Ever since the “Poodle” vulnerability was discovered in the SSL 3.0 cryptographic protocol, web browser development teams have been promising to discontinue support for SSL 3.0 in future versions of their browsers. Mozilla Firefox and Microsoft Internet Explorer have already made statements about SSL 3.0 and how to mitigate the impact of the newly discovered vulnerability. Now Google has also stated that support for the SSL 3.0 protocol will be withdrawn in the upcoming version 40 of the Chrome browser. Google is going to release version 40 of Chrome sometime in December 2014. If you cannot wait for version 40, you can take these steps to disable SSL 3.0 and protect yourself from possible “Poodle” attacks:
- Right-click on the Google Chrome shortcut on your desktop and select Properties. You can also do the same for any other Google Chrome shortcuts that you use for launching the Chrome browser.
- In the Properties window that opens, switch to the Shortcut tab. Then, in the Target command line, append --ssl-version-min=tls1 (with two leading hyphens) after a space, outside any closing quotation mark around the path. This command-line parameter forces Chrome to use TLS 1.0 as the minimum version of the cryptographic protocol.
- Click OK to save the changes. You may see an administrator access dialog in which you have to click the Continue button to proceed with making the changes.
- That’s it. Now when you launch the Chrome browser from that shortcut, it will not use SSL 3.0.
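
The shortcut edit described in the steps above can also be scripted. The following PowerShell is an added example, not part of the original article; the list of folders searched and the match on a chrome.exe target are assumptions to adjust for your system.

```powershell
# Added example: append --ssl-version-min=tls1 to every Chrome shortcut
# found in the folders below. The folder list is an assumption.
$flag = '--ssl-version-min=tls1'
$folders = @(
    [Environment]::GetFolderPath('Desktop'),
    [Environment]::GetFolderPath('CommonDesktopDirectory'),
    [Environment]::GetFolderPath('Programs'),
    [Environment]::GetFolderPath('CommonPrograms')
)

# WScript.Shell exposes .lnk files with separate TargetPath and Arguments
# properties (the Properties dialog shows both together in "Target").
$shell = New-Object -ComObject WScript.Shell

foreach ($folder in $folders) {
    if (-not $folder -or -not (Test-Path $folder)) { continue }

    Get-ChildItem -Path $folder -Filter '*.lnk' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)

            # Only touch shortcuts that launch chrome.exe.
            if ($lnk.TargetPath -notmatch '\\chrome\.exe$') { return }

            # Idempotent: leave shortcuts that already set a minimum version.
            if ($lnk.Arguments -match '(^|\s)--ssl-version-min=') {
                Write-Output "Already set: $($_.FullName) [$($lnk.Arguments)]"
                return
            }

            $lnk.Arguments = ("$($lnk.Arguments) $flag").Trim()
            try {
                $lnk.Save()
                Write-Output "Updated: $($_.FullName)"
            } catch {
                # Shortcuts in all-users folders need an elevated session.
                Write-Warning "Could not save $($_.FullName): $_"
            }
        }
}
```

Run it from an elevated PowerShell session if you want the all-users shortcuts updated as well. As with the manual steps, the setting applies only when Chrome is started from a modified shortcut.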
Conclusion: Although Chrome does not provide a setting to disable SSL 3.0 directly, you can still disable it using a command-line parameter. Disabling SSL 3.0 in Chrome will protect you against possible “Poodle”-based attacks.