
[Vulnerability notice] SSL 3.0 security vulnerability

Last Updated: Mar 19, 2018

Vulnerability description

Similar to the earlier Heartbleed vulnerability, this security vulnerability in SSL 3.0 allows attackers to use special means to extract a certain number of bytes of private information from secure connections protected by SSL 3.0.

SSL 3.0 has been available for 15 years and is still supported by most browsers. If a bug prevents your browser from connecting to the server with the latest security protocol, the browser retries with an earlier protocol version, which can include SSL 3.0. When attacking a server or a single user account, an attacker can deliberately cause a connection failure to make the browser fall back to SSL 3.0, and then obtain key information from the user account or the server.
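The fallback described above is visible in the version fields of the handshake, so it can be detected from captured ClientHello and ServerHello records. The following Python sketch is an added example, not part of the original notice; the function names, the sample addresses and the constructed records are assumptions made for illustration.

```python
import struct

NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

def hello_version(record: bytes):
    """Return (handshake_type, version) for a ClientHello/ServerHello record, else None."""
    if len(record) < 11 or record[0] != 0x16:       # 0x16 = handshake record type
        return None
    hs_type = record[5]                              # 1 = ClientHello, 2 = ServerHello
    if hs_type not in (1, 2):
        return None
    (version,) = struct.unpack("!H", record[9:11])   # client_version / server_version
    return hs_type, version

def find_fallbacks(events):
    """Flag retries with a lower offered version and any ServerHello selecting SSL 3.0."""
    best_offer, findings = {}, []
    for client, server, record in events:            # events are in capture order
        parsed = hello_version(record)
        if parsed is None:
            continue
        hs_type, version = parsed
        pair = (client, server)
        if hs_type == 1:
            prev = best_offer.get(pair, 0)
            if version < prev:                       # client lowered its offer on a retry
                findings.append((client, server, "fallback",
                                 f"{NAMES.get(prev, hex(prev))} -> {NAMES.get(version, hex(version))}"))
            best_offer[pair] = max(prev, version)
        elif version == 0x0300:                      # server agreed to SSL 3.0
            findings.append((client, server, "negotiated", "SSL 3.0"))
    return findings

def make_hello(hs_type, version):
    """Build a minimal constructed hello record: version plus a zeroed 32-byte random."""
    body = struct.pack("!H", version) + bytes(32)
    handshake = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = [
    ("198.51.100.5", "192.0.2.10", make_hello(1, 0x0303)),  # first attempt: TLS 1.2
    ("198.51.100.5", "192.0.2.10", make_hello(1, 0x0301)),  # retry after failure: TLS 1.0
    ("198.51.100.5", "192.0.2.10", make_hello(1, 0x0300)),  # retry after failure: SSL 3.0
    ("198.51.100.5", "192.0.2.10", make_hello(2, 0x0300)),  # server accepts SSL 3.0
    ("198.51.100.7", "192.0.2.10", make_hello(1, 0x0303)),  # client that never falls back
    ("198.51.100.7", "192.0.2.10", make_hello(2, 0x0303)),
]
```

A lower offer from the same address can also come from a different client program on that host, so treat a fallback finding as a lead to correlate with the connection failures that preceded it.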

How to fix

Chrome users can use the command line tool to disable SSL 3.0.

Windows users

  1. Completely close Chrome.
  2. Make a copy of your Chrome shortcut.
  3. Right-click the new Chrome shortcut and click Properties.
  4. Enter the command --ssl-version-min=tls1 at the end of the Target field.

macOS X users

  1. Completely close Chrome.
  2. Locate the built-in terminal.
  3. Enter the command /Applications/Google\ Chrome.app/Contents/MacOS/Google\ Chrome --ssl-version-min=tls1.

Linux users

  1. Completely close Chrome.
  2. Start Chrome from the terminal with the option --ssl-version-min=tls1.

Firefox users: Click About > Settings, enter about:config in the address bar, and set security.tls.version.min to 1.
