2

Working on the latest SSL3 vulnerability (POODLE) and wondering if you can detect if the browser viewing the website has SSL3 enabled in their settings and if so prompt them with a message.

Faris Zacina
jeffrey_powers

2 Answers

0

It is not possible to get that browser setting from plain JavaScript. However, you could get that setting from a browser extension. In fact, there are extensions that manipulate that setting, like:

https://addons.mozilla.org/en-US/firefox/addon/ssl-version-control/

However, there are sites that display if the client browser allows SSL3 connections like:

After some analysis I have concluded they both use the same approach to verify if a client browser supports SSL3. They have set up a webserver that supports only SSL3 connections (for ssllabs it is deployed at https://www.ssllabs.com:10300 and for zmap at https://ssl3.zmap.io/sslv3test.js) and then they issue a request from the client browser (using JavaScript) to these URLs, and if the connection gets aborted they know that SSL3 is not enabled in the browser. If they get a 200 response, they know the browser supports SSL3.

Faris Zacina
0

This is actually sort of backwards. Ideally, if there was a site that ONLY supported TLS, you could test via script whether that is accessible. And if it fails, then you know that user will be impacted when you turn off SSL. Or maybe no one cares to try and phase users over with a week or two of warning and instead just plans to yank SSL and see what happens.
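
As an added example (not code from either answer or from the sites mentioned), the probe both answers describe can be written as one client-side check: request an SSL3-only endpoint and a TLS-only endpoint, and use the TLS probe as a control so that a network outage is not mistaken for "SSL3 disabled". The two URLs are hypothetical placeholders for servers you would run yourself, and `canConnect` and `classifyClient` are illustrative names.

```javascript
// Hypothetical endpoints (assumptions): replace with servers you operate.
const SSL3_ONLY_URL = "https://ssl3-only.example.test/probe.js"; // accepts only SSLv3
const TLS_ONLY_URL = "https://tls-only.example.test/probe.js";   // accepts only TLS

// Resolves true if a connection was negotiated and the request completed,
// false if it was aborted, failed, or timed out.
async function canConnect(url, fetchImpl = fetch, timeoutMs = 5000) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    // mode "no-cors": the response is opaque (status is not readable), but the
    // promise only resolves when the handshake with the server succeeded.
    await fetchImpl(url, { mode: "no-cors", cache: "no-store", signal: controller.signal });
    return true;
  } catch (err) {
    return false; // handshake/network failure, or abort after the timeout
  } finally {
    clearTimeout(timer);
  }
}

// Runs both probes and returns one of:
//   "ssl3-enabled"  both protocols work: prompt the user to disable SSL3
//   "tls-only"      SSL3 probe failed, TLS works: nothing to do
//   "ssl3-only"     TLS probe failed: this user breaks when the site drops SSL3
//   "inconclusive"  neither probe worked (offline, probes blocked)
async function classifyClient(fetchImpl = fetch, timeoutMs = 5000) {
  const [ssl3, tls] = await Promise.all([
    canConnect(SSL3_ONLY_URL, fetchImpl, timeoutMs),
    canConnect(TLS_ONLY_URL, fetchImpl, timeoutMs),
  ]);
  if (!ssl3 && !tls) return "inconclusive";
  if (ssl3 && tls) return "ssl3-enabled";
  return ssl3 ? "ssl3-only" : "tls-only";
}
```

In a page, call `classifyClient()` after load and show the warning only for `"ssl3-enabled"` or `"ssl3-only"`.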