Half Monk

Poodle effect: Mozilla to disable SSL version 3.0 in Firefox 34

Mozilla has announced that SSL version 3.0 will be disabled by default in Firefox 34, which is due for release on November 25. The announcement comes in the wake of a vulnerability that was discovered in said version of the security protocol which, according to the company, is used by Firefox for around 0.3% of HTTPS connections, or "millions of transactions per day".

 


For those who can't wait until the next release, the company has also created the SSL Version Control Firefox extension to disable SSLv3 immediately.

 

The code to disable SSLv3 will be available shortly via Mozilla Nightly, a nightly build of the latest development version of the web browser, and will be promoted to Aurora and Beta in the next few weeks, the company said.

 

Mozilla also said that as an additional precaution, Firefox 35 will support a generic TLS downgrade protection mechanism, SCSV, which, if supported by the server, prevents attacks that rely on insecure fallback.

 

To stay safe, the company is advising all to ensure that Firefox is configured to receive automatic updates under Preferences -> Advanced -> Update.

 

The SSL v3.0 vulnerability was recently uncovered by Google researchers, who dubbed it "Poodle", short for Padding Oracle On Downgraded Legacy Encryption. "By exploiting this vulnerability, an attacker can gain access to things like passwords and cookies, enabling him to access a user’s private account data on a website", Mozilla said.

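The server-side half of the SCSV downgrade protection mentioned in the post, combined with a minimum-version cut-off that refuses SSLv3, as an added example that is not part of the original post and is not Mozilla's code. The code point 0x5600 and alert 86 come from RFC 7507; `server_decision`, `build_hello` and the sample ClientHello bodies are constructed for illustration.

```python
import struct

TLS_FALLBACK_SCSV = 0x5600         # signalling cipher suite value (RFC 7507)
ALERT_PROTOCOL_VERSION = 70        # fatal alert: offered version not accepted
ALERT_INAPPROPRIATE_FALLBACK = 86  # fatal alert defined by RFC 7507
SSL3, TLS10, TLS12 = 0x0300, 0x0301, 0x0303  # wire protocol versions


def parse_client_hello(body: bytes):
    """Return (client_version, cipher_suites) from a ClientHello body."""
    if len(body) < 35:  # version (2) + random (32) + session_id length (1)
        raise ValueError("truncated ClientHello")
    (version,) = struct.unpack_from("!H", body, 0)
    pos = 35 + body[34]  # skip the session_id
    if len(body) < pos + 2:
        raise ValueError("truncated ClientHello")
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if cs_len == 0 or cs_len % 2 or len(body) < pos + cs_len:
        raise ValueError("malformed cipher_suites vector")
    return version, list(struct.unpack_from(f"!{cs_len // 2}H", body, pos))


def server_decision(body: bytes, server_min: int, server_max: int):
    """Hypothetical server policy: ('alert', code) or ('continue', version)."""
    version, suites = parse_client_hello(body)
    # SCSV marks this hello as a retry at a lower version. If the server
    # could have gone higher, the earlier attempt was interfered with.
    if TLS_FALLBACK_SCSV in suites and version < server_max:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    if version < server_min:  # e.g. SSLv3 disabled outright
        return ("alert", ALERT_PROTOCOL_VERSION)
    return ("continue", min(version, server_max))


def build_hello(version: int, suites):
    """Build a constructed ClientHello body (zero random, empty session_id)."""
    cs = struct.pack(f"!{len(suites)}H", *suites)
    return (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")


if __name__ == "__main__":
    real = [0xC02F, 0x002F]  # constructed sample cipher suite list
    for label, hello in [
        ("TLS 1.2 first attempt", build_hello(TLS12, real)),
        ("SSLv3 retry with SCSV", build_hello(SSL3, real + [TLS_FALLBACK_SCSV])),
        ("SSLv3 without SCSV", build_hello(SSL3, real)),
    ]:
        print(label, "->", server_decision(hello, TLS10, TLS12))
```

The SCSV check only helps when both sides implement it, which is why the minimum-version cut-off is applied as a separate rule for clients that never send the signalling value.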
