Alternate article title
Redmond screws the pooch.
Microsoft has issued new guidance on the POODLE (Padding Oracle On Downgraded Legacy Encryption) SSL vulnerability, including a one-click utility that can automatically disable SSL 3.0 in Internet Explorer. The Fix It utility, which was released on Wednesday, is a reversible workaround for all versions of Redmond's browser …
I use IE, Iron and Firefox (I used to use Opera, but gave up due to its inability to grasp corporate proxies).
I've yet to find a single one that will work properly on all websites and internal kit that requires web access (and no, nothing to do with IE6 compatibility).
These days, as much as I hate to say it, I'm finding IE10 about the most compatible.
So feel free to pretend you have found the ultimate browser, because I've yet to.
The great thing about standards is there are so many of them.
... that if I go into Firefox's about:config and change security.tls.version.min from 0 to 1, and I then get "Error code: ssl_error_no_cypher_overlap" when I try to connect to a website, that website should be avoided, especially from public networks, because it is vulnerable to POODLE? And does that mean if I apply the IE fix I won't be able to reach it either?
Good job it's only our corporate web mail server.
Actually - I found an extra IE Window tucked behind another window. After I closed all open sessions of IE and ran again it seemed to fix it. Out of curiosity I tried the site with the latest version of Chrome and it was vulnerable. I found these instructions for disabling it manually.
https://zmap.io/sslv3/browsers.html
I think you've missed the point here.
Assuming Microsoft's own servers haven't been compromised, counting the number of people who connect with SSL3 is only counting those incapable of better security (basically IE6 users). The point of the POODLE vulnerability is that anyone capable of downgrading to SSL3 (i.e. the vast majority of people) is vulnerable even if they use higher security by default.
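The two technical questions in this thread (does a given server still speak SSL 3.0, and would the negotiated suite actually expose it to the POODLE padding oracle?) can be answered without a browser. The following is an added example, written for this page and not taken from the article, the commenters or the zmap page: a hand-built SSL 3.0 ClientHello is sent to the server and the first record that comes back is classified. The handshake is assembled by hand because current OpenSSL builds, and therefore Python's `ssl` module, no longer offer SSLv3 at all. The offered cipher-suite list, the alert names and the `build_server_hello` fixture are assumptions made for the example; the fixture bytes are constructed for offline testing, not a real capture.

```python
"""Added example: minimal SSL 3.0 handshake probe for POODLE exposure.

Sends an SSL 3.0 ClientHello and classifies the server's first record:
  - ServerHello with version 3.0  -> server still speaks SSLv3; if the
    chosen suite is CBC, the POODLE padding oracle applies to it
  - Alert (protocol_version / handshake_failure) -> SSLv3 is disabled
The suite list and alert names below are assumptions for this example.
"""
import os
import socket
import struct

SSL3_VERSION = 0x0300
CONTENT_HANDSHAKE = 0x16
CONTENT_ALERT = 0x15

# CBC suites are the POODLE-relevant ones; the RC4 suites are offered so a
# server that only picks a stream cipher still answers (RC4 has its own
# weaknesses, but POODLE is specifically a CBC padding oracle).
CBC_SUITES = {
    0x000A: "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
OTHER_SUITES = {
    0x0004: "SSL_RSA_WITH_RC4_128_MD5",
    0x0005: "SSL_RSA_WITH_RC4_128_SHA",
}
OFFERED = list(CBC_SUITES) + list(OTHER_SUITES)
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_client_hello(client_random=None):
    """One SSL 3.0 record carrying a ClientHello with the OFFERED suites."""
    rnd = client_random if client_random is not None else os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in OFFERED)
    body = (struct.pack("!H", SSL3_VERSION) + rnd
            + b"\x00"                                  # session id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                             # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_HANDSHAKE, SSL3_VERSION, len(handshake)) + handshake


def build_server_hello(cipher, version=SSL3_VERSION):
    """Constructed test fixture (not a capture): a ServerHello choosing `cipher`."""
    body = (struct.pack("!H", version) + bytes(32) + b"\x00"
            + struct.pack("!H", cipher) + b"\x00")
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", CONTENT_HANDSHAKE, version, len(handshake)) + handshake


# Constructed fixture: fatal (2) alert, description 0x46 = 70 = protocol_version.
SAMPLE_ALERT_PROTOCOL_VERSION = b"\x15\x03\x00\x00\x02\x02\x46"


def classify_response(data):
    """Decide from the first record whether the server accepted SSL 3.0."""
    result = {"sslv3": False, "cipher": None, "cbc": False, "reason": ""}
    if len(data) < 5:
        result["reason"] = "connection closed without a record"
        return result
    ctype, _version, length = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + length]
    if ctype == CONTENT_ALERT and len(payload) >= 2:
        result["reason"] = "alert %s" % ALERT_NAMES.get(payload[1], payload[1])
        return result
    if ctype == CONTENT_HANDSHAKE and len(payload) >= 4 and payload[0] == 0x02:
        hello = payload[4:]                     # skip 4-byte handshake header
        if len(hello) < 38:
            result["reason"] = "truncated ServerHello"
            return result
        srv_version = struct.unpack("!H", hello[:2])[0]
        sid_len = hello[34]                     # 2 version + 32 random
        off = 35 + sid_len
        cipher = struct.unpack("!H", hello[off:off + 2])[0]
        result["cipher"] = cipher
        if srv_version != SSL3_VERSION:
            result["reason"] = "server negotiated 0x%04x, not SSL 3.0" % srv_version
            return result
        result["sslv3"] = True
        result["cbc"] = cipher in CBC_SUITES
        name = CBC_SUITES.get(cipher) or OTHER_SUITES.get(cipher) or "0x%04x" % cipher
        result["reason"] = "SSL 3.0 accepted with %s (%s)" % (
            name, "CBC: POODLE applies" if result["cbc"] else "not CBC")
        return result
    result["reason"] = "unexpected record type 0x%02x" % ctype
    return result


def probe(host, port=443, timeout=5.0):
    """Connect, send the SSL 3.0 ClientHello, classify the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            data = sock.recv(4096)
            # keep reading until the whole first record is in
            while 5 <= len(data) < 5 + struct.unpack("!H", data[3:5])[0]:
                more = sock.recv(4096)
                if not more:
                    break
                data += more
            return classify_response(data)
    except OSError as exc:
        return {"sslv3": False, "cipher": None, "cbc": False, "reason": "error: %s" % exc}


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

Run it as `python3 poodle_probe.py webmail.example.internal` against the server in question. A result with `sslv3: True` and `cbc: True` is the case the commenters are worried about. Note that this checks only the server side; whether a client can be pushed into that SSLv3 handshake in the first place is a separate matter of the browser's fallback behaviour (the Firefox `security.tls.version.min` setting and the IE Fix It mentioned above), and a server that accepts SSLv3 only with RC4 is not exposed to POODLE but is still not a configuration to keep.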
"The point of the POODLE vulnerability is that anyone capable of downgrading to SSL3 (i.e. the vast majority of people) is vulnerable even if they use higher security by default."
Yes - this patch and the info I posted above prevent your own browser from being downgraded to SSL 3. Obviously we can't control where users are going. Most servers out there are using the higher protocol as their start point.
The security info I am trying to find now is whether the VPN tunnel, like the one in Server 2012 Anywhere Access, has been patched yet. If not, how do I turn it off on my end in case someone uses an older browser or something?