SSLv2 insecure - should be disabled by default
Loïc Minier
lool@dooz.org
Mon, 11 Apr 2005 09:39:19 +0200
Hi,
On Sun, Apr 10, 2005, Eric Dorland wrote:
> I would probably agree with this assessment. I had not realized SSLv2
> had so many inherent weaknesses. As an alternative, we should probably
> disable all 40-bit variants of the ssl protocols, since 40-bit
> encryption doesn't provide a realistic amount of security these
> days. I don't know how many sites use 40-bit anymore though. If it's
> still a lot, that could be an unpopular move.
Is this only a configuration change, such as
security.ssl3.rsa_rc2_40_md5 = false?
Such a change could be advertised in NEWS.Debian, with quick
explanations on how to revert that on a system-wide or per-user basis.
(I wonder if we shouldn't have a common postinst snippet or a common
config file to store such things and make the move at a single place.)
Sample I'll ship in my next README.Debian upload:
Mozilla parameters
------------------
In some particular cases, you might need to set up the underlying Mozilla
components of Galeon. This can be done via the .galeon/mozilla/galeon/user.js
file. For example, to enable SSLv2 (which is disabled by default for security
reasons), insert the following JavaScript snippet:
// SSLv2 is disabled by default because of security issues
user_pref("security.enable_ssl2", true);
You can list other values by visiting the "about:config" page.
Bye,
--
Loïc Minier <lool@dooz.org>
"Neutral President: I have no strong feelings one way or the other."
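An added example, not part of the mail above: a small Node.js audit that parses a user.js file for `user_pref(...)` lines and flags the weak settings the thread discusses (SSLv2 re-enabled, 40-bit export ciphers enabled). The sample file content is constructed for the example, and the rule that 40-bit cipher prefs carry "_40_" in their name is an assumption about Mozilla's naming convention.

```javascript
// Added example (not from the original mail): audit a Mozilla user.js for
// the weak SSL prefs discussed in the thread. Assumes Node.js.

// Prefs named on the mailing-list page; "weakValue" is the setting to flag.
const WEAK_PREFS = {
  "security.enable_ssl2": { weakValue: true, why: "SSLv2 has inherent protocol weaknesses" },
  "security.ssl3.rsa_rc2_40_md5": { weakValue: true, why: "40-bit export cipher" },
};
// Assumed naming convention: export-grade cipher prefs carry "_40_" in the name.
const FORTY_BIT_RE = /^security\.ssl3\..*_40_.*$/;
// Matches one user_pref(name, value); anything after the ';' (e.g. a // comment) is ignored.
const PREF_LINE_RE = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\s*\);/;

// Parse user.js text into a Map of pref name -> JS value (bool, number or string).
function parseUserJs(text) {
  const prefs = new Map();
  for (const line of text.split("\n")) {
    const m = PREF_LINE_RE.exec(line);
    if (!m) continue; // blank lines, comments and malformed lines are skipped
    const [, name, value] = m;
    prefs.set(name, value === "true" ? true : value === "false" ? false : JSON.parse(value));
  }
  return prefs;
}

// Return the prefs that enable a weak protocol or cipher, sorted by name.
function auditPrefs(prefs) {
  const findings = [];
  for (const [name, value] of prefs) {
    const known = WEAK_PREFS[name];
    if (known && value === known.weakValue) findings.push({ pref: name, reason: known.why });
    else if (!known && FORTY_BIT_RE.test(name) && value === true)
      findings.push({ pref: name, reason: "40-bit export cipher" });
  }
  return findings.sort((a, b) => a.pref.localeCompare(b.pref));
}

// Constructed sample user.js; rsa_rc4_40_md5 is an assumed pref name following the "_40_" convention.
const SAMPLE_USER_JS = `// sample user.js (constructed)
user_pref("security.enable_ssl2", true); // re-enabled by a user
user_pref("security.ssl3.rsa_rc2_40_md5", false);
user_pref("security.ssl3.rsa_rc4_40_md5", true);
user_pref("browser.startup.homepage", "about:blank");
`;

console.log(auditPrefs(parseUserJs(SAMPLE_USER_JS)));
```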