Slashdot Mirror


Firefox Moving On From SSL 2.0

Juha-Matti Laurio writes "Plans are afoot to remove support for SSL version 2.0 in Mozilla Firefox, reports MozillaZine portal. Mozilla Foundation is eager to disable support for SSL 2.0 and have all Firefox installations use only the newer and more secure SSL 3.0 and TLS 1.0 protocols." From the post: "Netscape Communications Corporation introduced SSL 2.0 with the launch of Netscape Navigator 1.0 in 1994. Netscape Navigator 2.0 included support for SSL 3.0 when it was released in 1996. The specification for TLS 1.0, essentially a standardized version of SSL 3.0 with some differences, was published in 1999."

131 comments

  1. Online banking by Saiyine · · Score: 4, Interesting


    How will this affect the end user? Will it break the online banking webs?

    --
    Superb hosting 4800MB Storage, 120GB bandwidth, $7,95.
    Kunowalls!!! Random sexy wallpapers (NSFW!).

    --
    Hosting 20G hd, 1Tb bw! ssh $7.95
    1. Re:Online banking by daviqh · · Score: 2, Funny

      It shouldn't and if it does, then the Mozilla Corporation will urge that they use SSL 3.0.

      --
      Microsoft is like...no, it's much worse.
    2. Re:Online banking by AKAImBatman · · Score: 4, Informative

      In theory, it shouldn't break anything. SSL 2.0 is so old that it should have gone the way of the Dodo bird. The point of removing 2.0 from Firefox is to force an upgrade by anyone who might be lame enough to still be running such old and insecure technology.

    3. Re:Online banking by elwin_windleaf · · Score: 2, Insightful

      I'm not sure if this is just my knee-jerk reaction from using old technology frequently, but when I hear "remove support" it usually gets associated with bad things in my mind...

    4. Re:Online banking by Anonymous Coward · · Score: 0

      Please do not spam with a fake sig. Thanks

    5. Re:Online banking by ergo98 · · Score: 3, Insightful

      SSL 2.0 is so old that it should have gone the way of the Dodo bird. The point of removing 2.0 from Firefox is to force an upgrade by anyone who might be lame enough to still be running such old and insecure technology.

      Good point. Hopefully they can catch the morons running TCP/IP and HTTP as well, those idiots.

    6. Re:Online banking by Anonymous Coward · · Score: 0

      Yes it will, if they're still using v2. From what the mozilla guys have said there are only about 2000 known sites that break. Apparently a "rather large ISP" recently upgraded to 3.0 and that removed the last large chunk of servers that were still on v2.

      2000 sites on the whole web isn't really a lot. But yes, some sites will break.

    7. Re:Online banking by AKAImBatman · · Score: 1

      Uh, yeah. Expect that 3.0 has been the recommended replacement for nearly 10 years now. So in this case, it SHOULD have been replaced due to its age, not to mention its insecurity.

    8. Re:Online banking by macdaddy · · Score: 1

      Honestly, no. The laws governing financial institutions and the protection of their customers' financial data should prevent banks from supporting SSL 2.0 or less. I can't think of any bank websites that I've come across that require anything less than a browser with 128-bit SSL encryption. Now I must admit that my memory is a bit rusty on this topic but I believe most browsers started offering 128-bit encryption when they moved to SSL 3.0 (but not on 2.0 certs). IE5 comes to mind.

    9. Re:Online banking by ergo98 · · Score: 5, Interesting

      So in this case, it SHOULD have been replaced due to its age, not to mention its insecurity.

      No, it should have been replaced due to its insecurity. Period.

      The age thing is the same sort of lame distraction that makes crypto-naives rush to whatever newly announced algorithm comes out, burning themselves when it is vetted and found to have dozens of weaknesses. Your original message clearly put all of the emphasis on the age factor as if we all need to carbon date all of the technologies we use to determine worthiness.

    10. Re:Online banking by Iriel · · Score: 4, Insightful

      Then again, there are some people that still work on standards older than dirt. I work for a company whose site still gets hits from people browsing with Netscape 3.0 Gold.

      Sometimes, I think one thing that holds Mozilla/Firefox back from wider adoption is the fact that many people are lazy enough to make a site only work in IE, and Firefox would break someone's favorite page as a result. It's the very standards we strive for that leave the masses lagging. I don't know what companies still use SSL2.0 for anything, but I don't doubt the existence of enough to make a developer cringe.

      --
      Perfecting Discordia
      www.stevenvansickle.com
    11. Re:Online banking by niney · · Score: 2, Insightful

      Mozilla isn't really in a position to be telling banks what to support. The banks will just block them out again if their browser doesn't do what they want. (Yes, I know, you can spoof your user agent string, but not everyone will do this)

      In the past, it's been the other way around, they had to support autocomplete=off (an IE tag) due to insistence from banks: (bugzilla link)

    12. Re:Online banking by AKAImBatman · · Score: 3, Insightful

      Let me put it this way: It should have been replaced due to its age in relation to the maturity of the newer versions available. Especially when compared with the insecurity of the old version vs. the proven security of the new version.

      Happy?

    13. Re:Online banking by bill_mcgonigle · · Score: 5, Informative

      How will this affect the end user? Will it break the online banking webs?

      No - to be a Visa affiliate (partner, whatever it's called) you can't even accept SSL 2.0 connections.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    14. Re:Online banking by Anonymous Coward · · Score: 0

      Sometimes, I think one thing that holds Mozilla/Firefox back from wider adoption is the fact that many people are lazy enough to make a site only work in IE, and Firefox would break someone's favorite page as a result.

      Sometimes I think that too.

    15. Re:Online banking by Tony+Hoyle · · Score: 4, Informative

      Co-operative Bank in the UK were SSLv2 only until only recently (~9 months ago IIRC), when they replaced their entire online site with a new one.

      When I queried it they said it was because their version of java didn't support v3.

      I changed banks.

    16. Re:Online banking by Anonymous Coward · · Score: 0
      Happy?

      No. I absolutely must have the last word. There. Now I'm happy.

      AC on behalf of ergo98.

    17. Re:Online banking by Anonymous Coward · · Score: 0

      I work for a company whose site still gets hits from people browsing with Netscape 3.0 Gold.

      Sorry, that was me, but that user-agent string is just fake. I use that whenever I'm not claiming to be GoogleBot.

      Kidding aside, NS3.0 had support for SSL 3.0, as did NS 2.0. Personally, I haven't seen NS 2.0 for quite some time.

    18. Re:Online banking by Anonymous Coward · · Score: 1, Informative

      Tools -> Options -> Advanced -> Security

      Uncheck SSL 2.0

      Test away.

    19. Re:Online banking by AdamWeeden · · Score: 2, Insightful

      I think one thing that holds Mozilla/Firefox back from wider adoption is the fact that many people are lazy enough to make a site only work in IE

      In some cases it isn't a decision of laziness, but of business. My former employer (a web development firm) determined the webshare that non IE browsers got for one of our clients. It was only 5%. They then determined how much business that client did per year and figured out how many extra hours (and thus extra cost to the client) it would cost to make the features we were developing acceptable by alternative browsers (FF/Netscape/Mozilla/Opera/etc). The cost outweighed the extra profit, so we developed IE centric solutions.

      Keep in mind I say this as someone who uses Firefox almost exclusively.

      --
      I was quoted out of context in my autobiography...
    20. Re:Online banking by jZnat · · Score: 1

      And that damn proprietary attribute (that doesn't seem to be disableable) is used by a few E-Mail providers *cough* in order to piss me off by making me use an easier password rather than a 20+ character one generated by something like KeePass.

      --
      'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
    21. Re:Online banking by Anonymous Coward · · Score: 0

      The way this works it would be really silly to specifically exclude a browser for lack of SSL2.0. Either you support SSL3.0 on the server side, then there is no reason to exclude a non-2.0 browser, or you don't support SSL3.0 on the server side, then there is no communication (the connection hangs), regardless of your user-agent string. This is an extremely annoying behaviour, for which both the Firefox developers and the website operator will receive complaints, but the only one with an easy _and_ secure fix is the webmaster. So that's where this is going to be solved.

    22. Re:Online banking by Anonymous Coward · · Score: 0
      they're not lazy, they're ignorant as well as insane.

      they go out of their way to make their sites only work for IE.

      I dunno why they do it, they're either BOFH or just plain insane in the membrain

    23. Re:Online banking by jZnat · · Score: 1

      Er, what about HTTP/1.1? It's around the same age as SSL 3.0 IIRC, so there's no harm in that.

      And TCP/IP is already trying to be updated (IPv6), but much less successfully as of now.

      --
      'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
    24. Re:Online banking by Cally · · Score: 3, Funny
      SSL 2.0 is so old that it should have gone the way of the Dodo bird.
      The game was up when a Bond villain, discovering that it's trivial to hack some top secret installation, says contemptuously "*pffft* , they're using SSL - version two." And that was in 1997.
      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    25. Re:Online banking by bunratty · · Score: 3, Insightful

      Of course, now that non-IE browsers are used three times as much as then, the extra profit should be three times greater and probably now outweighs the cost. Making the site compliant with non-IE browsers now will probably only cost more than it would have to support them to begin with, and the profit the site could have been making all this time from users of those browsers is now lost. It would have been more profitable to support non-IE browsers from the start, rather than reverse the decision to support IE.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    26. Re:Online banking by dolphinling · · Score: 3, Informative

      Go to about:config, right click and make a new boolean, name it wallet.crypto.autocompleteoverride, and set its value to 1 (or true).

      The banks don't let it be the default, or even have it be a normal preference, but it's okay to have it be hidden like that.

      --
      There are 11 types of people in the world: those who can count in binary, and those who can't.
    27. Re:Online banking by Anonymous Coward · · Score: 0

      Yea I had that the other day too. We had a project where we needed to input a few hundred million records into a database. I determined that the cost of writing a program parsing the file and inserting it was more than the cost of paying a bunch of student workers to enter the data by hand with an old terminal on one side and a new pc on the other. Now I only pray I never have to import the same kind of data again.

    28. Re:Online banking by swillden · · Score: 1

      The age thing is the same sort of lame distraction that makes crypto-naives rush to whatever newly announced algorithm comes out

      No, the age thing is just practicality, in this case. SSLv2 is old, and so you'd have to be running a really ancient web server to have one that doesn't do v3. How many could there be who haven't upgraded? Well, according to Netcraft, in 1995, when SSLv2 was the current standard for web security, there were around 19,000 web sites. Today there are around 70 million. So, even if all 1995 servers were left un-updated, and all of them used SSL, that means that today only around 0.03% of the web uses SSLv2. But, in fact, very few sites back then used SSL at all... if we're generous and call it 10%, then that's 0.003% of sites today, but only if none of them updated to a newer web server. I think it's safe to assume that 99% of them have updated, given how much web server technology has matured since then, so I'd estimate there may be something on the order of 20 web sites in the world using SSLv2 today. Probably less, since sites that care about security are mostly commercial sites, and they both constituted a smaller proportion of the total sites back then, and are more likely to have updated.

      Security is the reason SSLv2 *should* be gone. Age is the reason it is gone.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    29. Re:Online banking by jonwil · · Score: 1

      Written properly, you should be able to make code that is cross-browser from day one without adding extra headaches vs developing specifically for IE.

      You just develop for the subset of HTML that is supported by all the browsers (i.e. IE6/7, Firefox, Mozilla, Opera, Safari) and only write browser specific hacks when there is no way to get it done any other way (e.g. to work around bugs in IE).

      Disclaimer: IANA web developer so I could be off base as to how hard it is to do this in a real world setting. Also, I have no idea how many people out there need to support old browsers like IE5 or IE/NS4.

    30. Re:Online banking by Anonymous Coward · · Score: 0

      You've never heard of Perl, have you?

      You must be new around here.

    31. Re:Online banking by Anonymous Coward · · Score: 0

      In the context of the discussion this makes absolutely no sense. I suspect this moron AC replied to himself to imagine himself the victor, when in reality he came out looking the idiot.

    32. Re:Online banking by Anonymous Coward · · Score: 0

      just plain insane in the membrain

      That would be membrane.

    33. Re:Online banking by macdaddy · · Score: 1

      That's very interesting. What the hell version of Java are they running anyways? Java was pretty damned infantile before SSLv3 came out.

    34. Re:Online banking by Anonymous Coward · · Score: 0

      No NO, I've heard of it. The cost of learning a new skill was not worth it to my employer. I will do everything in excel vba or nothing at all.

    35. Re:Online banking by Anonymous Coward · · Score: 0

      Well, I'm running an OS that has IPv6 enabled by default.

      Now, my router doesn't, but that's because IPv4 is working fine for the time being. In the future it is quite possible for that to change.

    36. Re:Online banking by evilviper · · Score: 1
      [...] it should have gone the way of the Dodo bird.

      As opposed to the Dodo fish, the Dodo plant, and the Dodo subatomic particle. ;-)
      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    37. Re:Online banking by Anonymous Coward · · Score: 0

      Breaking? No... they are already broken. You shouldn't use online banking w/ banks that do not focus on security. And I think that Mozilla should educate users to avoid these sites. (For avoidance of money loss, of course)

  2. Good by Metteyya · · Score: 0, Flamebait

    If this technology is 11 years old, then I don't think anyone would like to use it today. Especially if it's encryption standard.

    1. Re:Good by AKAImBatman · · Score: 4, Insightful

      Ooo! You're right! We better tell people to stop using RSA and HTTP immediately!

      Be careful about such sweeping statements, please. They're more often wrong than right. And I know of quite a few people who are happy that RSA is finally out of patent protection. :-)

    2. Re:Good by ergo98 · · Score: 4, Insightful

      If this technology is 11 years old, then I don't think anyone would like to use it today. Especially if it's encryption standard.

      RSA was designed in 1977.

      Age means absolutely nothing (for any technology), and instead any calls for replacement need to detail exactly what the weaknesses are and how they've been resolved in newer variants.

    3. Re:Good by Dachannien · · Score: 2, Insightful

      I've been using POP to fetch my e-mail from the same address for 11 years.

    4. Re:Good by DA-MAN · · Score: 2

      I've been using POP to fetch my e-mail from the same address for 11 years.

      Oh, I'm so sorry. . .

      Maybe you should look into IMAP! :)

      --
      Can I get an eye poke?
      Dog House Forum
    5. Re:Good by kerry-buckley · · Score: 1
      Be careful about such sweeping statements, please. They're more often wrong than right.
      "More often"? Sweeping generalisations are always wrong!
    6. Re:Good by Anonymous Coward · · Score: 1, Funny

      Age means absolutely nothing (for any technology), and instead any calls for replacement need to detail exactly what the weaknesses are and how they've been resolved in newer variants.

      That's exactly what I keep telling my girlfriend!

    7. Re:Good by TrappedByMyself · · Score: 1

      Be careful about such sweeping statements, please. They're more often wrong than right

      So sweeping statements aren't more often wrong?

      I'm still trying to figure out who shaves the damn barber!

      --

      Help me take back Slashdot. When did 'News for Nerds' become 'FUD and Conspiracy Theories for Extremist Nutjobs'?
    8. Re:Good by kunkie · · Score: 0

      If this technology is 11 years old, then I don't think anyone would like to use it today. The wheel has been used for thousands of years yet I can't find many people who don't want to use it...

    9. Re:Good by CuBr · · Score: 1

      I agree, you should be careful about sweeping statements. They are ALWAYS wrong.

    10. Re:Good by jZnat · · Score: 1

      HTTP isn't that outdated. I mean, at least it was updated more recently than MSIE's rendering engine was!

      Basically, SSL 2.0 is to HTTP/1.0 as SSL 3.0 is to HTTP/1.1

      --
      'Yes, firefox is indeed greater than women. Can women block pops up for you? No. Can Firefox show you naked women? Yes.'
    11. Re:Good by jacksonj04 · · Score: 1

      SSL 2.0 is to SSL 3.0 as HTTP/1.0 is to HTTP/1.1 surely?

      --
      How many people can read hex if only you and dead people can read hex?
    12. Re:Good by Dave2+Wickham · · Score: 1

      I don't know about you, but I certainly wouldn't want crude, tyre-less wheels on a racing car.

    13. Re:Good by Bert64 · · Score: 1

      But the difference here is, there is nothing which supersedes the wheel while still being easy enough (and therefore cheap) to implement.. Sure, we could build an aircraft or a helicopter but they're far more complex...
      On the other hand, the same systems which implement SSL2 can easily implement SSL3 instead, there is no reason to be using an obsolete technology when a better one is available for the same cost/effort.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    14. Re:Good by Anonymous Coward · · Score: 0

      Yes... because we're FORCED! I obviously want to have some secure options, but that is not available.

  3. Don't remove it - just disable it. by caluml · · Score: 3, Insightful

    Why remove - why not just disable, and make it an entry in a config file to re-enable it? I'm all for removing any software that is insecure, but this might cause trouble for users trying to access sites. It's all about choice, people.

    1. Re:Don't remove it - just disable it. by daviqh · · Score: 1

      The funny thing is that it isn't clear if they will remove it as says remove, and then disable, but they phrase it so that it appears as if the writer messed up and Mozilla is really disabling it. We will never really know.

      --
      Microsoft is like...no, it's much worse.
    2. Re:Don't remove it - just disable it. by Anonymous Coward · · Score: 1, Insightful

      It's all about choice, people.

      Of course. You can choose to use Firefox and not access certain sites, or you can choose to scrap Linux, install Windows, and use IE7 which will continue to support SSL2.0 -- and which will start luring users back away from Firefox.

      In all seriousness, I agree with you. Make it an option, not a necessity.

    3. Re:Don't remove it - just disable it. by sdirrim · · Score: 1

      Why remove it? This is going to cause some problems for older sites, and could cut down on Firefox's popularity, and that is important for a browser with less than 20% market share.

      --
      Not only "land of the free" but "land of the lawyers" who love a good old 1st amendment smackdown. Shihar 153932
    4. Re:Don't remove it - just disable it. by Leffe · · Score: 1

      If it was made an option deprecated services would just put in a notice to enable it instead of upgrade. And thus negate the change in Firefox.

    5. Re:Don't remove it - just disable it. by PornMaster · · Score: 1

      Or at least pop up a "HEY, THIS SITE IS USING 11 YEAR OLD ENCRYPTION, TELL THEM TO UPGRADE" dialog box.

    6. Re:Don't remove it - just disable it. by Spy+Hunter · · Score: 5, Informative

      That *is* what they're going to do.

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
    7. Re:Don't remove it - just disable it. by Anonymous Coward · · Score: 0

      I believe they're just flicking a switch in about:config to turn it off. v3 cannot run with v2 enabled because of the way the architecture works.

    8. Re:Don't remove it - just disable it. by ginotech · · Score: 1

      security_ssl2 = false just did that myself.

    9. Re:Don't remove it - just disable it. by Tony+Hoyle · · Score: 1

      My last bank was still using SSL2 only 12 months ago, and I've not heard they've changed.

    10. Re:Don't remove it - just disable it. by Anonymous Coward · · Score: 0

      Or at least pop up a "HEY, THIS SITE IS USING 11 YEAR OLD ENCRYPTION, TELL THEM TO UPGRADE" dialog box.

      But Firefox blocks pop-ups.

    11. Re:Don't remove it - just disable it. by aneroid · · Score: 1

      there are already 2 (basic) entries in about:config...
      security.enable_ssl2
      security.enable_ssl3

      there are more pertaining to specific encryptions like security.ssl2.des_ede3_192 and security.ssl3.dhe_dss_aes_256_sha.

      (right click -> 'toggle' to disable)

      i do agree that they shouldn't remove it; just 'disable by default'.

    12. Re:Don't remove it - just disable it. by iive · · Score: 1

      It is already disabled by default.
      And you haven't even noticed!!

  4. lol what by Anonymous Coward · · Score: 0

    omg ssl 3.0! *jumps to death*

    P.S. Slashdot is slow. Please fix. KTHXBYE

    P.P.S. Hilariously, my captcha is "lagoon". LOL

  5. Oh the heartbreak by infonography · · Score: 5, Funny

    All the good times we have shared with SSL 2.0, now they will be gone. SSL 2.0 will be locked in its room sobbing and won't come out for a week. Well Firefox, I hope you're satisfied, go on! Go off with your new Friends, see if SSL 2.0 cares.

    Oh and SSL 2.0 wants its ring back, otherwise there will be a messy lawsuit.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
  6. Uh.. okay? by Anonymous Coward · · Score: 0

    Is SSL3 backward compatible?

    1. Re:Uh.. okay? by Anonymous Coward · · Score: 0

      The browsers will always pick v2 over v3 for some strange reason that I don't understand

    2. Re:Uh.. okay? by DJCater · · Score: 1

      If you start a request with SSL3 HELLO, and the server has SSL2 only, the connection apparently hangs. However, vice versa doesn't, and means that a follow-up SSL3 HELLO can be sent if the first one fails (at least, that's how I see it.)

      --
      Sig Appended to the end of comments you post. 120 chars.
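      The two hello formats DJCater describes above can be told apart directly from the first bytes a client sends, which is what a defender needs when checking captures for clients that still speak the legacy format. The parser below is an added example for this thread, not code from the original post or from Mozilla: it classifies a ClientHello as SSLv2 framing or SSLv3/TLS framing, reports the version the client offers, and flags SSLv2-native cipher kinds. The `build_sslv2_hello` and `build_tls_hello` helpers, and the byte strings they produce, are constructed fixtures rather than captured traffic; the field layout follows the SSLv2 CLIENT-HELLO format and the TLS record layer (RFC 5246, including the SSLv2 compatibility rules in its Appendix E).

```python
"""Classify a captured SSL/TLS ClientHello by its wire format.

SSLv2 framing: high bit set on byte 0, 2-byte header, type 0x01, version,
cipher-spec/session-id/challenge lengths; an SSLv3 server can still answer
it when the version field says 3.0 or higher. SSLv3/TLS framing: type 0x16,
version, length, handshake type 0x01, 3-byte length, client_version; an
SSLv2-only server cannot parse this at all (RFC 5246, Appendix E).
"""
from dataclasses import dataclass, field
from typing import List, Tuple

VERSION_NAMES = {(0, 2): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
                 (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}

@dataclass
class HelloInfo:
    wire_format: str                      # "sslv2" or "sslv3"
    client_version: str                   # highest version the client offers
    cipher_specs: List[Tuple[int, ...]] = field(default_factory=list)
    legacy_ciphers: bool = False          # SSLv2-native cipher kinds present

def version_name(major: int, minor: int) -> str:
    return VERSION_NAMES.get((major, minor), f"unknown ({major}.{minor})")

def parse_sslv2_hello(data: bytes) -> HelloInfo:
    """Parse a CLIENT-HELLO in SSLv2 record format."""
    if len(data) < 11 or not data[0] & 0x80:
        raise ValueError("not an SSLv2 record with a 2-byte header")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) != rec_len or rec_len < 9 or body[0] != 0x01:
        raise ValueError("truncated record or not CLIENT-HELLO")
    major, minor = body[1], body[2]
    cs_len = int.from_bytes(body[3:5], "big")
    sid_len = int.from_bytes(body[5:7], "big")
    ch_len = int.from_bytes(body[7:9], "big")
    if cs_len % 3 or 9 + cs_len + sid_len + ch_len != len(body):
        raise ValueError("inconsistent CLIENT-HELLO lengths")
    raw = body[9:9 + cs_len]
    specs = [tuple(raw[i:i + 3]) for i in range(0, cs_len, 3)]
    # SSLv3/TLS suites ride in this format as 00 XX YY; a nonzero first byte
    # (e.g. 01 00 80 = SSL2 RC4_128_WITH_MD5) marks an SSLv2-only cipher.
    legacy = any(s[0] != 0 for s in specs)
    return HelloInfo("sslv2", version_name(major, minor), specs, legacy)

def parse_sslv3_hello(data: bytes) -> HelloInfo:
    """Parse a ClientHello in SSLv3/TLS record format."""
    if len(data) < 11 or data[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_len = int.from_bytes(data[3:5], "big")
    body = data[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 45 or body[0] != 0x01:
        raise ValueError("truncated record or not ClientHello")
    if int.from_bytes(body[1:4], "big") != len(body) - 4:
        raise ValueError("inconsistent handshake length")
    major, minor = body[4], body[5]
    sid_len = body[38]                    # follows 2-byte version + 32-byte random
    pos = 39 + sid_len
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    raw = body[pos + 2:pos + 2 + cs_len]
    if cs_len % 2 or len(raw) != cs_len:
        raise ValueError("inconsistent cipher_suites length")
    suites = [tuple(raw[i:i + 2]) for i in range(0, cs_len, 2)]
    return HelloInfo("sslv3", version_name(major, minor), suites, False)

def classify_hello(data: bytes) -> HelloInfo:
    """Dispatch on the first byte: high bit set means SSLv2 framing."""
    if data and data[0] & 0x80:
        return parse_sslv2_hello(data)
    return parse_sslv3_hello(data)

def is_client_hello(data: bytes) -> bool:
    try:
        classify_hello(data)
        return True
    except ValueError:
        return False

# Constructed sample hellos for demonstration; these are not captured traffic.
def build_sslv2_hello(major, minor, specs, challenge=b"\x11" * 16) -> bytes:
    cs = b"".join(bytes(s) for s in specs)
    body = (bytes([0x01, major, minor]) + len(cs).to_bytes(2, "big")
            + b"\x00\x00" + len(challenge).to_bytes(2, "big") + cs + challenge)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body

def build_tls_hello(major, minor, suites, rand=b"\x22" * 32) -> bytes:
    cs = b"".join(bytes(s) for s in suites)
    hello = (bytes([major, minor]) + rand + b"\x00"                # empty session id
             + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")       # null compression
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return bytes([0x16, major, minor]) + len(hs).to_bytes(2, "big") + hs
```

      Feed `classify_hello` the first record a client sends: `build_sslv2_hello(0, 2, [(1, 0, 0x80)])` is a pure SSLv2 client, `build_sslv2_hello(3, 0, [(0, 0, 0x35)])` is the SSLv2-framed "compatible" hello that an SSLv3 server can answer, and `build_tls_hello(3, 1, [(0, 0x35), (0, 0x0A)])` is the SSLv3/TLS framing an SSLv2-only server cannot read. For monitoring, the interesting findings are `wire_format == "sslv2"` with `client_version == "SSL 2.0"` (a client that offers nothing newer) and `legacy_ciphers` (SSLv2-only cipher kinds still advertised).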
  7. SSL 3 since 1996! by Anakron · · Score: 1

    I'd be very surprised if any sites are still using SSL 2.0
    Seeing a nice yellow "secure" address bar is reassuring for most people (I assume. It's reassuring to me). Using a known bad encryption scheme is almost like fraud, then.

    --
    There are 11 types of people. Those who understand binary, those who don't and those who are sick of this lame joke.
    1. Re:SSL 3 since 1996! by daviqh · · Score: 1

      It makes us all feel much safer, let's just hope no one writes a script to show the yellow bar when not secure.

      --
      Microsoft is like...no, it's much worse.
    2. Re:SSL 3 since 1996! by jonadab · · Score: 1

      > Seeing a nice yellow "secure" address bar is reassuring for most people

      Err, no. Yellow is *not* a reassuring color. Blue is a reassuring color. Green, maybe. Yellow is usually associated with warnings and danger. And of course there's the obvious truism that most computer users don't know what SSL is or what the implications are.

      --
      Cut that out, or I will ship you to Norilsk in a box.
  8. Supporting the latest by LegendOfLink · · Score: 5, Funny

    What always amazes me about the Mozilla Foundation is the push to support the newest and latest.

    Now everybody might be thinking this is good for security and all; but I like it because of other reasons: namely because it allows me to exude tech eliteness amongst normal Windows users. Yep, I'm serious. I'm an IT admin, and people will tell me, "Dude, how do I stop spyware?" What do I say?

    I preach Firefoxism and nobody can argue back. What can they say? Um, IE has really awesome, um...Active-something controls...which causes the spyware in my computer to make my machine inoperable...um...yeah. It's great. And no matter what Microsoft puts out, it'll always be one step behind! Thanks Mozilla!

    1. Re:Supporting the latest by kerplunk1984 · · Score: 1
      What I would say to that is that while Firefox may be the current clear winner when it comes to spyware/security concerns, its success will be its downfall.

      Soon Firefox users will be a big enough percentage of the global browser market to become a viable target. It will only be a matter of time before spyware and virus authors are giving the latest Firefox build just as much of their special kind of attention as the latest offering from Microsoft.

      That's not to say that microsoft hasn't built in certain "features" which mean its browser is fundamentally less secure, but if there's one thing I have learned from using the internet, it's that all software is considered secure until the first major vulnerability is discovered.

  9. Security by halltk1983 · · Score: 5, Funny

    Hrm... wonder how long it takes Microsoft to come out with a statement saying FF is becoming less secure, as they are taking out security functions.

    --
    Watch for Penguins, they eat Apples and throw rocks at Windows.
  10. Isn't a big deal... by GoNINzo · · Score: 4, Informative
    You can disable SSL 2.0 right now. Go to Tools | Options | Advanced | Security and you can turn it off. I think they might just be turning it off by default now instead of having it default to on. Yes, it might break a few sites, but those might have some questionable security anyway if they haven't updated since 1996.

    You can do the same thing in IE by going to Tools | Options | Advanced | Security. What is kind of amusing is that TLS 1.0 seems to be off for me. Not that I use it but still... heh

    Anyway, if you're worried about it breaking a site you *must* use, try disabling it.

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
    1. Re:Isn't a big deal... by praseodym · · Score: 1

      SSL2.0 is checked off for me though, in a clean Firefox install. So I think they will go further than only that.

    2. Re:Isn't a big deal... by GoNINzo · · Score: 1

      Yeah, they are doing the first step of dropping the install default, and then they plan to drop the code entirely so they don't have to update it every time they make a change.

      --
      Gonzo Granzeau
      "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
    3. Re:Isn't a big deal... by Bargearse · · Score: 1

      By default, IE6 has TLS 1.0 switched off, and SSL 2.0 and 3.0 switched on.

      --
      "Don't break my arse, my bargey wargey arse, I don't think my pants would understand..."
  11. Positive by Red+Flayer · · Score: 4, Interesting

    Good move by Mozilla.

    At the very least, this has prompted more attention to the fact that SSL 2.0 is not so secure.

    Even if some sites continue to use it, it is never a bad idea to bring attention to a flawed security system when a fix is easily available.

    Of course, some of us now might have to have two legacy browsers installed in order to use all the sites we want to (IE & an older FF) -- unless SSL 2.0 is reversibly disabled.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    1. Re:Positive by PornMaster · · Score: 1

      Well, if the failure mode is relatively silent, i.e. "It's just broken. I hate my computer. I'm getting a Mac.", then you haven't brought more attention to the problem.

      Fail loudly, blaming the other side for their lack of concern for data security. That's the way to bring about change.

    2. Re:Positive by Red+Flayer · · Score: 1

      "Fail loudly, blaming the other side for their lack of concern for data security. That's the way to bring about change."

      Or get media attention, and customers who contact you demanding a change.

      The stimulus for change doesn't have to be painful... but it helps!

      --
      "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
    3. Re:Positive by Bert64 · · Score: 1

      It is noisy, it says that it cannot communicate with the remote site because SSL 2.0 is disabled, tho it could be more clear about why SSL 2.0 is a bad idea, as the current error message will just encourage people to turn it back on.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  12. Disable It by Anonymous Coward · · Score: 0

    Keep it but just disable it.

    Has anyone done tests to see if servers still use SSL2?

    1. Re:Disable It by DJCater · · Score: 4, Informative

      I can confirm that there are at least 100 sites out there that use SSL 2.0 only.

      A few examples follow (turn off SSL 2 to see the problems):

      https://secure.muttluks.com./
      https://www.wilmerhalealumni.com./
      https://www.burinka.cz./

      --
      Sig Appended to the end of comments you post. 120 chars.
    2. Re:Disable It by Anonymous Coward · · Score: 0

      Up until last year, the Network Solutions website would only work with SSL 2.

  13. Have been surfing with SSL 2.0 disabled for years by swimgeek · · Score: 4, Informative

    At least since 2002. Haven't had a problem with a single major site, including banks and financial institutions. I also wonder when the support for TLS 1.1 will be incorporated.

    --
    I would like to change the world,
    but they won't tell me the source code.
  14. Great by Anonymous Coward · · Score: 0

    It'll make more space for SVG ;-)

  15. Look out for your interests ... by Anonymous Coward · · Score: 2, Informative

    Here's how you can make sure the sites you're interested in will still work after the upgrade.

    The link posted in that site won't display the problem -- visit the wiki to display the problem (https://register.btinternet.com/ is a current offender).

  16. That's nice and all by JediTrainer · · Score: 1, Offtopic

    And I love Firefox. I do. And I try to get everyone I know using it.

    But would it kill the developers to fix one really annoying, yet increasingly serious bug?

    I'm speaking of large file download support. I ran across this when trying to download the Knoppix 4 DVD, which is 3GB, to a filesystem that supports files up to 4GB. Basically it starts downloading fine, but after the first two GB the progress bar goes wonky (reading negative file size downloaded) and the file on disk gets corrupted. I guess it's a signed int problem or somesuch.

    I checked with Bugzilla (no link from /. allowed) and indeed, this sucker is confirmed and has been known for over a year.

    Yeah, yeah, I know BT is better except I was downloading at work where the firewall won't let me use that. But it was shameful that I ended up having to use IE to download that .iso file.

    --

    You can accomplish anything you set your mind to. The impossible just takes a little longer.
    1. Re:That's nice and all by Anonymous Coward · · Score: 0

      it sounds like the 2GB file system limits

    2. Re:That's nice and all by Anonymous Coward · · Score: 1, Informative

      wget and ftp are your friends

    3. Re:That's nice and all by diegocgteleline.es · · Score: 1

      I checked with Bugzilla (no link from /. allowed)

      That doesn't mean you can't put it here so other people can contribute: https://bugzilla.mozilla.org/show_bug.cgi?id=228968

      You know, this is what open source is for - you can help and fix it yourself, the Mozilla Foundation may not have enough programmers to solve those bugs...

    4. Re:That's nice and all by slavemowgli · · Score: 3, Interesting

      The problem with Mozilla is that they're so swamped with bugs that some developers at least seem to have stopped caring about *any* bugs at all whatsoever anymore - to the point where they will not only not fix them, but actively try to prevent others from fixing them. Give bug 18574 a look some time, for example...

      Unfortunately, there's not really much you can do. Firefox *is* wildly popular, so those at the top of the Mozilla foundation (Asa Dotzler etc.) don't even realise that some things are going wrong - they've stopped listening to the people, just like Microsoft has, after convincing themselves that those who disagree are just a small bunch of disgruntled nay-sayers. Considering Firefox' popularity, that's not a difficult thing to do, but it's still wrong - you should always listen to your users.

      Unfortunately, it seems that Mozilla is heading further in this direction, with the creation of a new for-profit company that's supposed to take over from the non-profit organisation and all that. I fear that this will be used as an excuse to listen to the actual users even less - and I don't doubt that this new incarnation of Netscape (which is what it'll be, essentially) will reward Asa and co with a nice monthly sum for the whole thing, too.

      In the end, what it really boils down to is PR vs. the actual product - if PR (i.e., telling people that your product is good) is more important than actually *making* your product good, everyone loses. The only exception are those at the top of the pyramid who make money that way - but the actual users will lose out, and that's even sadder when you consider that projects with more PR will usually attract more users, too.

      Microsoft (Windows), Mozilla, MySQL - this is what they all have in common. They're all not really all that great at what they're supposed to do, but there's so much PR that they're still successful. And unlike with Windows and MySQL, where you have Linux/*BSD and PostgreSQL as free and better alternatives, there seems to be no real alternative to Mozilla - Opera is payware, Konqueror only runs on Linux/KDE, Safari is for OS X etc. Where is the free, no-crap browser for Windows? There seems to be none.

      --
      quidquid latine dictum sit altum videtur.
    5. Re:That's nice and all by a11 · · Score: 0

      it sounds like you need to get hooked on phonics. he explicitly said his fs supports up to 4gb. and that IE wrote the file fine on the same fs. and that you're a fucking dumbass.

    6. Re:That's nice and all by Anonymous Coward · · Score: 0

      I know about 10 big websites that a few years ago didn't support any browsers other than IE. Now all of them support alternative browsers as well. And Firefox is the reason for this. So if Firefox hasn't done anything else good, it has made the web a little better place to live.

      I suffered from one major bug in Firefox also. You know what they did for that? They fixed it. I also suffered from another bug, you know what happened with that? They fixed it. I also suffered from poor update system, guess what they have in beta 1 and upcoming 1.5 version? That's right, improved update system. So they do listen and they do fix bugs. But it is impossible to fix all the bugs and it is impossible to please everyone.

    7. Re:That's nice and all by jonadab · · Score: 3, Insightful

      > The problem with Mozilla is that they're so swamped with bugs that some
      > developers at least seem to have stopped caring about *any* bugs at all
      > whatsoever anymore - to the point where they will not only not fix them,
      > but actively try to prevent others from fixing them. Give bug 18574 a
      > look some time, for example...

      If this bug is typical of the sort of thing you're complaining about, go soak your head. If it were me, I'd have closed that bug as NOTABUG aeons ago. There are an infinite number of bizarroid image formats out there that, for one reason or another (in some cases good reasons, in some cases not, but that is neither here nor there) have not become important or common on the web. MNG is an ideal example and practically a case study in irrelevancy; it has been languishing in irrelevancy for years and shows absolutely ZERO signs of EVER breaking out of that and gaining any significant mindshare or import. The component owner is absolutely right to exclude this sort of nonsense. Mozilla is *not* primarily an image viewer; it is primarily a web browser, so the image formats it should support are ones that are *used on the web*, not every single obscure image format someone thinks is cool. (And that's quite aside from the fact that the main selling point of MNG is that it supports animation, something right-thinking people have been wanting to rid the web of since some misguided cretinous loser decided to introduce looping animated GIFs in Netscape 2.0; the only thing worse than animations on the web was the <blink> tag, may it rest in pieces.)

      You speak of preventing bugs from being fixed, but if this is what you're talking about, you should speak of preventing irrelevant features that aren't even vaguely web-related from being needlessly introduced into a web browser.

      --
      Cut that out, or I will ship you to Norilsk in a box.
    8. Re:That's nice and all by dolphinling · · Score: 2, Insightful

      It's a troll, but I'll bite and see if I can get a free worm.

      This is just wrong. A bit of research (http://weblogs.mozillazine.org/asa/, http://planet.mozilla.org/) shows that the developers, including Asa, routinely listen to users and often ask for comments. And from the point of view of an insider (bugs I've reported: 55), developers respond quickly and helpfully to anyone who isn't wasting their time, and even those who are but do it in a courteous way.

      A few other specific points: the Mozilla Corporation is not for-profit. Nothing about a corporation says it has to be. It merely falls under business laws, making it easier for other businesses to interact with Mozilla.

      And with respect to bug 18574, it's the one about MNG support. To quote a few things from the bug:

      However, MNG inclusion won't even be considered until there is true reason to include it. According to some numbers I believe I saw at libmng or png.org/pub/mng, the number of MNG/JNG images ranges in the hundreds or the low thousands. Period. Worldwide. Ever. Almost all of these images are also set up as testcases, not as practical media on sites.

      It's not something that'll likely change going forward, unless MNG support is really low cost (i.e. not 200-300k). At 50-80k the case becomes stronger, of course. The "if you support it, they will come" argument is weak, since we did support this for three years and the content didn't come.

      --
      There are 11 types of people in the world: those who can count in binary, and those who can't.
    9. Re:That's nice and all by Blakey+Rat · · Score: 1

      I think Safari might have been more convincing. After all, Windows users *can* use IE when they need to, but Macintosh users have three choices: Opera, Firefox, and Safari. Since Safari is the system default browser, that's what 95% of Mac users use. I would wager most sites redesigned after IE for Mac was discontinued to keep their Mac-using customers. I could be wrong, of course.

    10. Re:That's nice and all by hkmwbz · · Score: 1

      "we did support this for three years and the content didn't come"

      Yeah, back when no one knew about Mozilla (Firefox). But now Firefox is all over the place, and can make a difference. Lousy argument.

      Not that I necessarily think the original poster is right when he whines about this non-bug (it's asking for a new feature, not reporting something that doesn't work as designed).

      --
      Clever signature text goes here.
    11. Re:That's nice and all by Dave2+Wickham · · Score: 1

      There are a few counter-examples off the top of my head for that; my bank and mlb.com both support Firefox but not Safari. Pearson VUE also mention Firefox but not Safari (click on the "Sign In" link). I've also seen quite a few people still using IE on OSX (it still works). Not that I'm saying that you're wrong, it's just that it seems to me to be happening as Firefox gets bigger.

  17. Re:Have been surfing with SSL 2.0 disabled for yea by Timesprout · · Score: 1

    What you do in your spare time at the beach is your concern. We are interested only in how disabling SSL 2.0 affects our web browsing.

    --
    Do not try to read the dupe, that's impossible. Instead, only try to realize the truth
    What truth?
    There is no dupe
  18. why remove it? by PureCreditor · · Score: 1

    by keeping SSL 2.0, you maintain backward compatibility for virtually zero cost

    the code-bloat related to SSL 2.0 must be tiny relative to other portions, such as Gecko

    besides, Mozilla can always offload SSL 2.0 into a DLL module which doesn't need to be loaded unless a SSL 2.0 site is encountered, thus minimizing memory utilization

    and if the SSL 2.0 module conflicts with a new feature, then they should decide whether it's worth the extra effort to keep SSL 2.0 around. but for now, the status quo will do.

    1. Re:why remove it? by Anonymous Coward · · Score: 0

      Please, please know what you're talking about before speaking.

      (1) "disable support" certainly means *keeping* SSL 2.0 code but disabling it by default in the prefs

      (2) i never heard of DLLs on Windows or Linux

      (3) there are loads more but just RTFA and know what u talk about.

    2. Re:why remove it? by Anonymous Coward · · Score: 0

      > (2) i never heard of DLLs on Windows or Linux

      Windows = .DLL
      Linux = .so

    3. Re:why remove it? by Anders · · Score: 4, Informative

      by keeping SSL 2.0, you maintain backward compatibility for virtually zero cost

      The problem is that SSL 2.0 servers will hang on a 3.0 handshake. So the 2.0 handshake is tried first.

      Meaning that for servers configured to respond to both 2.0 and 3.0, you end up using the worst one. So that is the non-zero cost they try to avoid.

    4. Re:why remove it? by cehf2 · · Score: 1

      You don't end up using the worst SSL version, a well written server will use the best common SSL version.

      The SSL handshake is a multi-step process; it is only the initial 'ClientHello' record that is in the SSLv2 format. Inside that record is information telling the server the maximum SSL version the client supports. The SSL server will then respond with an SSLv3 (or TLS) 'ServerHello' record, and from that point on, the server and client will complete the SSLv3 handshake.

      There aren't any security problems in leading with an SSLv2 ClientHello message; the only problems come from when the server only supports SSLv2 and so an SSLv2 handshake has to be completed.

      If you don't believe me on any of this, download ethereal or ssldump and see what SSL version each of the encoded SSL records is returned as.
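To make concrete what the two replies above (Anders on servers that answer both 2.0 and 3.0, cehf2 on the SSLv2-format ClientHello carrying the client's maximum version) are describing, here is an added example in Python that is not Mozilla, NSS or any poster's code. It parses both wire formats of a ClientHello (the SSLv2-compatible one from RFC 5246 Appendix E.2 and the SSLv3/TLS record-layer one), reports the highest version the client advertises and which cipher specs are SSLv2-only, and then applies the "highest common version" rule to show when the handshake continues as SSL 3.0/TLS, when it falls back to a pure SSL 2.0 handshake, and when there is no common version at all. The sample hellos are constructed in the block itself; the server version lists are assumed inputs.

```python
"""Parse SSL/TLS ClientHello messages and work out which version a server would pick.
Added example for this thread; not Mozilla/NSS code.  Handles two wire formats:
  * SSLv2-compatible ClientHello (RFC 5246 App. E.2): 2-byte length with the high
    bit set, msg_type 0x01, client's highest version, then 3-byte cipher specs;
  * SSLv3/TLS record-layer ClientHello: 5-byte record header (0x16, version, length)
    wrapping a handshake message whose body starts with client_version.
"""
import struct

VERSION_NAMES = {
    (0, 2): "SSL 2.0",   # SSLv2 encodes its own version as 0x0002
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}


def version_name(version):
    return VERSION_NAMES.get(tuple(version), "unknown %d.%d" % tuple(version))


def build_v2_client_hello(client_max, cipher_specs, challenge=bytes(16)):
    """Constructed sample: an SSLv2-format CLIENT-HELLO advertising client_max."""
    body = (b"\x01" + bytes(client_max)
            + struct.pack(">HHH", len(cipher_specs) * 3, 0, len(challenge))
            + b"".join(cipher_specs) + challenge)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body


def build_v3_client_hello(client_version, suites):
    """Constructed sample: a minimal SSLv3/TLS ClientHello without extensions."""
    body = (bytes(client_version) + bytes(32) + b"\x00"     # version, random, empty session id
            + struct.pack(">H", 2 * len(suites))
            + b"".join(struct.pack(">H", s) for s in suites)
            + b"\x01\x00")                                  # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def parse_client_hello(data):
    """Describe a captured ClientHello: wire format, highest client version, ciphers."""
    if len(data) < 2:
        raise ValueError("too short to be a ClientHello")
    if data[0] & 0x80:          # SSLv2 2-byte header, no padding
        return _parse_v2(data)
    if data[0] == 0x16:         # TLS record content type: handshake
        return _parse_v3(data)
    raise ValueError("not a ClientHello in either format")


def _parse_v2(data):
    length = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + length]
    if len(body) != length or length < 9 or body[0] != 0x01:
        raise ValueError("malformed SSLv2 CLIENT-HELLO")
    cs_len, sid_len, ch_len = struct.unpack(">HHH", body[3:9])
    if 9 + cs_len + sid_len + ch_len != length or cs_len % 3:
        raise ValueError("SSLv2 CLIENT-HELLO length fields do not add up")
    specs = body[9:9 + cs_len]
    ciphers = [specs[i:i + 3] for i in range(0, cs_len, 3)]
    return {
        "format": "SSLv2-compatible",
        "client_max_version": (body[1], body[2]),
        "cipher_specs": ciphers,
        # a 3-byte spec starting 0x00 carries an SSLv3/TLS suite inside the v2 format
        "v2_only_ciphers": [c for c in ciphers if c[0] != 0x00],
    }


def _parse_v3(data):
    if len(data) < 5:
        raise ValueError("truncated record header")
    rec_len = struct.unpack(">H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) != rec_len or len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("malformed handshake record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35 or 4 + len(body) != len(hs):
        raise ValueError("truncated ClientHello body")
    pos = 35 + body[34]                      # skip version, random, session id
    if pos + 2 > len(body):
        raise ValueError("truncated cipher_suites field")
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    suites = body[pos + 2:pos + 2 + cs_len]
    if len(suites) != cs_len or cs_len % 2:
        raise ValueError("bad cipher_suites field")
    return {
        "format": "SSLv3/TLS record",
        "record_version": (data[1], data[2]),
        "client_max_version": (body[0], body[1]),
        "cipher_specs": [suites[i:i + 2] for i in range(0, cs_len, 2)],
        "v2_only_ciphers": [],
    }


def choose_version(client_max, server_versions):
    """Highest version the server supports that does not exceed the client's maximum."""
    common = [tuple(v) for v in server_versions if tuple(v) <= tuple(client_max)]
    return max(common) if common else None


def handshake_outcome(hello, server_versions):
    """What happens after this hello, given the versions the (assumed) server supports."""
    chosen = choose_version(hello["client_max_version"], server_versions)
    if chosen is None:
        return "handshake fails: no common version"
    if chosen == (0, 2):
        return "continues as SSL 2.0 handshake"
    return "server answers with %s ServerHello" % version_name(chosen)


if __name__ == "__main__":
    hello = parse_client_hello(build_v2_client_hello((3, 1), [b"\x00\x00\x2f", b"\x01\x00\x80"]))
    print(hello["format"], version_name(hello["client_max_version"]), hello["v2_only_ciphers"])
    print(handshake_outcome(hello, [(3, 0), (3, 1)]))   # modern server: TLS 1.0 ServerHello
    print(handshake_outcome(hello, [(0, 2)]))           # SSLv2-only server: stays on SSL 2.0
```

The v2-format hello only tells you the client's ceiling; which protocol the connection actually ends up on depends on the server's list, which is why `handshake_outcome` takes both. A server that only speaks SSL 2.0 is what drags an otherwise modern client down, and a client whose own maximum is (0, 2) gets no connection at all from a server that has dropped 2.0, which is the failure the thread is discussing.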

  19. fixed in firefox 1.5? by diegocgteleline.es · · Score: 1

    ------- Additional Comment #127 From Christian Biesinger (:bi) 2005-04-05 16:53 PDT [reply] -------

    checked in. firefox and seamonkey should work.

    bug 288585 is for camino
    bug 289214 for embedding/browser/cocoa
    bug 289216 for photon
    bug 289218 for powerplant

    Bug 289219 for not QIing mInner in nsDownloadProxy (toolkit)
    Bug 289220 for not QIing mInner in nsDownloadProxy (xpfe)

    Bug 289221 for making exthandler an nsIProgressEventSink.

    Marking FIXED!

  20. Bugzilla entry and sites listed at Wiki by jjMick · · Score: 1

    The Mozilla community has a separate Bugzilla entry at https://bugzilla.mozilla.org/show_bug.cgi?id=76162 . However, sites tested (SSL2 turned off via the Tools menu) after May '05 are listed on the http://wiki.mozilla.org/Necko:SSL_v2_Sites Wiki page.

  21. You might think I'm kidding... by Stecco · · Score: 1

    ...but to log in on the wi-fi network of my university (http://www.polito.it/) SSL 2.0 is required. The fun part is that we HAVE an IT department, and they TEACH us that SSL 2.0 is deprecated... but obviously the brilliant minds of our teachers are better employed elsewhere... (and we buy rubbish from third parties)

  22. I would assume... by Kr3m3Puff · · Score: 2, Insightful

    That the desire to remove the technology also makes the job of testing easier, especially when dealing with security-related code; I am sure that testing of this is more of an annoyance. People expect it to be secure and unexploitable. Then you can focus your development and patches on new code.

    This isn't just about making stuff compatible for the users. Then the developers can focus on MSIE quirks mode rendering instead of SSL 2.0!

    --
    D.O.U.O.S.V.A.V.V.M.
  23. This is news? by KhaZ · · Score: 2, Insightful

    Sorry, maybe I'm missing something:

    But why is it a big deal that they're upgrading?

    I thought this was a news site: not freshmeat or version tracker.

    Is there some other item of importance here that I'm missing?

    --
    - - - -

    KickingDragon

  24. Me too by Anonymous Coward · · Score: 0
    Except it's been since 1995. It might be because I never buy anything online. Not that I'd ever trust the Internet for anything secure, such as money transactions.

    Try the standalone OffByOne browser with the "Fake SSL" setting enabled. It seems to get me in just about anywhere....

  25. Actually... by kula.shinoda · · Score: 1

    They were asking for people to submit sites that still use SSL 2, and they had found a mere 2000 left that people actually used that still used it (down from 10000 when they began this push).

    --
    Real men don't write sigs
  26. Amen by Anonymous Coward · · Score: 0

    I agree that some of the developers refuse to fix some easy, but annoying bugs. One of them is the Backspace issue, also known as World War III. It would not be difficult to give the users the option to make the Backspace key behave properly (page up instead of going to a previous page in the browser's history.) But they will not listen. I could very well jump to Opera, which has the ability to fix key mappings, especially now that they gave out free registrations recently....

    1. Re:Amen by Anonymous Coward · · Score: 0

      Try the keyconfig extension.

  27. Opera is your answer by Anonymous Coward · · Score: 0
    Where is the free, no-crap browser for Windows? There seems to be none.

    Opera is free, that is, if you took advantage of the free registrations they gave out last week.

  28. RSA by jd · · Score: 1
    RSA sucks on performance, which is why most people only use it to encrypt secret keys. If you want to use public-key encryption for actual data, you're probably better off with Elliptic Curves or HFEs. (Unfortunately, HFEs are plastered with patents - despite being a class of functions - so you can't use them in Free or Open Source Software. Elliptic Curves are available for use, however.)

    The complete list of public-key encryption algorithms in general use is as follows. (There will be others, they just aren't in any kind of general use in the public or private sectors.)

    • HFE
    • NTRU
    • Elliptic Curve Ciphers
    • RSA
    • XTR

    As for those who replied arguing that sweeping statements are always wrong (at least, those who did so seriously), I would refer you to the Liar's Paradox. After which, apply your statement to itself. Those who replied as a joke, already aware of the absurdity, I would remind you this is Slashdot and therefore subtle humour may well escape many readers.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
  29. I always disable it, does no harm AFAICT by Paul+Crowley · · Score: 1

    I nearly always switch this off when I'm fiddling with the preferences on the browser. Haven't found anything it doesn't work with so far...

  30. There's a tiny hole the size of an iceburg in your by Safety+Cap · · Score: 1
    argument:

    Apache has 70% of the market, IIS has about 20%, yet the former has only two unpatched holes.

    Since Apache is more popular (by 3 1/2 times), you'd think it would have 3 1/2 unpatched vulnerabilities, eh?

    --
    Yeah, right.
  31. Ecommerce Developer by justinpfister · · Score: 1

    How will this affect our websites? Do we have to make sure the company that provides the SSL uses SSL 3.0?

    --
    Is this serious?
  32. Good by ChiralSoftware · · Score: 3, Insightful
    When you have a situation where 99% of the sites on the net have upgraded, you have two basic options:

    1. Keep on supporting them forever.
    2. Stop supporting them and force them to upgrade.

    #2 is usually the right thing to do. It's especially right in this case. Every single line of code that processes remote user input (i.e., every line of SSL and any other web server code) could potentially contain a security vulnerability. Developers are not actively working on this antique code so bugs will be left there, perhaps forever. If you're looking for holes, abandoned code is a good place to look. This is similar to the Linux vulnerability not long ago where there was some obscure bug in the processing of a.out files that let binaries escalate. Well, we don't use a.out format anymore. We use ELF format and have for years, so no one was paying attention to that antique code. It should have been removed from the kernel, but it wasn't.

    The second issue is that OpenSSL is maintained by volunteers. I'd rather have them working to make a small set of features perfect, instead of wasting time on dead code that almost no one is using. Would you rather have the GCC crew working on improving Java or Fortran support?

  33. Re:There's a tiny hole the size of an iceburg in y by ChatHuant · · Score: 2, Funny

    Apache has 70% of the market, IIS has about 20%, yet the former has only two unpatched holes.

    Since Apache is more popular (by 3 1/2 times), you'd think it would have 3 1/2 unpatched vulnerabilities, eh?


    So Apache 2 has had 27 Secunia advisories, with 2 still unpatched, and IIS 6 has only had 3, of which one is still unpatched. Seems to support the GP's theory pretty well. Your point?

  34. Re:There's a tiny hole the size of an iceburg in y by the_womble · · Score: 1

    The advisories are grouped by version no. IIS has been through more versions than Apache so the vulnerabilities are more spread out.

    Given that Apache 1.x is still being developed (and is more widely used) I think we can regard that as a product in itself. Compare that against the IIS 4 through to 6 and you get 12 for Apache against 14 for IIS. Furthermore all the IIS ones are remotely exploitable.

    So far in 2005 there has been one advisory each for Apache 1.3 and IIS 6. There have been 4 for Apache 2 (the least widely used of the three), which is presumably because it is less mature than the other two. Each of them has one unpatched vulnerability.

    IIS did do better than Apache in 2003 to 2004 in terms of the number of vulnerabilities. However if you look at the criticality of vulnerabilities IIS 5 had two "highly critical" vulnerabilities and one "extremely critical", while Apache 1.3 and Apache 2.0 had one "highly critical" each.

  35. Re:There's a tiny hole the size of an iceburg in y by Bert64 · · Score: 1

    Bear in mind also, that beta versions of apache are publicly available for people to find bugs in, whereas all the security holes which get removed from beta versions of iis are kept secret.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
  36. Re:There's a tiny hole the size of an iceburg in y by cloudmaster · · Score: 1

    I still get hits from Code Red / etc infected IIS machines, years after the patch was very widely announced. Yet, possibly infectable machines make up less than 1/5 of the Internet...