
Question: How do I disable SSLv3 in Safari (OSX & iOS)

Hi All,


So following this morning's Google announcement on the SSLv3 vulnerability, I tried disabling it on the client side on my various systems and browsers. On OSX, I managed to do it for Firefox and Chrome but not for Safari. On iOS I didn't manage at all.


Any clue on how it can be done?


FWIW:

- Disabling SSLv3 in Firefox:

Open about:config, find security.tls.version.min and set the value to 1. Then restart your browser to drop any open SSL connections.


- Disabling SSLv3 in Chrome:

Launch Chrome using an AppleScript that contains the following

do shell script "open -a /Applications/Google\\ Chrome.app --args --ssl-version-min=tls1"


- Checking client-side vulnerability:

https://www.poodletest.com/


- Checking server-side vulnerability:

http://www.poodlebleed.com


Cheers,

Alex

Oct 16, 2014 8:24 PM in response to al2go

Apple posted the following updates that include a fix for the SSLv3 "Poodle" issue:


Yosemite 10.10

Security Update 2014-005 Mavericks

Security Update 2014-005 Mountain Lion

as well as updates for all currently supported Servers (4.0, 3.2.2, 2.2.5)


All of them contain the following:


Secure Transport

Impact: An attacker may be able to decrypt data protected by SSL

Description: There are known attacks on the confidentiality of SSL 3.0 when a cipher suite uses a block cipher in CBC mode. An attacker could force the use of SSL 3.0, even when the server would support a better TLS version, by blocking TLS 1.0 and higher connection attempts. This issue was addressed by disabling CBC cipher suites when TLS connection attempts fail.

CVE-ID

CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of Google Security Team


It would appear that your browsers will show "maybe vulnerable" on the poodletest site, so my guess is that OS X will prevent all apps from using SSLv3 even if they would otherwise be capable of doing so. This will protect other apps, such as e-mail clients that are also normally able to use SSLv3.
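
An added example, not part of the original thread and not Apple's code: the fix text quoted above says CBC cipher suites are disabled when TLS connection attempts fail, and that is visible in the ClientHello a client sends on its fallback attempt. The sketch parses one captured ClientHello record and reports whether it is an SSL 3.0 hello that still offers CBC suites. The function names, the suite table (a subset of IANA IDs) and the sample records are constructed for illustration, and the parser assumes a single unfragmented record.

```python
# Subset of IANA cipher-suite IDs that SSL 3.0 clients offer (illustrative, not exhaustive).
SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
SSL3 = 0x0300  # wire value of SSL 3.0; TLS 1.0 is 0x0301


def parse_client_hello(record: bytes):
    """Return (client_version, [suite ids]) from one record carrying a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record with a ClientHello")
    hs_len = int.from_bytes(record[6:9], "big")
    hello = record[9:9 + hs_len]
    if len(hello) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    version = int.from_bytes(hello[0:2], "big")
    pos = 34 + 1 + hello[34]          # skip version, 32-byte random, session_id
    n = int.from_bytes(hello[pos:pos + 2], "big")
    raw = hello[pos + 2:pos + 2 + n]
    if len(hello) < pos + 2 or len(raw) != n or n % 2:
        raise ValueError("bad cipher_suites field")
    return version, [int.from_bytes(raw[i:i + 2], "big") for i in range(0, n, 2)]


def classify(record: bytes):
    """Return (verdict, CBC suites offered) for a single captured ClientHello."""
    version, suites = parse_client_hello(record)
    cbc = [SUITES[s] for s in suites if "_CBC_" in SUITES.get(s, "")]
    if version != SSL3:
        return "tls-hello", cbc       # says nothing about a later fallback attempt
    return ("ssl3-with-cbc" if cbc else "ssl3-no-cbc"), cbc


def build_hello(version: int, suites):
    """Constructed sample input: minimal ClientHello, empty session_id, no extensions."""
    ids = b"".join(s.to_bytes(2, "big") for s in suites)
    hello = (version.to_bytes(2, "big") + bytes(32) + b"\x00"
             + len(ids).to_bytes(2, "big") + ids + b"\x01\x00")
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + version.to_bytes(2, "big") + len(hs).to_bytes(2, "big") + hs


if __name__ == "__main__":
    for name, rec in [("SSL 3.0 with CBC", build_hello(SSL3, [0x0005, 0x002F, 0x000A])),
                      ("SSL 3.0, CBC disabled", build_hello(SSL3, [0x0005, 0x0004])),
                      ("TLS 1.2 first attempt", build_hello(0x0303, [0x002F, 0x0005]))]:
        print(name, "->", classify(rec))
```

A "tls-hello" verdict only describes that one hello; whether the client would retry with SSL 3.0 after a failed attempt has to be judged from the retry's own ClientHello.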


Oct 15, 2014 8:33 AM in response to al2go

Just had a chat with Apple support - obviously disabling SSLv3 or selecting an encryption protocol is not a feature of iPad or Safari. He advised me to contact my Internet provider on this - which would not really help.

So now I try to make the Chrome browser secure on the iPad and for this I have a dummy question:

How do I start a script on the iPad? Is there a command line hidden somewhere?

Any help on this is appreciated!


Oct 15, 2014 2:12 PM in response to Radbe

@ahalvor: no luck yet, I think we'll have to wait for a Safari update (or maybe for someone to come up with the magic defaults write command...)


@Radbe: shell access will require you to jailbreak your iPad and I doubt the iOS Chrome app can handle command line arguments like the desktop versions do - again waiting for updates is probably the way to go. Given the criticality of this vulnerability, it's only a question of hours (I hope) before Apple and Google provide detailed status for their systems / browsers.


Oct 16, 2014 7:02 AM in response to al2go

In the case of Firefox, I would use their SSL Version Control add-on as there are more settings to change than just the TLS version.

https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/

Also, I would recommend limiting your version of TLS to 1.2 (security.tls.version.min value of 2) since TLS 1.0 is also vulnerable.


Thanks for the testing links, all of my banking sites are still vulnerable, so turning off SSL 3.0 support in your browser is important.


Oct 16, 2014 8:31 AM in response to ctopher

Good tip on Firefox extension provided by Mozilla until the release of Firefox 34. Why do you say that TLS 1.0 is also vulnerable? Do you mean to the POODLE attack? ... With the extension set to TLS 1.0, poodletest.com said that I was protected. ... Or did you mean another vulnerability?


Oct 16, 2014 2:21 PM in response to wurzelgrumpf

@wurzelgrumpf - For Chrome, you can also save the AppleScript as an application (named something like GoogleChromeTLS) and place it alongside the Chrome app in your Applications folder. Then simply launch this new app instead of the regular Chrome. It will do the same thing as the Automator solution.


@ctopher - I didn't realize TLS 1.0 also was vulnerable, where can I find more info on this? TLS 1.2 isn't very widespread yet so requiring your browser to accept nothing less might prove incompatible with many websites. It's worth trying though.


Oct 20, 2014 1:34 AM in response to al2go

Meanwhile you can try the recommendations at http://tweaks.com/windows/67027/how-to-protect-ie-chrome-and-firefox-from-the-poodle-ssl-v3-exploit for IE, Firefox and Google Chrome.


Afterwards, I tested this vulnerability with https://www.poodletest.com/ and now I am not vulnerable.


Oct 20, 2014 8:27 AM in response to sermoc

Those are for Windows users and there is no need to modify any browsers after you apply one of these:


Apple posted the following updates that include a fix for the SSLv3 "Poodle" issue:


Yosemite 10.10

Security Update 2014-005 Mavericks

Security Update 2014-005 Mountain Lion

as well as updates for all currently supported Servers (4.0, 3.2.2, 2.2.5)


Ignore any results from poodletest[dot]com as they are no longer valid for the above versions of OS X.
