SSLv2 insecure - should be disabled by default
Sun, 10 Apr 2005 10:43:35 +0200
Galeon has specifically SSLv2 disabled in its defaults
(security.enable_ssl2 is set to false in default-prefs.js).
I checked Firefox, Mozilla, and Epiphany: they all have this setting
set to true by default.
Upstream told me SSLv2 is quite insecure and shouldn't be in use in
I've searched for a summary of SSLv2 flaws, the best I could come up
with is at:
The security flaws are really below current standards:
- weak MAC,
- no protection against man-in-the-middle attacks,
- same key is used for authentication and encryption,
- no protection against TCP connection closing.
I think we shouldn't ship browsers with SSLv2 enabled transparently by
default, and I suggest other browsers move to the same configuration.
[ Of course, it would be nicer if Mozilla-based browsers would source a
common config file. ]
This is bug #303849, where you can see that networksolutions.com uses
Loïc Minier <firstname.lastname@example.org>
"Neutral President: I have no strong feelings one way or the other."
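A small audit of the preference discussed in this mail, added here as an example (it is not code from the post or from any of the browsers mentioned). It assumes the Mozilla-style pref()/user_pref() line syntax and uses constructed sample pref files modelled on the situation described: one file that disables SSLv2, one that leaves the upstream default (true) in place, one that enables it explicitly.

```python
import re

# One Mozilla-style preference line, e.g.  pref("security.enable_ssl2", false);
# The same shape is used by user_pref(...) in prefs.js / user.js.
_PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"[^"]*")\s*\)\s*;'
)

SSL2_PREF = "security.enable_ssl2"


def parse_prefs(text):
    """Parse pref()/user_pref() lines into a dict; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = _PREF_RE.match(line)          # comment lines (// ...) simply do not match
        if not m:
            continue
        key, raw = m.group(1), m.group(2)
        if raw in ("true", "false"):
            prefs[key] = raw == "true"
        elif raw.startswith('"'):
            prefs[key] = raw[1:-1]
        else:
            prefs[key] = int(raw)
    return prefs


def ssl2_enabled(text, default=True):
    """True if these prefs leave SSLv2 on. Upstream's default was true, so a missing line counts as enabled."""
    return bool(parse_prefs(text).get(SSL2_PREF, default))


def harden(text):
    """Return the prefs text with security.enable_ssl2 forced to false (existing line replaced, or appended)."""
    kept = [l for l in text.splitlines()
            if not (_PREF_RE.match(l) and _PREF_RE.match(l).group(1) == SSL2_PREF)]
    kept.append('pref("%s", false);' % SSL2_PREF)
    return "\n".join(kept) + "\n"


def audit(name_to_text):
    """Map each browser name to a verdict string for its default prefs."""
    return {n: ("SSLv2 enabled" if ssl2_enabled(t) else "SSLv2 disabled")
            for n, t in name_to_text.items()}


# Constructed sample files (not real distribution files).
SAMPLE_PREFS = {
    "galeon":  'pref("security.enable_ssl2", false);\npref("security.enable_ssl3", true);\n',
    "firefox": '// no ssl2 line: the upstream default (true) applies\npref("security.enable_ssl3", true);\n',
    "mozilla": 'pref("security.enable_ssl2", true);\n',
}

if __name__ == "__main__":
    for name, verdict in sorted(audit(SAMPLE_PREFS).items()):
        print("%-8s %s" % (name, verdict))
```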