

How do I disable SSLv3 in Safari (OSX & iOS)

Hi All,


So following this morning's Google announcement on the SSLv3 vulnerability, I tried disabling it on the client side on my various systems and browsers. On OSX, I managed to do it for Firefox and Chrome but not for Safari. On iOS I didn't manage at all.


Any clue on how it can be done?


FWIW:

- Disabling SSLv3 in Firefox:

Open about:config, find security.tls.version.min and set the value to 1. Then restart your browser to drop any open SSL connections.


- Disabling SSLv3 in Chrome:

Launch Chrome using an AppleScript that contains the following

do shell script "open -a /Applications/Google\\ Chrome.app --args --ssl-version-min=tls1"


- Checking client-side vulnerability:

https://www.poodletest.com/


- Checking server-side vulnerability:

http://www.poodlebleed.com


Cheers,

Alex

Posted on Oct 15, 2014 3:27 AM

74 replies
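The client-side check above (poodletest.com) works by looking at what the browser actually sends in its ClientHello. The following is an added example, not code from the original post or from the poodletest site: it builds constructed ClientHello records (an SSLv3 fallback hello with CBC suites and no signalling suite, and a modern TLS 1.2 hello that includes TLS_FALLBACK_SCSV from RFC 7507), parses them, and reports the three things that matter for POODLE: the offered protocol version, whether TLS_FALLBACK_SCSV is present to block the downgrade dance, and which offered suites are CBC-mode. The cipher-suite table is a small subset of the IANA registry, and CBC classification is by name only, so suites not in the table are left unclassified.

```python
"""Added example (not from the thread): parse a TLS/SSL ClientHello record and
report the fields relevant to POODLE. All sample hellos are constructed inline;
nothing here is a real capture."""
import struct

SSL3_VERSION = 0x0300
TLS_FALLBACK_SCSV = 0x5600  # RFC 7507 signalling suite

# Small subset of IANA cipher-suite IDs, enough for the constructed samples.
# Suites outside this table are reported by hex ID and not classified as CBC.
CIPHER_NAMES = {
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0x00FF: "TLS_EMPTY_RENEGOTIATION_INFO_SCSV",
    0x5600: "TLS_FALLBACK_SCSV",
}
VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


def version_name(v):
    return VERSION_NAMES.get(v, "0x%04x" % v)


def build_client_hello(client_version, suites, record_version=None):
    """Construct a minimal ClientHello record: empty session_id, null compression,
    no extensions. Constructed test input only."""
    body = struct.pack("!H", client_version) + bytes(32)  # version + zero random
    body += b"\x00"                                       # session_id length 0
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                   # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1, 24-bit length
    rec_ver = client_version if record_version is None else record_version
    return b"\x16" + struct.pack("!HH", rec_ver, len(handshake)) + handshake


def parse_client_hello(data):
    """Parse one handshake record containing a ClientHello; raise ValueError on malformed input."""
    if len(data) < 9 or data[0] != 0x16:
        raise ValueError("not a handshake record")
    record_version, record_len = struct.unpack("!HH", data[1:5])
    if len(data) < 5 + record_len:
        raise ValueError("truncated record")
    hs = data[5:5 + record_len]
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", body[:2])[0]
    pos = 34                                   # skip client_version + 32-byte random
    pos += 1 + body[pos]                       # skip session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad cipher_suites length")
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"record_version": record_version, "client_version": client_version,
            "cipher_suites": suites}


def assess_poodle_exposure(hello):
    """Summarise what a POODLE attacker needs: SSLv3 offered, CBC suites available,
    and no fallback signalling to let a server refuse the downgrade."""
    suites = hello["cipher_suites"]
    cbc = [CIPHER_NAMES[s] for s in suites if "_CBC_" in CIPHER_NAMES.get(s, "")]
    offers_sslv3 = hello["client_version"] <= SSL3_VERSION
    return {
        "client_version": version_name(hello["client_version"]),
        "offers_sslv3": offers_sslv3,
        "fallback_scsv": TLS_FALLBACK_SCSV in suites,
        "cbc_suites": cbc,
        # SSLv3 plus a CBC suite is the POODLE precondition on the client side.
        "poodle_capable": offers_sslv3 and bool(cbc),
    }


# Constructed samples: a browser's SSLv3 fallback attempt, and a modern TLS 1.2 hello.
LEGACY_HELLO = build_client_hello(0x0300, [0x002F, 0x0035, 0x000A, 0x0005])
MODERN_HELLO = build_client_hello(0x0303, [0xC02F, 0x009C, 0xC013, 0x5600],
                                  record_version=0x0301)

if __name__ == "__main__":
    for label, raw in (("legacy", LEGACY_HELLO), ("modern", MODERN_HELLO)):
        print(label, assess_poodle_exposure(parse_client_hello(raw)))
```

A client that has SSLv3 turned off never sends the first kind of hello, which is exactly what the Firefox and Chrome settings above achieve; a client that still falls back but includes TLS_FALLBACK_SCSV relies on the server honouring RFC 7507 and rejecting the downgrade.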

Jan 20, 2015 5:40 PM in response to Long Wu Yuan

Your count of 2:1 is wrong.

WHAT?! Ive nevur ben rong n meye lief!!!


Seriously, until Apple (or someone else) makes it clear that Safari is immune, I suppose the only safe surfing for Mac users is Firefox? At least for any site that still uses SSL3. I have not yet heard from my credit union as to whether Safari will be acceptable/usable or not, when they cease using SSL3. I assume Safari will simply use the newer technique, TSL, I think. If that site doesn't use SSLx, certainly Safari won't either.

Jan 20, 2015 8:45 PM in response to xairbusdriver

xairbusdriver wrote:

Seriously, until Apple (or some one else) makes it clear that Safari is immune, I suppose the only safe surfing for Mac users is Firefox?

Apple has not retracted anything from their previous statement on this in About Security Update 2014-005 and the 10.10.1 Update announcements. I realize that others have stated this is not true, as I said earlier in this discussion, when I called those statements to the attention of Apple Product Security they informed me on 12/19/2014 "The Safari behavior you describe is as intended."

I assume Safari will simply use the newer technique, TSL, I think.

It's TLS 1.2 and if you check the Qualys SSL web site again, in the top box you will see that it does use it and has for many years now.

Jan 20, 2015 10:14 PM in response to MadMacs0

My patched laptop Safari:


I can connect to the test site using SSLv3:

$ openssl s_client -connect www.poodletest.com:443 -ssl3

CONNECTED(00000003)

depth=1 /C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA

verify error:num=20:unable to get local issuer certificate

verify return:0

---

Certificate chain

0 s:/C=US/ST=Florida/L=Jacksonville/O=DShield Inc./CN=www.poodletest.com/emailAddress=jullrich@euclidian.com

i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA

1 s:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA

i:/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority

---

Server certificate

-----BEGIN CERTIFICATE-----

MIIHzTCCBrWgAwIBAgIDApiOMA0GCSqGSIb3DQEBCwUAMIGMMQswCQYDVQQGEwJJ

Jan 20, 2015 10:22 PM in response to Long Wu Yuan

Which is exactly what others quoted earlier here have shown, but can you exploit it? That's what's important here. There are probably hundreds of vulnerabilities in the current OS X 10.10.1 system, but they are only a threat if you have the ability to exploit them. Nowhere has Apple said you can't connect. They only said "This issue was addressed by disabling CBC cipher suites when TLS connection attempts fail." If the cipher suites are actually disabled, then any connection using one of them would seem to be moot.

Jan 20, 2015 11:36 PM in response to Long Wu Yuan

Long Wu Yuan wrote:


So use Safari and maximize the risk of losing money/happiness/both. Or not use Safari I guess.

Sounds about right.


First I want to make it clear that I'm not defending Apple, just trying to present the facts that I've been able to keep track of. It's really up to the individual to be comfortable using any software they have based on the best information available. I would never take a position of trying to tell an individual what to do in cases like this. They need to make up their own minds.


What's a bit more of an issue is that there may be some financial institutions out there that will make the decision for you if they choose to block use of Safari in carrying out transactions. I suppose that's up to the institutions' IT departments to decide, but it would be nice if their industry was able to satisfy themselves through correspondence with Apple and their own testing what the correct policy should be.


There is a similar discussion going on in the forum concerning the NTP flaw that Apple claims to have patched. Just as Apple decided not to take the experts' advice to disable SSLv3 in Safari, they decided not to adopt the patched version 4.2.8 of ntpd and came up with their own solution. I would guess that was probably because they started work on a fix before v4.2.8 was made available and rather than go through testing of 4.2.8 rolled out with their own fix. Now it seems the credit card POS industry has decided that any OS which does not have ntpd 4.2.8 is no longer in compliance with their PCI standards and therefore cannot accept credit card payments using OS X computers. I suppose that was the easiest way to test for compliance and based on what they were being told by the IT security community, rather than devise a test for the vulnerability itself.


They have a history of doing similar things. I recall many years ago when a major flaw was found in bzip2 which was patched by developers with a new version. Apple left the old version in place and patched something else to overcome the vulnerability, creating some concern among knowledgeable users. Again, Apple Product Security responded to me that they were able to take a different route to blocking any exploit. There are similar examples involving Java updates prior to Oracle's finally stepping up with Java SE 7.
