Made to Order Software Corporation Logo
HomeBlogsAlexis Wilke's blog

Make sure your Thunderbird does not use SSL to avoid POODLE attack

Thu, 10/23/2014 - 15:39 —

A few days ago the news that SSLv3 was no good came out. The protocol allows for patterns that can be used by a hacker to decipher an encrypted message without the need for the private key. In other words, encryption using SSLv3 is no good (anymore--it never was, but we know this only now.)

We fixed our Apache2 settings, for those interested, you just have to turn off SSLv3 with the following setting:

SSLProtocol all -SSLv2 -SSLv3

Although to really remove all the encryption methods that are not that secure (can easily be cracked) you also want to change the list of ciphers with:

SSLCipherSuite HIGH:MEDIUM:!ADH:!MD5:!aNULL:!eNULL:!LOW:!EXP:!RC4

For your emails, you probably want to use TLS too, instead of SSL. If your are not in control of the mail server, then you may need to make sure that your tool does not accept connections using SSL. There is a picture of Thunderbird settings showing you how to change your account setup:

  1. On your account, right click and select Preferences or Settings
  2. Select Server Settings to see your IMAP settings
  3. Make sure it says TLS, at least that it does not say SSL

Thunderbird settings to use TLS instead of SSL.

Link: Testing our website with SSL Labs