Protecting you against the SSL 3.0 vulnerability

Share on Facebook Share on Twitter Share on Linkedin Share via OneNote Share via Email Print

As we announced yesterday, driving innovations in security capabilities of Office 365 is a top priority. We understand that the security of your data is important and we’ll continue to be transparent about our approach. To that end, we wanted to share details around Security Advisory 3009008. This advisory provides guidance related to a vulnerability in Secure Sockets Layer (SSL) 3.0 which could allow information disclosure. This is an industry-wide vulnerability that affects the protocol itself and is not specific to Microsoft’s implementation. To help protect our customers further, we will be disabling fallback to SSL 3.0 in IE, disabling SSL 3.0 by default in IE, and across Microsoft online services, over the coming months.

Starting on December 1, 2014, Office 365 will begin disabling support for SSL 3.0. This means that from December 1, 2014, all client/browser combinations will need to utilize TLS 1.0 or higher to connect to Office 365 services without issues. This may require certain client/browser combinations to be updated.

Although analysis of connections to Microsoft online services shows very few customers still use SSL 3.0, we are providing customers with advance notice of this change so they can update their impacted clients prior to us disabling SSL 3.0.

The following resources provide guidance for customers and administrators to ensure clients are utilizing TLS 1.0 or higher and to disable SSL 3.0 proactively.

  • You, as an individual, can use the Fix it, which is available for all supported versions of IE, to disable SSL 3.0 in your browser and help ensure you are protected from this vulnerability.
  • For managed desktop environments, this TechNet article provides guidance on how to determine if your environment has users connecting via SSL 3.0. If any users are identified, Security Advisory 3009008 provides guidance on how to apply a group policy to update the settings.
  • If you are an Azure customer, also visit the Azure blog for more information.

For general information about our approach to security, visit the Office 365 Trust Center.