SSLv2 insecure - should be disabled by default

Loïc Minier lool@dooz.org
Sun, 10 Apr 2005 10:43:35 +0200


        Hi,

 Galeon has SSLv2 specifically disabled in its defaults
 (security.enable_ssl2 is set to false in default-prefs.js).

 I checked Firefox, Mozilla, and Epiphany: they all have this setting
 set to true by default.

 Upstream told me SSLv2 is quite insecure and shouldn't be in use in
 current implementations.

 I've searched for a summary of SSLv2 flaws, the best I could come up
 with is at:
    <http://www.eucybervote.org/Reports/MSI-WP2-D7V1-V1.0-02.htm>
 The security flaws are really below current standards:
 - weak MAC,
 - no protection against man-in-the-middle attacks,
 - same key is used for authentication and encryption,
 - no protection against TCP connection closing.

 I think we shouldn't ship browsers with SSLv2 enabled transparently by
 default, and I suggest other browsers move to the same configuration.

 [ Of course, it would be nicer if Mozilla-based browsers would source a
 common config file. ]

 This is bug #303849, where you can see that networksolutions.com uses
 SSLv2!

   Bye,
-- 
Loïc Minier <lool@dooz.org>
"Neutral President: I have no strong feelings one way or the other."
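An added example, not part of the original mail: a small auditor for the Mozilla-style prefs syntax the message refers to, `pref("security.enable_ssl2", false);` in default-prefs.js. It treats a missing pref as "enabled", matching the builtin default the mail reports for Firefox, Mozilla and Epiphany, and can emit a hardened copy of the file; the sample prefs files are constructed for this example.

```javascript
// Parse pref()/user_pref() calls from a Mozilla prefs file into name -> value.
// Handles boolean, integer and string values; comment lines and anything
// that is not a pref() call are ignored. Trailing "// ..." comments are fine
// because the pattern is anchored at the start of the line only.
function parsePrefs(text) {
  const prefs = {};
  const re = /^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\)\s*;/;
  for (const line of text.split("\n")) {
    const m = re.exec(line);
    if (!m) continue;
    const [, name, value] = m;
    if (value === "true" || value === "false") prefs[name] = value === "true";
    else if (value.startsWith('"')) prefs[name] = value.slice(1, -1);
    else prefs[name] = parseInt(value, 10);
  }
  return prefs;
}

const SSL2_PREF = "security.enable_ssl2";

// Report whether SSLv2 is enabled. An absent pref counts as enabled, since the
// builtin default in the non-Galeon browsers named in the mail was true.
function ssl2Status(text) {
  const prefs = parsePrefs(text);
  const explicit = Object.prototype.hasOwnProperty.call(prefs, SSL2_PREF);
  return { ssl2Enabled: explicit ? prefs[SSL2_PREF] === true : true, explicit };
}

// Return a hardened copy of the prefs text: rewrite an existing
// security.enable_ssl2 line to false, or append one if none exists.
function disableSsl2(text) {
  const lineRe = /^\s*(?:user_)?pref\(\s*"security\.enable_ssl2"\s*,\s*[^)]*\)\s*;.*$/;
  const lines = text.split("\n");
  let rewritten = false;
  const out = lines.map((l) => (lineRe.test(l) ? (rewritten = true, `pref("${SSL2_PREF}", false);`) : l));
  if (!rewritten) out.push(`pref("${SSL2_PREF}", false);`);
  return out.join("\n");
}

// Constructed samples: one modelled on Galeon's default-prefs.js, one with no
// explicit SSLv2 setting (so the builtin default applies).
const GALEON_DEFAULT_PREFS = [
  "// constructed sample modelled on Galeon default-prefs.js",
  'pref("security.enable_ssl2", false); // SSLv2 off',
  'pref("security.enable_ssl3", true);',
  'pref("security.enable_tls", true);',
].join("\n");
const NO_SSL2_PREF = [
  "// constructed sample: no explicit SSLv2 pref",
  'pref("browser.startup.homepage", "http://www.example.org/");',
].join("\n");
```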