After the recent POODLE unpleasantness, the latest versions of both Firefox (35) and Chrome (40) were secured by barring the use of the SSL 3.0 encryption protocol entirely, since POODLE relies on this protocol as its attack vector. (Microsoft has released various patches and quick-fixes for Internet Explorer 11 and states it will completely disable SSL 3.0 in April 2015.)
Disabling SSL 3.0 is definitely a Good Thing. However, the subsequent revelation that TLS 1.0 is also vulnerable seems to have caught the browser vendors off guard: TLS 1.0 is still enabled by default in all three major browsers as of this writing. In this article, we show you how to protect yourself by forcing your browser to use only the safer TLS 1.1 and TLS 1.2 protocols.
To disable SSL 3.0 and TLS 1.0 in Internet Explorer 11:
- Left-click the gear icon.
- Select “Internet options” from the dropdown menu.
- Click the “Advanced” tab, scroll down and deselect “SSL 3.0” and “TLS 1.0”.
- Click “OK” to accept your changes, which should take effect immediately. (You may need to refresh your browser.)
To set a minimum TLS version in Firefox:
- In the address bar, type “about:config” and hit Enter.
- In the “Search” field, enter “tls”. Find and double-click the entry for “security.tls.version.min”.
- Set the integer value to “2” to force a minimum protocol of TLS 1.1 (entering “3” would force TLS 1.2).
- The entry will now show the new value, which takes effect immediately (don’t forget to clear your cache).
Unlike IE and Firefox, Chrome can only be made to use TLS 1.1/1.2 by a command-line switch, an argument added to the command that starts the browser. This can be implemented by setting up a shortcut as we will show you below, but note that ONLY starting Chrome from this shortcut will prevent use of the insecure protocols.
To create a secure shortcut:
- Right-click on your desktop and select “New”, then “Shortcut”.
- In the “Create Shortcut” panel, browse to the location of your Chrome installation and select the Chrome icon. The default location is:
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
- Add the command-line switch --ssl-version-min=tls1.1 after the item location (i.e., after the closing quote), so that it appears thus:
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1.1
- Name the shortcut (SSL.com suggests giving it a unique name which will remind you that this shortcut is secure) and click “Finish.”
- Again, the only way to be certain that your Chrome session is secure will be using your new shortcut.
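The Chrome and Internet Explorer steps above, scripted in PowerShell as an added example (not part of the SSL.com article): it creates the Chrome shortcut with the --ssl-version-min switch and applies the IE “Advanced” tab setting through its registry form, the SecureProtocols bit mask under HKCU. It assumes the default 64-bit Chrome path shown above and runs for the current user only (no administrator rights needed).

```powershell
# Added example: assumes Chrome at its default 64-bit install path.
$ChromePath = "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe"
$IEKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function New-SecureChromeShortcut {
    param(
        [string]$ShortcutPath = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Chrome (TLS 1.1+).lnk'),
        [string]$MinVersion   = 'tls1.1'   # use 'tls1.2' to be stricter
    )
    if (-not (Test-Path $ChromePath)) { throw "chrome.exe not found at $ChromePath" }
    $shell = New-Object -ComObject WScript.Shell
    $lnk = $shell.CreateShortcut($ShortcutPath)
    $lnk.TargetPath       = $ChromePath
    $lnk.Arguments        = "--ssl-version-min=$MinVersion"   # the switch from the steps above
    $lnk.WorkingDirectory = Split-Path $ChromePath
    $lnk.Save()
    return $lnk
}

# SecureProtocols is a bit mask: 0x08 SSL 2.0, 0x20 SSL 3.0, 0x80 TLS 1.0,
# 0x200 TLS 1.1, 0x800 TLS 1.2. Leaving the SSL 3.0 and TLS 1.0 bits clear is
# the registry equivalent of unticking them on the "Advanced" tab.
function Set-IEMinimumTls {
    $tls11and12 = 0x200 -bor 0x800        # = 0xA00
    Set-ItemProperty -Path $IEKey -Name SecureProtocols -Value $tls11and12 -Type DWord
    return (Get-ItemProperty -Path $IEKey -Name SecureProtocols).SecureProtocols
}

function Test-IEMinimumTls {
    # True only when SSL 3.0 and TLS 1.0 are both disabled and TLS 1.2 is enabled.
    $v = (Get-ItemProperty -Path $IEKey -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
    if ($null -eq $v) { return $false }   # value absent: IE defaults apply, TLS 1.0 still on
    return (($v -band (0x20 -bor 0x80)) -eq 0) -and (($v -band 0x800) -ne 0)
}

New-SecureChromeShortcut | Out-Null
Set-IEMinimumTls | Out-Null
"IE restricted to TLS 1.1/1.2: $(Test-IEMinimumTls)"
```

Run Test-IEMinimumTls on its own to audit a machine without changing anything; a False result means the checkbox step above has not been applied for that user.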