SSLv2 insecure - should be disabled by default

Eric Dorland
Sun, 10 Apr 2005 15:28:46 -0400

Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

* Lo?c Minier ( wrote:
>         Hi,
>  Galeon has specifically SSLv2 disabled in it's defaults
>  (security.enable_ssl2 is set to false in default-prefs.js).
>  I checked Firefox, Mozilla, and Epiphany: they all have this setting
>  set to true by default.
>  Upstream told me SSLv2 is quite insecure and shouldn't be in use in
>  current implementations.
>  I've searched for a summary of SSLv2 flaws, the best I could come up
>  with is at:
>     <>
>  The security flaws are really below current standards:
>  - weak MAC,
>  - no protection against man-in-the-middle attacks,
>  - same key is used for authentification and encryption,
>  - no protection against TCP connection closing.
>  I think we shouldn't ship browsers with SSLv2 enabled transparently by
>  default, and I suggest other browsers move to the same configuration.
>  [ Of course, it would be nicer if Mozilla-based browsers would source a
>  common config file. ]
>  This is bug #303849, where you can see that uses
>  SSLv2!

I would probably agree with this assessment. I had not realized SSLv2
had so many inherent weaknesses. As an alternative, we should probably
disable all 40-bit variants of the ssl protocols, since 40-bit
encryption doesn't provide a realistic amount of security these
days. I don't know how many sites use 40-bit anymore though. If it's
still a lot, that could be an unpopular move.=20

Eric Dorland <>
ICQ: #61138586, Jabber:
1024D/16D970C6 097C 4861 9934 27A0 8E1C  2B0A 61E9 8ECF 16D9 70C6

Version: 3.12
GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+=20
O? M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+=20
G e h! r- y+=20

Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

Version: GnuPG v1.4.0 (GNU/Linux)