SSLv2 insecure - should be disabled by default
Sun, 10 Apr 2005 15:28:46 -0400
* Loïc Minier (firstname.lastname@example.org) wrote:
> Galeon has specifically SSLv2 disabled in its defaults
> (security.enable_ssl2 is set to false in default-prefs.js).
> I checked Firefox, Mozilla, and Epiphany: they all have this setting
> set to true by default.
> Upstream told me SSLv2 is quite insecure and shouldn't be in use in
> current implementations.
> I've searched for a summary of SSLv2 flaws, the best I could come up
> with is at:
> The security flaws are really below current standards:
> - weak MAC,
> - no protection against man-in-the-middle attacks,
> - same key is used for authentication and encryption,
> - no protection against TCP connection closing.
> I think we shouldn't ship browsers with SSLv2 enabled transparently by
> default, and I suggest other browsers move to the same configuration.
> [ Of course, it would be nicer if Mozilla-based browsers would source a
> common config file. ]
> This is bug #303849, where you can see that networksolutions.com uses
I would probably agree with this assessment. I had not realized SSLv2
had so many inherent weaknesses. As an alternative, we should probably
disable all 40-bit variants of the ssl protocols, since 40-bit
encryption doesn't provide a realistic amount of security these
days. I don't know how many sites use 40-bit anymore though. If it's
still a lot, that could be an unpopular move.
Eric Dorland <email@example.com>