How do I disable SSLv3 in Safari (OSX & iOS)

Hi Alex,

Tried doing the shell scripting option for Chrome and it still comes up as Vulnerable when testing. Is that expected?

OSX -10.9.5

Chrome - v38.0.2125.104

Thanks.

Jim

Ahhh Yes, good olde cache refresh. That did the trick.

Thanks!

Jim

any luck on the Safari disable?

Just had a chat with Apple support - obviously disabling sslv3 or selecting an encription protocol is not a feature of iPad or Safari. He advised me to contact my Internet provider on this - which would not really help.

So now I try to make the Chrome Browser secure on the Ipad and for this I have a Dummy question:

How do I start a script on the Ipad? Is there a command line hidden somewhere ?

Any help on this is appreciated!

Hi all,

particularly for Google Chrome, here's a super automator app instruction as Chrome needs to be told to disable SSL3 on each launch:

I hope this helps:

https://zmap.io/sslv3/browsers.html#chrome-osx

In the case of Firefox, I would use their SSL Version Control add-on as there are more settings to change than just the TLS version.

https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/

Also, I would recommend limiting your version of TLS to 1.2 (security.tls.version.min value of 2) since TLS1.0 is also vulnerable.

Thanks for the testing links, all of my banking sites are still vulnerable, so turning off SSL 3.0 support in your browser is important.

Good tip on Firefox extension provided by Mozilla until the release of Firefox 34. Why do you say that TLS 1.0 is also vulnerable? Do you mean to the POODLE attack? ... With the extension set to TLS 1.0, poodletest.com said that I was protected. ... Or did you mean another vulnerability?

Apple posted the following updates that include a fix for the SSLv3 "Poodle" issue:

Yosemite 10.10

Security Update 2014-005 Mavericks

Security Update 2014-005 Mountain Lion

as well as updates for all currently supported Servers (4.0, 3.2.2, 2.2.5)

All of them contain the following:

Secure Transport

Impact: An attacker may be able to decrypt data protected by SSL

Description: There are known attacks on the confidentiality of SSL

3.0 when a cipher suite uses a block cipher in CBC mode. An attacker

could force the use of SSL 3.0, even when the server would support a

better TLS version, by blocking TLS 1.0 and higher connection

attempts. This issue was addressed by disabling CBC cipher suites

when TLS connection attempts fail.

CVE-ID

CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of

Google Security Team

It would appear that your browsers will show "maybe vulnerable" on the poodletest site, so my guess is that OS X will prevent all apps from using SSLv3 even if they would otherwise be capable of doing so. This will protect other apps, such as e-mail clients that are also normally able to use SSLv3.

al2go wrote:

I hope they fix iOS soon as well.

Check back on Monday when iOS 8.1 is released. I don't have any inside info on it, but that would be the next opportunity.

Meanwhile you can try with the next recommendations through the url http://tweaks.com/windows/67027/how-to-protect-ie-chrome-and-firefox-from-the-po odle-ssl-v3-exploit for IE, Firefox and Google Chrome.

Later, I have tested this vulnerability with https://www.poodletest.com/ and now, I am not vulnerable.

Those are for Windows users and there is no need to modify any browsers after you apply one of these:

Apple posted the following updates that include a fix for the SSLv3 "Poodle" issue:

Yosemite 10.10

Security Update 2014-005 Mavericks

Security Update 2014-005 Mountain Lion

as well as updates for all currently supported Servers (4.0, 3.2.2, 2.2.5)

Ignore any results from poodletest[dot]com as they are no longer valid for the above versions of OS X.