Microsoft announced today that it is offering Internet Explorer 11 users an option to disable the SSL 3.0 protocol. Microsoft had previously announced that it would be disabling the vulnerable SSL 3.0 by default in its flagship browser Internet Explorer by December, but it seems to be taking some extra time. The company says that it will disable SSL 3.0 by default on February 10th, 2015.
For those of you who are unaware, in October Google revealed a major security flaw in the widely used SSL 3.0 (Sockets Layer). The vulnerability dubbed PODDLE (Padding Oracle On Downgraded Legacy Encryption) allowed decryption of encrypted connections to websites. The age old vulnerability affected Internet Explorer, as well as other popular browsers including Firefox and Chrome. The SSL 3.0 already has been succeeded by Transport Layer Security, however the former is still prevalent and is is still required for compatibility by several old browsers including Internet Explorer 6. The SSL 3.0 omits validation of certain pieces of data that accompany each message. This is an exploit attackers use to decipher the entire data byte by byte.
Microsoft’s move to offer an option to disable SSL 3.0 protocol comes weeks after both Mozilla and Google implemented the said feature on their respective browsers. Chrome removed the fallback to SSL 3.0 with Chrome version 39, and Mozilla offered the same feature with the Firefox version 34 which it released earlier this month. Today's update is also applicable to the enterprise customers, who can now configure the settings manually by adjusting Group Policy. But the normal users will have to wait until February 10, or run a "Fix It" patch.