SSL 3.0 Disabled

Google researchers recently announced a vulnerability in version 3.0 of the SSL protocol.

Even though the SSL 3.0 protocol has been superseded by secure alternatives for at least a decade, most existing operating systems and Internet applications are willing to speak this old dialect for backward compatibility. Unfortunately, this willingness could be exploited by attackers to force modern web browsers and servers to communicate insecurely.

The researchers found that an attacker with control over your network connections (for example, on a public wifi network) could trick your web browser into leaking your personal “cookies.” These cookies could be used to assume your identity on secure web services.

Web browser vendors are working to push updates that would mitigate this risk by removing SSL 3.0 support from their software, but it may take months for these changes to trickle out to the majority of Internet users. Until that time, users of any service that still offers SSL 3.0 communications will be vulnerable to attack.

The only way to ensure that our users are protected from this vulnerability is to disable SSL 3.0 support on all of our servers so that they will only communicate with secure TLS. This will prevent attackers from tricking your browser into using the insecure protocol and stealing your identity.

We have disabled SSL 3.0 as of today. The majority of our users should not see anything different after the change. Unfortunately, there are two types of users who may have problems after SSL 3.0 is disabled:

First, people who access our systems through extremely old web browsers like Internet Explorer version 7 or earlier may see security errors on our site, as well as on other sites like Twitter that have made this change. To fix this problem, install a more recent web browser.

Second, people who use Windows XP may see errors if they never installed Service Pack 3 and Internet Explorer 8 on their computers. These people should be able to fix the problem by installing Service Pack 3 and Internet Explorer 8 via Windows Update (or from Microsoft’s websites).

We apologize in advance for the disruption this will cause to users of those old browsers and operating systems, but we feel that this is the best way to protect all our users from attack.
