 3 Use TLS boxes are checked.  Click the “Apply” and “OK” buttons to return to your browser window.
   

Steps for Mozilla Firefox

Firefox 30 and other contemporary versions

1. Open your Firefox web browser.  Click in the address bar, type about:config and press enter.  Click the button stating “I’ll be careful, I promise!”. (As it mentions, follow the steps beyond this point carefully!)
   
2. In the search box, type security.tls and wait for the list to be filtered, or press enter.
   
3. Double-click security.tls.version.min (make sure you are not clicking on security.tls.version.max!).  In the entry box that opens titled “Enter integer value”, type a 1, then click “OK”.
   

Note: Mozilla has developed a plugin to allow SSLv3 to stay enabled and still minimize the impact of POODLE.  See the Mozilla Security Blog (“Additional Precautions” section) for more details.

Previous versions of Firefox

1. Open your Firefox web browser.  Click on the Tools menu on the menu bar.  Scroll down to the bottom of the Tools menu and click the item titled “Options...”
   
2. The Options menu should now be open.  From the top tabs, click the “Advanced” tab to display the advanced options menu.
   
3. On the Advanced menu select the “Encryption” tab.  Uncheck the box that states “Use SSL 3.0” to disable SSL 3.0.  Ensure the ”Use TLS 1.0” option is checked.  Click the “OK” button to return to your browser window.
   

Notes Regarding Google Chrome

At the time of writing, Google Chrome allows SSLv3 as a secure connection protocol, and does not offer an option to disable it. Google has stated support for SSLv3 will be removed “[i]n the coming months”.

Testing for the POODLE Vulnerability

To test the SSL/TLS capabilities of your browser, there are several websites that offer test tools. One such page is Qualys SSL Labs’ SSL/TLS test. This test will check what versions of SSL and TLS your browser supports and will warn you if SSLv3 is still enabled.