SSLv3: Update Your Browsers

TL;DR

The SSLv3 protocol is very old and insecure. Modern browsers should have it disabled by default, but it’s worth checking to be sure. This guide shows you how to confirm SSLv3 is disabled in common browsers.

Why does this matter?

SSLv3 has known vulnerabilities that attackers can exploit. While less of a risk now than in the past, keeping it enabled leaves your connection open to potential attacks like POODLE. Most websites no longer support SSLv3 anyway.

Checking and Disabling SSLv3

  1. Google Chrome:
    • Chrome automatically disables SSLv3. You can verify this by typing chrome://flags in the address bar, searching for ‘SSLv3’, and confirming it’s disabled.
    • You can also check using a tool like SSL Labs Server Test to see which protocols your browser supports when connecting to a website.
  2. Mozilla Firefox:
    • Type about:config in the address bar and press Enter. Accept the risk warning.
    • Search for security.tls.version.min.
    • The value should be set to 3 (TLS 1.2). If it’s lower, change it to 3. A value of 0 means all TLS versions are enabled, which is fine as long as SSLv3 isn’t explicitly re-enabled elsewhere.
    • Search for security.ssl3.enable_clicktls and ensure it is set to false.
  3. Microsoft Edge:
    • Edge automatically manages TLS versions and disables SSLv3. There isn’t a direct setting to change.
    • Use the SSL Labs Server Test tool to verify support.
  4. Safari (macOS):
    • Safari relies on the macOS system settings for TLS configuration. Ensure macOS is up to date, as newer versions disable SSLv3 by default.
    • To check: Open Terminal and run openssl s_client -connect example.com:443 (replace ‘example.com’ with a website). Look for lines indicating supported protocols; SSLv3 should not be listed.
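
For checking many Firefox profiles at once, the security.tls.version.min check from step 2 can be scripted against each profile's prefs.js and user.js. The following is an added example, not part of the original guide or of Firefox; the function names and the sample file contents are constructed for illustration.

```python
import re

# Matches active lines such as: user_pref("security.tls.version.min", 1);
# Commented-out lines (starting with //) do not match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')
PREF_NAME = "security.tls.version.min"
REQUIRED_MIN = 3  # the guide's target value (TLS 1.2)


def read_min_version(text):
    """Return the last integer set for PREF_NAME in a prefs file, or None."""
    value = None
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if m and m.group(1) == PREF_NAME:
            try:
                value = int(m.group(2))  # a later entry replaces an earlier one
            except ValueError:
                continue  # malformed (non-integer) entry: skip it
    return value


def audit_profile(prefs_js, user_js=""):
    """Classify a profile as 'default', 'ok' or 'too_low'.

    user.js is applied on top of prefs.js at startup, so it wins when set.
    """
    for source, text in (("user.js", user_js), ("prefs.js", prefs_js)):
        value = read_min_version(text)
        if value is not None:
            status = "ok" if value >= REQUIRED_MIN else "too_low"
            return {"value": value, "source": source, "status": status}
    # The pref appears only when it was changed from the browser default.
    return {"value": None, "source": None, "status": "default"}


# Constructed sample contents (not taken from a real profile).
SAMPLE_PREFS = """// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("security.tls.version.min", 1);
// user_pref("security.tls.version.min", 3);
"""
SAMPLE_USER_JS = 'user_pref("security.tls.version.min", 3);\n'

if __name__ == "__main__":
    print(audit_profile(SAMPLE_PREFS))
    print(audit_profile(SAMPLE_PREFS, SAMPLE_USER_JS))
```

A "too_low" result means the profile has lowered the minimum below the value this guide recommends and should be reset in about:config.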

Using Online Tools

The easiest way to check if your browser supports SSLv3 is using an online SSL testing tool:

What if a website *requires* SSLv3?

If you encounter a website that insists on using SSLv3, do not use it. It’s extremely rare in 2024 and indicates a serious security problem with the site. Contact the website owner to report the issue.
