On 04/11/2014 21:11, DoctorBill wrote:
> I teach at a local Com College and access their
> E-Mail web site.
>
> They said something called "POODLE" has appeared
> and tell me to disable SSL 3.0.
>
> Being a complete nerd concerning my SM 2.12.1
> Browser, I am wondering if this would cause me
> problems in the future.
>
> Wikipedia says SSL 3.0 is obsolete (????) and TLS
> 1.0 is the new thing.
>
> All that means squat to me, so I am asking for
> some meager enlightenment.
>
> If I disable SSL 3.0 will bad things happen to me?
>
> ...and yes...I know....update my SM to 2.29.1
> which I loathe to do (2.12.1 seems to work fine).

TLS 1.0 is only "the new thing" if you define "new" as in "not yet eligible to vote if it was a human being." TLS 1.0 is almost sixteen years old.

What the "POODLE" thing means is that someone figured out a basic weakness in the SSL 3.0 protocol. Note that this is NOT a fault in Mozilla's, Apache's or anyone else's implementation; it's a fault in the design of the protocol itself.

It's not going to get "fixed", because "fixing" it involves changing the protocol -- and that's not necessary, because TLS (which is essentially an evolution of SSL) is already widely deployed. In fact, you have probably been using it for years -- your browser negotiates with the server the most advanced encryption protocol both of them support, and that almost always means at least TLS 1.0 (and fairly often, TLS 1.1 or 1.2).

The reason it becomes necessary to disable SSL is because part of the attack involves deceiving your browser into downgrading the connection to SSL 3.0 instead of using TLS. The way to prevent it is to refuse using SSL 3.0 altogether.

For most people, disabling SSL 3.0 won't cause any problems, because just about all servers support TLS. Except if you need to access some sort of intranet server, that is. Many intranet servers haven't been updated since they were first deployed, and may be running on very old versions of IIS that don't have TLS enabled by default. But those old servers usually don't work well with modern browsers anyway.

Anyway, the easy and painless way to disable SSL 3.0 (recommended by the Mozilla organization, by the way) is to install the SSL Version Control add-on:

https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/

Note that the page link is greyed out because the page is meant for Firefox users, but you can install it on Seamonkey regardless -- just click on the greyed-out button and then click on "download anyway". It works fine on Seamonkey. Just use it to set "minimum SSL version" to "TLS 1.0".

Future versions of Firefox (and, I presume, Seamonkey) will have SSL 3.0 disabled by default.

--
MCBastos

This message has been protected with the 2ROT13 algorithm. Unauthorized use will be prosecuted under the DMCA.

-=-=-
... Sent from my Philips Pronto.
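
What a "minimum SSL version" of TLS 1.0 amounts to on the wire, as an added Python example that is not part of the original message and is not the add-on's or the browser's code: the client reads the version the server chose in its ServerHello and aborts if that version is below the floor, so a forced fallback to SSL 3.0 ends in a failed connection instead of a weak one. The function names and the sample records are constructed for illustration, and only SSL 3.0 through TLS 1.2 are covered.

```python
import struct

# Wire values of the protocol versions named in the message above.
VERSIONS = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}
MIN_VERSION = 0x0301  # the recommended floor: "TLS 1.0"


class ProtocolRefused(Exception):
    """Raised when the server's chosen version is below the client's floor."""


def server_hello_version(record: bytes) -> int:
    """Return the version field of a raw ServerHello handshake record."""
    if len(record) < 11:  # 5-byte record header + 4-byte handshake header + version
        raise ValueError("record too short for a ServerHello")
    rec_type, _rec_version, rec_len = struct.unpack("!BHH", record[:5])
    if rec_type != 0x16:  # 0x16 = handshake record
        raise ValueError("not a handshake record")
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] != 0x02:  # 0x02 = ServerHello
        raise ValueError("not a ServerHello")
    return struct.unpack("!H", body[4:6])[0]


def check_negotiated(record: bytes, minimum: int = MIN_VERSION) -> str:
    """Accept the server's choice only if it meets the floor; return its name."""
    version = server_hello_version(record)
    if version < minimum:
        name = VERSIONS.get(version, hex(version))
        raise ProtocolRefused(f"server chose {name}, below the configured minimum")
    return VERSIONS.get(version, hex(version))


def make_server_hello(version: int) -> bytes:
    """Build a minimal ServerHello record (constructed sample, not a capture)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, version, len(handshake)) + handshake


if __name__ == "__main__":
    for v in (0x0303, 0x0301, 0x0300):
        try:
            print("accepted:", check_negotiated(make_server_hello(v)))
        except ProtocolRefused as exc:
            print("refused:", exc)
```
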

