SSLv2 insecure - should be disabled by default

Loc Minier lool@dooz.org
Mon, 11 Apr 2005 09:39:19 +0200


        Hi,

On Sun, Apr 10, 2005, Eric Dorland wrote:
> I would probably agree with this assessment. I had not realized SSLv2
> had so many inherent weaknesses. As an alternative, we should probably
> disable all 40-bit variants of the ssl protocols, since 40-bit
> encryption doesn't provide a realistic amount of security these
> days. I don't know how many sites use 40-bit anymore though. If it's
> still a lot, that could be an unpopular move. 

 Is this only a configuration change, such as
 security.ssl3.rsa_rc2_40_md5 = false?

 Such a change could be advertized in NEWS.Debian, with quick
 explanations on how to revert that on a system-wide or per-user basis.

 (I wonder if we shouldn't have a common postinst-snipset or a common
 config file to store such things and make the move at a single place.)

 Sample I'll ship in my next README.Debian upload:

Mozilla parameters
------------------
In some particular cases, you might need to setup the underlying Mozilla
components of Galeon.  This can be done via the .galeon/mozilla/galeon/user.js
file.  For example, to enable SSLv2 (which is disabled by default for security
reasons), insert the following JavaScript snipset:
    // SSLv2 is disabled by default because of security issues
    user_pref("security.enable_ssl2", true);

You can list other values by visiting the "about:config" page.



    Bye,
-- 
Loc Minier <lool@dooz.org>
"Neutral President: I have no strong feelings one way or the other."