This content has been marked as final. Show 53 replies
In mine (default settings) SSL3.0 is ticked as well as SSL2.0 but not TLS1.0, and I believe that 3.0 overrides 2.0 anyway. I am aware that as of IE7 SSL2.0 has been regarded as a security risk.
TLS1.0 isn't used any more as far as I know & isn't selected by default, in my setup anyway.
(I'm wondering if the default settings may vary depending on what operating system you are using).
Security Center is in fact an IE page albeit internal and relies upon IE being set at its default settings, so if you change them it may malfunction, or, as in your case, may alter them back.
This is a rather technical question which can't be directly answered on this board. I'll have to flag it internally and hope that someone at McAfee HQ can answer it.
Sorry but we are just unpaid volunteers here, not McAfee staff, but if I flag it, hopefully someone from McAfee will come up with an answer for you.
Thank you for replying. I do appreciate you flagging my question for McAfee staff to look at it.
You wrote, "TLS1.0 isn't used any more as far as I know ...". All of the financial and e-commerce web sites that I visit do use TLS 1.0 over SSL 3.0, if both are enabled in the web browser. TLS 1.0 is an improvement over SSL 3.0 (see http://csrc.nist.gov/publications/nistpubs/800-52/SP800-52.pdf for details). And as you noted, SSL 2.0 is a security risk. So it seems wrong to me for SecurityCenter to enable the least secure protocol (SSL 2.0) and disable TLS 1.0. Hopefully, McAfee will investigate the issue and respond.
Thanks again for your help.
According to Microsoft TLS1.0 isn't enabled by default in any version of IE, see: http://support.microsoft.com/kb/811834
From a Google search it appears that it should only be enabled if a particular website demands it. It's one of the older transport layers.
I've never had it enabled here and have no problem with online financial transactions.
I guess it's a matter of what's needed at the time.
However, getting McAfee to change that behaviour would, I doubt, be a lost cause as the default settings are what Security Center looks for and those are SSL 2.0 and SSL 3.0.
Anyway, I have asked.
I was having exactly the same problem that pigglety described on 5-16-09 at 07:49am. I actually called McAfee tech support in Aug 2009 and told them about the problem. I even provided them with the excellent technical info that pigglety provided.
At first McAfee technicians totally denied McAfee Security Suit would make any changes to the Windows Vista registry file. After speaking to three different McAfee technicians, I finally found someone in McAfee who admitted that there was indeed a bug in McAfee Security Suit, and everything would be fixed in the next updated version. I took the technician at McAfee at his word, and I have been patiently waiting for the next version of McAfee to be released.
On Sept 21, 2009 McAfee Security Center (build 9.15.126) was released, and I installed it on my PC. I was really hoping that it would finally fix the issue where McAfee Security Security Center would automatically enable SSL2 on IE8 as well as Google Chrome. Well guess what? The newest build does NOT fix the problem. Everything that pigglety described on 5-16-09 is still true today, even with the newest McAfee Security Center installed.
I am so disappointed with McAfee. It was a royal pain explaining over and over again the SSL2 software bug to the McAfee technicians. I have absolutely no desire to spend another hour on the phone going thru that drill again!
If anyone has a solution, please let me know. Thanks!
Are you sure that these so-called default settings aren't ones that are in fact custom set by the commercial concerns?
In all my various installations ranging from XP and IE6 up to Windows 7 and IE8 the default SSL2 and 3 are the only ones checked by default in IE. That's with or without McAfee installed.
These can be manually altered of course.
I have never known these settings to be changed by any McAfee version, despite what the technicians may or may not have said. They aren't the developers and are only basically call center workers.
I would say your argument is more with Microsoft than it is with McAfee.
Yes I am sure.
If I disable the SSL2 option in IE8 or Chrome, it will remain disabled unless I launch McAfee Security Center.
Immediately after McAfee Security Center is launched, SSL2 will be re-enabled on IE8 and Chrome. It is such a pain.
So what is the big deal anyway? SSL3 automatically overrides SSL2 in any case. According to Microsoft.
I acknowledge that it is not a catastrophic problem. However, it really bothers me that McAfee Security Center is overriding the way that I have manually configured IE8 and Google Chrome browsers.
It also concerns me that McAfee does not follow through in fixing bugs that have been reported to them.
By the way, I would imagine that Microsoft dictates to all security software manufacturers whose products are designed to interact with Windows Security, that such settings must be protected, so McAfee in this case is only protecting the default settings, which is a function of security software after all.
Im sure a Microsoft Newsgroup or Forum would bear me out on that.
Addendum: I doubt such processes could be discussed in open forum as they involve patented/copyrighted processes from both Microsoft and McAfee. I do know that all security software makers have to follow a set of guidelines laid down by Microsoft. So I doubt you can blame McAfee totally for this.
I guess for now the answer is, don't open Security Center while using those settings.
The 2010 products will be releasing soon so who knows, things may change.