Recently a lot of security issues have been uncovered. Poodle was discovered back in September 2014 by the Google security team, this can lead to a Man in the Middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0.
POODLE is an example of a vulnerability that succeeds thanks to a mechanism designed for reducing security for the sake of interoperability.
I am not go into too much details about this vulnerability. if you really want to understand it fully and the ins and outs I suggest you read this article: https://www.us-cert.gov/ncas/alerts/TA14-290A
We must disable the support for SSL V 3.0 and this is what I will show you. How to disable it for various different OSs and different servers, devices and applications.
I would like to stress this is a serious vulnerability and it is strongly recommend you do disable SSL V 3.0.
Let's deal with the easy part.
How to disable SSL V 3.0 support for Internet Explorer.
- Click on "Tools" menu option
- Click on "Internet Options"
- Click on [Advanced] tab
- Scroll the bar on the right, right to the bottom
- Dis-Select "Use SSL 3.0"
- Dis-Select "Use SSL 2.0"
- Select "Use TLS 1.0"
- Select "Use TLS 1.1"
- Select "Use TLS 1.2"
- Click on [OK]
Note After applying this workaround, Internet Explorer will fail to connect to Web servers that only support SSL up to 3.0 and don’t support TLS 1.0, TLS 1.1, and TLS 1.2.
Disable SSL 3.0 and enable TLS 1.0, TLS 1.1, and TLS 1.2 for Internet Explorer in Group Policy
You can disable support for the SSL 3.0 protocol in Internet Explorer via Group Policy by modifying the Turn Off Encryption Support Group Policy Object.
- Open Group Policy Management.
- Select the group policy object to modify, right click and select Edit.
- In the Group Policy Management Editor, browse to the following setting:Computer Configuration -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page -> Turn off encryption support
- Double-click the Turn off Encryption Support setting to edit the setting.
- Click Enabled.
- In the Options window, change the Secure Protocol combinations setting to "Use TLS 1.0, TLS 1.1, and TLS 1.2".
- Note It is important to check consecutive versions. Not selecting consecutive versions (e.g. checking TLS 1.0 and 1.2, but not checking 1.1) could result in connection errors.
- Click OK.
Let's make a bit more difficult for these people who want to take advantage!
Nets post I'll show how to disable for Windows client and server by editing the registry.
by Renato de Oliveira
No comments:
Post a Comment