Information technology tools and resources at the UW
20151222: Nebula to disable SSLv3
Nebula will disable SSLv3 on Nebula workstations and servers which still have it enabled.
What and When:
On Tuesday, January 5th, 2016, Nebula will configure managed desktops and its servers to no longer permit SSLv3.
SSLv3 is broadly used to encrypt sessions, but it is also very old and now considered insecure. Disabling SSLv3 should have little to no impact because there is broad support for TLS and no obvious impact on the user experience to using TLS instead of SSLv3. While the most secure option should be chosen when a client connects to a server, there are situations where that doesn’t happen, so this change will ensure that Nebula does not permit a less secure scenario.
What You Need to Do:
Nothing, unless you are responsible for a web server or other service that uses this protocol, in which case you should update to a stronger encryption protocol as soon as possible.
This is primarily an advisory to let you know that we’re making a design change to make Nebula more secure.
There is a vulnerability in the cryptographic protocol Secure Sockets Layer version 3, or SSLv3 (see https://technet.microsoft.com/en-us/library/security/3009008.aspx). In order to prevent malicious actors intercepting your data, Nebula is disabling the weakened protocol SSLv3 for all Nebula managed desktops and all Nebula servers.
This change could affect anyone still using a service protected with SSLv3, and anyone using a version of Internet Explorer prior to 11. Since this protocol is being dropped across the industry, it is unlikely that you will be affected unless you use a site or service still only using SSLv3. If you anticipate or experience any difficulties that you believe are related to this change, please email email@example.com with the subject line “Nebula SSLv3 Change”.