Thursday, October 30, 2014

Disabling SSLv3 in Firefox

With the recent discovery of the POODLE vulnerability in the SSLv3 protocol, I wanted to change my Firefox configuration to disallow SSLv3.  Mozilla released an extension for this called SSL Version Control, but I decided not to install it given its somewhat sketchy reviews.

No problem, I thought.  Time to open the advanced configuration in Firefox by entering "about:config" in the address bar and make the change there.  Searching for "security" will show many configuration settings that start with "security.ssl3".  Some of them will be set to true and some to false.  You would think setting all the values to "false" here would be the solution.  Nope!  Don't do it.  Although the settings have "ssl3" in their name, they actually apply to both SSLv3 and all three TLS versions (1.0, 1.1, and 1.2).  If you change them all to false, both SSLv3 and TLS will be disabled and your browser will be incapable of communicating securely at all.

The correct solution, as described here, is easier.  Just set "security.tls.version.min" to 1, which means that TLS v1.0 is the minimum allowed version.  When set to 0, it means that SSLv3 is allowed.  I hope that helps.
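To check a profile without clicking through about:config, here is an added example (not from the original post) that parses a Firefox prefs.js or user.js file and reports both problems discussed above: SSLv3 still allowed (security.tls.version.min below 1) and every security.ssl3.* setting switched off. It assumes the usual `user_pref("name", value);` line format and that a missing security.tls.version.min means the then-default value 0; the sample file is constructed.

```python
import re

# One preference line, e.g. user_pref("security.tls.version.min", 1);
PREF_RE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(.+?)\);\s*$')

# Constructed sample profile, not copied from any real Firefox installation.
SAMPLE_PREFS = """\
// Mozilla User Preferences (constructed sample)
user_pref("security.tls.version.min", 0);
user_pref("security.tls.version.max", 3);
user_pref("security.ssl3.rsa_aes_128_sha", false);
user_pref("security.ssl3.rsa_aes_256_sha", false);
"""

def parse_prefs(text):
    """Parse prefs.js / user.js text into {name: value} with Python types."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        name, raw = m.groups()
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw  # leave unknown literals as text
        prefs[name] = value
    return prefs

def audit_prefs(prefs):
    """Return human-readable findings about SSLv3 handling in the prefs."""
    findings = []
    # Assumption: an absent pref means the then-default 0, i.e. SSLv3 allowed.
    minimum = prefs.get("security.tls.version.min", 0)
    if not isinstance(minimum, int) or minimum < 1:
        findings.append("SSLv3 still allowed: set security.tls.version.min to 1")
    # The security.ssl3.* prefs cover TLS too, so all-false breaks every connection.
    ssl3 = [v for k, v in prefs.items() if k.startswith("security.ssl3.")]
    if ssl3 and not any(v is True for v in ssl3):
        findings.append("every security.ssl3.* pref is false: TLS is disabled as well")
    return findings

if __name__ == "__main__":
    for finding in audit_prefs(parse_prefs(SAMPLE_PREFS)):
        print(finding)
```

Point it at your profile's prefs.js (or the user.js you maintain) and an empty result means the minimum version is already TLS 1.0 or higher.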

This is a temporary work-around anyway as Mozilla says that SSLv3 will be disabled by default starting with Firefox 34.