How to Disable SSL 3.0 and TLS 1.0 for Browser Security

Introduction

In the wake of the POODLE vulnerability, browser developers like Google and Mozilla took action to secure their latest browser versions. Firefox 35 and Chrome 40, for example, completely prohibited the use of the SSL 3.0 encryption protocol, as POODLE exploited this protocol as an attack vector. Microsoft also released patches and fixes for Internet Explorer 11 and announced their plan to fully disable SSL 3.0 by April 2015.

Disabling SSL 3.0 is undoubtedly a positive step for online security. However, the subsequent revelation that TLS 1.0 is also vulnerable has highlighted the need for further security measures. This article will guide you through the process of enhancing your browser security by enforcing the use of only the more secure TLS 1.1 and TLS 1.2 protocols.

NOTE: POODLE and similar exploits succeed when attackers can manipulate secure connections to fall back to outdated and vulnerable protocols. Even if you configure your browser to exclusively use TLS 1.1 / 1.2, you might encounter connectivity issues with websites that still rely on older, insecure protocols.

Website compatibility should be considered when implementing these changes.

Disabling SSL 3.0 and TLS 1.0 in Internet Explorer

To disable these older protocols in Internet Explorer, you can utilize the Internet Options settings within Windows:

  1. Access Internet Options: Open the Control Panel and navigate to Internet Options. You can also access this menu from within Internet Explorer by clicking the Gear icon (Tools) and selecting Internet Options.

  2. Navigate to Advanced Settings: In the Internet Options window, click on the Advanced tab.

  3. Disable SSL 3.0 and TLS 1.0: Scroll down the Settings list until you find the Security section. Uncheck the boxes next to Use SSL 3.0 and Use TLS 1.0.

  4. Enable TLS 1.1 and TLS 1.2 (Recommended): Ensure that the boxes for Use TLS 1.1 and Use TLS 1.2 are checked. These are more secure protocols and should be enabled for optimal security.

  5. Apply Changes: Click Apply and then OK to save your changes. You may need to restart your browser for the changes to take full effect.

By following these steps, you will have successfully disabled SSL 3.0 and TLS 1.0 in Internet Explorer, enhancing your browser’s security posture.
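
Windows stores these checkboxes per user as a bitmask in the SecureProtocols DWORD under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings. The following added example (not part of the original article) decodes such a value and computes the hardened one; the sample values are constructed, and reading the registry itself is left out so the script runs on any platform.

```python
# Bit flags of the "SecureProtocols" DWORD behind the Internet Options checkboxes.
FLAGS = {
    "SSL 2.0": 0x0008,
    "SSL 3.0": 0x0020,
    "TLS 1.0": 0x0080,
    "TLS 1.1": 0x0200,
    "TLS 1.2": 0x0800,
}
WEAK = ("SSL 2.0", "SSL 3.0", "TLS 1.0")
STRONG = ("TLS 1.1", "TLS 1.2")


def decode(value):
    """Return the protocol names whose checkbox is ticked for this DWORD."""
    return [name for name, bit in FLAGS.items() if value & bit]


def harden(value):
    """Clear the weak-protocol bits, set TLS 1.1/1.2, leave other bits untouched."""
    for name in WEAK:
        value &= ~FLAGS[name]
    for name in STRONG:
        value |= FLAGS[name]
    return value


def audit(value):
    """Summarise one SecureProtocols value the way a fleet check would."""
    enabled = decode(value)
    return {
        "enabled": enabled,
        "weak_enabled": [p for p in enabled if p in WEAK],
        "missing_strong": [p for p in STRONG if p not in enabled],
        "hardened_value": hex(harden(value)),
    }


if __name__ == "__main__":
    # Constructed samples: SSL 3.0 + TLS 1.0 only, TLS 1.0-1.2, TLS 1.1-1.2.
    for sample in (0x00A0, 0x0A80, 0x0A00):
        print(hex(sample), audit(sample))
```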

Disabling SSL 3.0 and TLS 1.0 in Firefox

Firefox users can disable SSL 3.0 and TLS 1.0 through the browser’s configuration editor:

  1. Open Configuration Editor (about:config): In the Firefox address bar, type about:config and press Enter. You may see a warning message indicating “This might void your warranty!”. Click “Accept the Risk and Continue” to proceed.

  2. Search for Security Protocols: In the search bar at the top of the about:config page, type tls. This will filter the list of preferences to show those related to TLS and SSL protocols.

  3. Disable SSL 3.0: Look for the preference named security.ssl.version.min. Double-click on this preference to edit its value.

    • The default value is typically 0, which corresponds to SSL 3.0. To disable SSL 3.0, change the value to 1 (for TLS 1.0), 2 (for TLS 1.1), or 3 (for TLS 1.2). To ensure only TLS 1.1 and higher are used, set the value to 2 or 3. Setting it to 2 will enforce a minimum of TLS 1.1, and 3 will enforce a minimum of TLS 1.2. For maximum security, setting it to 3 is recommended.

  4. Disable TLS 1.0 (Optional but Recommended): While setting security.ssl.version.min to 2 or 3 effectively disables TLS 1.0 as well, you can explicitly disable it for clarity. Look for security.tls.version.min and ensure it is set to at least 1 if you haven’t already set security.ssl.version.min to 2 or 3.

  5. Restart Firefox: Close and restart Firefox for the changes to take effect.

After restarting Firefox, your browser will no longer use SSL 3.0 and TLS 1.0, improving your security while browsing the web.
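
Values changed in about:config are written to the profile's prefs.js as user_pref(...) lines, so the setting can be checked without opening the browser. The following added example (not part of the original article) reads security.tls.version.min, the preference named in step 4, from the text of a prefs.js file and reports which legacy protocols the profile still allows; the sample file content is constructed.

```python
import re

# Meaning of the minimum-version values. 0-3 are the ones the article lists;
# 4 (TLS 1.3) is not in the article and is added from current Firefox.
VERSIONS = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2", 4: "TLS 1.3"}
PREF = "security.tls.version.min"
LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(-?\d+)\s*\)\s*;')

# Constructed sample: the commented-out line must be ignored.
SAMPLE_PREFS = '''\
// user_pref("security.tls.version.min", 3);
user_pref("browser.startup.page", 3);
user_pref("security.tls.version.min", 1);
'''


def min_version_pref(prefs_text):
    """Return the last integer assigned to PREF, or None if it is never set."""
    value = None
    for line in prefs_text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) == PREF:
            value = int(m.group(2))  # a later line overrides an earlier one
    return value


def audit(prefs_text, required=2):
    """Check that the profile enforces at least `required` (2 = TLS 1.1)."""
    value = min_version_pref(prefs_text)
    if value is None:
        return "UNSET: the browser's built-in default applies"
    if value not in VERSIONS:
        return f"UNKNOWN: value {value} is not a recognised protocol version"
    if value >= required:
        return f"OK: minimum is {VERSIONS[value]}"
    legacy = ", ".join(VERSIONS[v] for v in range(value, required))
    return f"FAIL: minimum is {VERSIONS[value]}; still allows {legacy}"


if __name__ == "__main__":
    print(audit(SAMPLE_PREFS))
    print(audit(SAMPLE_PREFS, required=3))
```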

Disabling SSL 3.0 and TLS 1.0 in Google Chrome

Science marches on! A big hat tip (or large chapeau) to commentator John Giles for pointing out that using chrome://flags/ is the newest and easiest way to set minimum protocol versions in Chrome. We should note that Google hangs a red warning over using flags – however, our testing has yielded positive results. John says:

For Chrome, how about this?:

chrome://flags

Under “Minimum SSL/TLS version supported.”, change from “Default” to “TLS 1.1”.

Then hit the “Relaunch Now” button at the bottom of the page.

Thanks again, John!

Chrome Flags showing the “Minimum SSL/TLS version supported” setting highlighted.

Unlike Internet Explorer and Firefox, which offer GUI-based options, Chrome historically required command-line switches to enforce TLS 1.1 / 1.2 usage. However, as John Giles pointed out, Chrome now offers an easier method through its flags settings.

Using Chrome Flags (Recommended Method):

  1. Access Chrome Flags: In the Chrome address bar, type chrome://flags/ and press Enter.

  2. Search for Minimum TLS Version: In the search flags bar, type “minimum tls”. This will highlight the “Minimum SSL/TLS version supported” flag.

  3. Set Minimum TLS Version: Change the dropdown menu from “Default” to “TLS 1.2” (or “TLS 1.1” if needed for compatibility, though TLS 1.2 is highly recommended for best security).

  4. Relaunch Chrome: Click the “Relaunch Now” button at the bottom of the page to restart Chrome and apply the changes.

Alternative Method (Using Command-Line Switch – Less Recommended Now):

The flags method is now the easiest, but the command-line method is described here for historical context and in case flags are removed in future versions. Chrome can also be configured to use only TLS 1.1 / 1.2 with a command-line switch, an argument added to the string that launches the browser. This is done by modifying the browser shortcut:

  1. Find the Chrome Shortcut: Locate the shortcut you use to launch Google Chrome. This might be on your desktop, in the Start Menu, or on your taskbar.

  2. Open Shortcut Properties: Right-click on the Chrome shortcut and select Properties.

  3. Modify Target Field: In the Properties window, go to the Shortcut tab. In the Target field, you will see the path to the Chrome executable.

  4. Add Command-Line Switch: After the existing path (outside of the quotes if the path is quoted), add the following command-line switch: --ssl-version-min=tls1.2 (or --ssl-version-min=tls1.1 if you need TLS 1.1 compatibility). Make sure there is a space between the existing path and the switch.

    Example: If your Target field originally was "C:\Program Files\Google\Chrome\Application\chrome.exe", it should now look like: "C:\Program Files\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1.2

  5. Apply Changes: Click Apply and then OK to save your changes.

  6. Launch Chrome via Shortcut: Crucially, you must launch Chrome using this modified shortcut for the changes to take effect. Simply opening Chrome in other ways (e.g., from the Start Menu directly if you didn’t modify that shortcut) will not apply the command-line switch.

By using either the Chrome Flags method or the command-line switch method, you can disable SSL 3.0 and TLS 1.0 in Google Chrome, enhancing your browsing security. The flags method is now significantly easier and recommended for most users.
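
The command-line method fails silently when the switch ends up inside the quotes, is not separated from the path by a space, or is missing from the shortcut actually used. The following added example (not part of the original article) checks a shortcut's Target string for those mistakes; the Target strings are constructed from the article's example path, and only the two switch values given in the article are accepted.

```python
import re

SWITCH = "--ssl-version-min"
ACCEPTED = ("tls1.1", "tls1.2")  # the two values given in the article

# Constructed Target strings based on the article's example path.
GOOD = r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --ssl-version-min=tls1.2'
IN_QUOTES = r'"C:\Program Files\Google\Chrome\Application\chrome.exe --ssl-version-min=tls1.2"'
NO_SPACE = r'"C:\Program Files\Google\Chrome\Application\chrome.exe"--ssl-version-min=tls1.2'
UNMODIFIED = r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'


def split_target(target):
    """Split a shortcut Target into (executable path, raw argument string)."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        if end == -1:
            return target[1:], ""  # unbalanced quote: everything is the path
        return target[1:end], target[end + 1:]
    exe, _, args = target.partition(" ")
    return exe, " " + args if args else ""


def check_target(target):
    """Return an OK/FAIL verdict for the minimum-version switch in a Target."""
    exe, args = split_target(target)
    if SWITCH in exe:
        return "FAIL: switch is inside the quoted path"
    if args and not args[0].isspace():
        return "FAIL: no space between the path and the switch"
    m = re.search(r"(?:^|\s)--ssl-version-min=(\S+)", args)
    if not m:
        return "FAIL: switch not present"
    value = m.group(1).lower()
    if value not in ACCEPTED:
        return f"FAIL: unexpected value {value!r}"
    return f"OK: minimum {value}"


if __name__ == "__main__":
    for t in (GOOD, IN_QUOTES, NO_SPACE, UNMODIFIED):
        print(check_target(t), "<-", t)
```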
