SSLv2 insecure - should be disabled by default

Eric Dorland eric@debian.org
Mon, 11 Apr 2005 20:51:39 -0400


* Loïc Minier (lool@dooz.org) wrote:
>         Hi,
>
> On Sun, Apr 10, 2005, Eric Dorland wrote:
> > I would probably agree with this assessment. I had not realized SSLv2
> > had so many inherent weaknesses. As an alternative, we should probably
> > disable all 40-bit variants of the ssl protocols, since 40-bit
> > encryption doesn't provide a realistic amount of security these
> > days. I don't know how many sites use 40-bit anymore though. If it's
> > still a lot, that could be an unpopular move.
>
>  Is this only a configuration change, such as
>  security.ssl3.rsa_rc2_40_md5 = false?

Yes. There are a few more 40-bit ciphers though.

>  Such a change could be advertised in NEWS.Debian, with quick
>  explanations on how to revert that on a system-wide or per-user basis.

Good idea.

>  (I wonder if we shouldn't have a common postinst snippet or a common
>  config file to store such things and make the move at a single place.)

It would certainly be possible, probably should be targeted
post-sarge.

>  Sample I'll ship in my next README.Debian upload:
>
> Mozilla parameters
> ------------------
> In some particular cases, you might need to set up the underlying Mozilla
> components of Galeon.  This can be done via the .galeon/mozilla/galeon/user.js
> file.  For example, to enable SSLv2 (which is disabled by default for security
> reasons), insert the following JavaScript snippet:
>     // SSLv2 is disabled by default because of security issues
>     user_pref("security.enable_ssl2", true);
>
> You can list other values by visiting the "about:config" page.

Well, Firefox (and I'm pretty sure straight Mozilla) has checkboxes in
the Preferences dialog for SSLv2 as well.

-- 
Eric Dorland <eric.dorland@mail.mcgill.ca>
ICQ: #61138586, Jabber: hooty@jabber.com
1024D/16D970C6 097C 4861 9934 27A0 8E1C  2B0A 61E9 8ECF 16D9 70C6

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+
O? M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+
G e h! r- y+
------END GEEK CODE BLOCK------
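The thread above discusses two user.js knobs: `security.enable_ssl2` and the 40-bit cipher prefs such as `security.ssl3.rsa_rc2_40_md5`. The following is an added example, not code from the thread, from the Debian packages, or from Mozilla: it parses a user.js file in the `user_pref("name", value);` format shown in the README.Debian text, reports SSLv2 and any explicitly enabled 40-bit suite, and writes out a hardened file with all of them switched off. Only the two pref names quoted in the thread are taken from the page; the other pref names in the list (`security.ssl3.rsa_rc4_40_md5`, `security.ssl2.rc2_40`, `security.ssl2.rc4_40`) are assumptions about Mozilla of that era and should be checked against about:config. The sample user.js embedded in the block is constructed for the example.

```javascript
// Audit and harden a Mozilla-style user.js for the settings discussed in
// this thread: SSLv2 on/off and the 40-bit cipher suites. Added example,
// not Debian's or Mozilla's code. Only security.enable_ssl2 and
// security.ssl3.rsa_rc2_40_md5 are named in the thread; the other pref
// names below are assumed and should be checked against about:config.
const SSL2_PREF = "security.enable_ssl2";
const WEAK_CIPHER_PREFS = [
  "security.ssl3.rsa_rc2_40_md5", // named in the thread
  "security.ssl3.rsa_rc4_40_md5", // assumed pref name
  "security.ssl2.rc2_40",         // assumed pref name
  "security.ssl2.rc4_40",         // assumed pref name
];

// One user_pref("name", value); call, optionally followed by a // comment.
const USER_PREF_RE = /^user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;/;

// Generic rule: a security.ssl2/ssl3 pref whose name carries "_40" is a
// 40-bit suite even if it is not in the list above.
function looksFortyBit(name) {
  return WEAK_CIPHER_PREFS.includes(name) ||
    (/^security\.ssl[23]\./.test(name) && /_40(_|$)/.test(name));
}

// Turn the literal on the right-hand side of user_pref() into a JS value.
function parseValue(src) {
  if (src === "true") return true;
  if (src === "false") return false;
  if (/^-?\d+$/.test(src)) return Number(src);
  if (/^".*"$/.test(src)) {
    try { return JSON.parse(src); } catch (e) { return src.slice(1, -1); }
  }
  return src; // unrecognised literal, kept verbatim
}

// Parse user.js text into a Map of pref name -> value. Last write wins,
// which is also how Mozilla applies the file.
function parseUserJs(text) {
  const prefs = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("//")) continue;
    const m = USER_PREF_RE.exec(line);
    if (m) prefs.set(m[1], parseValue(m[2]));
  }
  return prefs;
}

// Report weak settings. SSLv2 is flagged when explicitly enabled or when
// the pref is missing, since the thread's premise is that the default of
// the time leaves it on. 40-bit suites are flagged only when set to true.
function audit(prefs) {
  const findings = [];
  const ssl2 = prefs.get(SSL2_PREF);
  if (ssl2 === undefined) {
    findings.push({ pref: SSL2_PREF, value: undefined, reason: "not set; SSLv2 stays enabled by default" });
  } else if (ssl2 === true) {
    findings.push({ pref: SSL2_PREF, value: true, reason: "SSLv2 explicitly enabled" });
  }
  for (const [name, value] of prefs) {
    if (looksFortyBit(name) && value === true) {
      findings.push({ pref: name, value, reason: "40-bit cipher suite enabled" });
    }
  }
  return findings;
}

// Serialise one value back into user.js syntax.
function formatValue(value) {
  return typeof value === "string" ? JSON.stringify(value) : String(value);
}

// Return user.js text with SSLv2 and every known or recognised 40-bit
// suite switched off; all other prefs are preserved in their original order.
function harden(prefs) {
  const fixed = new Map(prefs);
  fixed.set(SSL2_PREF, false);
  for (const name of WEAK_CIPHER_PREFS) fixed.set(name, false);
  for (const name of fixed.keys()) if (looksFortyBit(name)) fixed.set(name, false);
  const lines = ["// SSLv2 and 40-bit cipher suites disabled for security reasons"];
  for (const [name, value] of fixed) {
    lines.push(`user_pref(${JSON.stringify(name)}, ${formatValue(value)});`);
  }
  return lines.join("\n") + "\n";
}

// Constructed sample: a user who re-enabled SSLv2 following the README
// text above, with one 40-bit suite left on and one already off.
const SAMPLE_USER_JS = [
  "// SSLv2 is disabled by default because of security issues",
  'user_pref("security.enable_ssl2", true);',
  'user_pref("security.ssl3.rsa_rc2_40_md5", true); // left on',
  'user_pref("security.ssl3.rsa_rc4_40_md5", false);',
  'user_pref("browser.startup.homepage", "http://www.debian.org/");',
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  const prefs = parseUserJs(SAMPLE_USER_JS);
  for (const f of audit(prefs)) console.log(`${f.pref}: ${f.reason}`);
  process.stdout.write("\nHardened user.js:\n" + harden(prefs));
}
```

Run it with `node audit-userjs.js` (file name assumed) against the sample to see the two findings, then feed the printed block into `~/.galeon/mozilla/galeon/user.js` or the equivalent Firefox profile file; because `user_pref()` entries are re-applied on every start, a stale `true` line anywhere later in the file would win, which is why the hardened output rewrites the whole file rather than appending.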
