SSL 3 is dead

Just for completeness, in case you still haven’t noticed despite the various reports: SSL 3 is considered to be “dead”. Also see the article about this at Security Labs.

For me this was no surprise – I haven’t used SSL 3 on my servers for more than a year anyway. At least TLS 1.0 is required. So far I have never had any complaint from users of my services that they cannot use them because of that.

Therefore I generally recommend turning off SSL 3, for example in Apache with the following configuration:

SSLProtocol all -SSLv2 -SSLv3
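
To check that no other SSLProtocol line in a configuration quietly re-enables SSL 3, the following added example (not part of the original post, and not Apache's own code) evaluates each directive left to right and reports the ones that still allow SSLv2 or SSLv3. It assumes that "all" includes SSLv2 and SSLv3, as on older builds, and that a token without + or - replaces the set built so far; the function names and the sample configuration are made up for illustration.

```python
import re

# Assumption: "all" expands as on an older mod_ssl/OpenSSL build (worst case).
ALL = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"}
KNOWN = {name.lower(): name for name in ALL | {"TLSv1.3"}}
DIRECTIVE = re.compile(r"^\s*SSLProtocol\s+(.*)$", re.IGNORECASE)

def effective_protocols(args):
    """Evaluate one SSLProtocol argument list left to right."""
    enabled = set()
    for token in args.split():
        action = token[0] if token[0] in "+-" else ""
        name = token.lstrip("+-").lower()
        if name == "all":
            selected = set(ALL)
        elif name in KNOWN:
            selected = {KNOWN[name]}
        else:
            raise ValueError(f"unknown protocol token: {token!r}")
        if action == "-":
            enabled -= selected
        elif action == "+":
            enabled |= selected
        else:
            enabled = selected  # a bare token replaces what came before
    return enabled

def audit(config_text):
    """Return (line number, directive, weak protocols) per risky directive."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        match = DIRECTIVE.match(line.split("#", 1)[0])  # ignore comments
        if match:
            weak = effective_protocols(match.group(1)) & {"SSLv2", "SSLv3"}
            if weak:
                findings.append((line_no, line.strip(), sorted(weak)))
    return findings

# Constructed sample configuration, not taken from a real server.
SAMPLE = """\
SSLProtocol all -SSLv2 -SSLv3
<VirtualHost *:443>
    SSLProtocol all -SSLv2
</VirtualHost>
# SSLProtocol all
SSLProtocol -SSLv3 all
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("line %d: %r still enables %s" % finding)
```

The virtual host in the sample is flagged because its own directive drops only SSLv2, and the last line is flagged because the bare "all" after "-SSLv3" resets the set.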

As an end user you should also disable SSL 3 in your browser. On the test page by SSL Labs you can check if your browser is affected by the problem.

Update 2014-11-08: If you use older software on your server which does not allow you to modify the SSL configuration, you should have a look at the “TLS Imposer”.
