The recent discovery of the “Poodle” vulnerability in the decades-old SSL 3.0 cryptographic protocol has taken security researchers by surprise. The SSL (Secure Sockets Layer) protocol is used to transfer data between your web browser and web servers over an encrypted connection. Such encrypted connections are typically used for sensitive information like login passwords, online banking and funds transfers. Because of the “Poodle” vulnerability in SSL 3.0, if a connection is encrypted with SSL 3.0, a determined attacker can recover the information being transferred.
To mitigate “Poodle” based attacks, you should disable SSL 3.0 in Microsoft Internet Explorer and enable TLS 1.0, TLS 1.1 and TLS 1.2 instead. No version of the TLS cryptographic protocol is affected by this vulnerability. Here is how you can enable TLS and disable SSL 3.0 in Microsoft Internet Explorer:
- Open Internet Explorer. Click on the gear-like icon on the top-right corner and select Internet Options from the menu.
- In the Internet Options window, select the Advanced tab. Scroll down the list of settings and under the category Security, uncheck the checkboxes for SSL 2.0 and SSL 3.0. Then select the checkboxes for TLS 1.0, TLS 1.1 and TLS 1.2.
- Click on the OK button to save the settings. That’s it – you have enabled the TLS protocol and disabled SSL 3.0 successfully.
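The three steps above toggle the per-user checkboxes in the Internet Options dialog. On a machine you administer, the same setting can be audited and applied from PowerShell, because the dialog stores the checkbox states as bit flags in the `SecureProtocols` DWORD under `HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings` (SSL 2.0 = 0x08, SSL 3.0 = 0x20, TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800, as documented by Microsoft). The script below is an added example, not part of the original article or a Microsoft tool: it reports which protocols are currently enabled, sets the value to TLS 1.0/1.1/1.2 only (0xA80), and re-checks that SSL 2.0 and SSL 3.0 are off. The function names are the example's own.

```powershell
# Added example (not from the article): audit and set the Internet Explorer
# "Use SSL/TLS" checkboxes by writing the registry value that the
# Internet Options > Advanced dialog itself writes.
$RegPath   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ValueName = 'SecureProtocols'

# Bit flags of the SecureProtocols DWORD (documented by Microsoft).
$Protocols = [ordered]@{
    'SSL 2.0' = 0x08
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}

function Get-IESecureProtocols {
    # Returns the current DWORD, or $null when the value has never been set
    # (IE then uses its built-in default, which at the time still included SSL 3.0).
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Show-IESecureProtocols {
    # Prints one line per protocol with its enabled/disabled state.
    $current = Get-IESecureProtocols
    if ($null -eq $current) {
        Write-Output 'SecureProtocols not set (IE built-in default in effect)'
        return
    }
    foreach ($name in $Protocols.Keys) {
        $state = if ($current -band $Protocols[$name]) { 'enabled' } else { 'disabled' }
        Write-Output ('{0,-8} {1}' -f $name, $state)
    }
}

function Set-IETlsOnly {
    # TLS 1.0 + TLS 1.1 + TLS 1.2 with SSL 2.0 and SSL 3.0 cleared:
    # 0x80 + 0x200 + 0x800 = 0xA80 (2688 decimal).
    $desired = $Protocols['TLS 1.0'] -bor $Protocols['TLS 1.1'] -bor $Protocols['TLS 1.2']
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    Set-ItemProperty -Path $RegPath -Name $ValueName -Value $desired -Type DWord
    return $desired
}

function Test-IESslDisabled {
    # $true only when the value is present and both SSL bits are clear;
    # an absent value is treated as "not proven off" rather than as safe.
    $current = Get-IESecureProtocols
    if ($null -eq $current) { return $false }
    $sslBits = $Protocols['SSL 2.0'] -bor $Protocols['SSL 3.0']
    return (($current -band $sslBits) -eq 0)
}

Write-Output 'Before:'
Show-IESecureProtocols
Set-IETlsOnly | Out-Null
Write-Output 'After:'
Show-IESecureProtocols
Write-Output ('SSL 2.0/3.0 disabled: {0}' -f (Test-IESslDisabled))
```

Run it in the profile of the user whose browser you are hardening; open Internet Explorer windows pick up the new value only after they are restarted. If the setting is managed by Group Policy, the policy-supplied value takes precedence over this per-user value, so the audit output should be read together with the policy state on domain-joined machines.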
Microsoft has also issued a Microsoft FixIt tool to take care of this “Poodle” vulnerability in Windows. You can download the Microsoft FixIt 51024 tool and run it on your Windows computer to have it fix the settings for you automatically. Microsoft has also announced that future versions and updates of Internet Explorer will disable SSL 3.0 by default, so that you will not have to disable it manually.
For more information about the Poodle vulnerability and how it affects Microsoft Internet Explorer, you can visit https://technet.microsoft.com/library/security/3009008.
“TLS 1.1, TLS 1.2 and TLS 1.3” should be changed to “TLS 1.0, TLS 1.1 and TLS 1.2”, as seen on the second screenshot.
Not enabling TLS 1.0 can make users unable to visit some sites, and TLS 1.3 doesn’t exist in browsers yet.
Thanks for pointing this out 🙂