You can disable support for the SSL 3.0 protocol on Windows by following these steps:
regedit, and then click OK.
|Windows Server 2003 Service Pack 2|
|Windows Server 2003 x64 Edition Service Pack 2|
|Windows Server 2003 with SP2 for Itanium-based Systems|
|Windows Vista Service Pack 2|
|Windows Vista x64 Edition Service Pack 2|
|Windows Server 2008 for 32-bit Systems Service Pack 2|
|Windows Server 2008 for x64-based Systems Service Pack 2|
|Windows Server 2008 for Itanium-based Systems Service Pack 2|
|Windows 7 for 32-bit Systems Service Pack 1|
|Windows 7 for x64-based Systems Service Pack 1|
|Windows Server 2008 R2 for x64-based Systems Service Pack 1|
|Windows Server 2008 R2 for Itanium-based Systems Service Pack 1|
|Windows 8 for 32-bit Systems|
|Windows 8 for x64-based Systems|
|Windows 8.1 for 32-bit Systems|
|Windows 8.1 for x64-based Systems|
|Windows Server 2012|
|Windows Server 2012 R2|
|Windows RT 8.1|
|Server Core installation option|
|Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)|
|Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)|
|Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)|
|Windows Server 2012 (Server Core installation)|
|Windows Server 2012 R2 (Server Core installation)|
The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, aka the “POODLE” issue.
The Heartbleed vulnerability, more formally known as CVE-2014-0160, allows an attacker to read up to 64 kilobytes of memory per attack on any connected client or server. Heartbleed got its name because it is a flaw in OpenSSL’s implementation of the Heartbeat Extension for the TLS and DTLS protocols (RFC 6520).
The vulnerability, which is caused by poorly written code, was discovered on the same day by Google and Codenomicon security researchers. The researchers quickly realized that an attacker could exploit the bug to expose encrypted content, usernames, passwords, and private keys for X.509 certificates. Because OpenSSL is used by approximately 66% of all active websites on the Internet, many experts have called Heartbleed one of the worst security bugs in the history of the Internet.
Heartbleed vulnerabilities exist in all versions of OpenSSL released between March 2012 and April 2014, at which time the software defect was corrected and OpenSSL version 1.0.1g was released. To lessen the potential negative effects of Heartbleed, OpenSSL.org recommends that enterprises upgrade to the most recent version of OpenSSL and reissue X.509 certificates with new keys.
Microsoft is aware of detailed information that has been published describing a new method to exploit a vulnerability in SSL 3.0. This is an industry-wide vulnerability affecting the SSL 3.0 protocol itself and is not specific to the Windows operating system. All supported versions of Microsoft Windows implement this protocol and are affected by this vulnerability. Microsoft is not aware of attacks that try to use the reported vulnerability at this time. Considering the attack scenario, this vulnerability is not considered high risk to customers.
Microsoft is announcing that SSL 3.0 will be disabled in the default configuration of Internet Explorer and across Microsoft online services over the coming months. We recommend customers migrate clients and services to more secure security protocols, such as TLS 1.0, TLS 1.1 or TLS 1.2.
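To confirm that a server you administer no longer negotiates SSL 3.0 after the change, you can send it an SSL 3.0 ClientHello and look at the first record it returns. The following is an added example, not code from Microsoft or from the original page; the function names, the two offered cipher suites and the sample reply bytes are assumptions made for illustration.

```python
import socket
import struct
from os import urandom

SSL3 = (3, 0)  # protocol version bytes for SSL 3.0

# Constructed sample replies (not captured traffic) for offline checks.
SAMPLE_SERVER_HELLO = (b"\x16\x03\x00\x00\x2a\x02\x00\x00\x26\x03\x00"
                       + bytes(32) + b"\x00\x00\x2f\x00")
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x28"  # fatal handshake_failure(40)

def build_sslv3_client_hello():
    """Minimal SSL 3.0 ClientHello: two CBC suites, null compression, no extensions."""
    # TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA
    suites = struct.pack("!2H", 0x002F, 0x000A)
    body = (bytes(SSL3) + urandom(32)            # client_version + random
            + b"\x00"                            # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                       # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(SSL3) + struct.pack("!H", len(handshake)) + handshake

def classify_reply(data):
    """Classify the first record of the reply: accepted, refused, closed or unknown."""
    if not data:
        return "closed"                          # peer dropped the connection
    if len(data) >= 7 and data[0] == 0x15:
        return "refused"                         # alert record
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:
        # ServerHello: bytes 9-10 hold the version the server selected
        return "accepted" if tuple(data[9:11]) == SSL3 else "unknown"
    return "unknown"

def probe(host, port=443, timeout=5.0):
    """Offer SSL 3.0 only to host:port and report how the server answers."""
    data = b""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            while len(data) < 11:                # enough to read the version
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
        except OSError:                          # reset or timeout: no answer
            pass
    return classify_reply(data)

if __name__ == "__main__":
    print(classify_reply(SAMPLE_SERVER_HELLO), classify_reply(SAMPLE_ALERT))
```

A result of `accepted` from `probe()` means the endpoint still completes the first step of an SSL 3.0 handshake; `refused` or `closed` is the expected outcome once the protocol is disabled.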