Firefox Moving On From SSL 2.0

Juha-Matti Laurio writes "Plans are afoot to remove support for SSL version 2.0 in Mozilla Firefox, reports MozillaZine portal. Mozilla Foundation is eager to disable support for SSL 2.0 and have all Firefox installations use only the newer and more secure SSL 3.0 and TLS 1.0 protocols." From the post: "Netscape Communications Corporation introduced SSL 2.0 with the launch of Netscape Navigator 1.0 in 1994. Netscape Navigator 2.0 included support for SSL 3.0 when it was released in 1996. The specification for TLS 1.0, essentially a standardized version of SSL 3.0 with some differences, was published in 1999."

Re:Online banking

[AKAImBatman]

In theory, it shouldn't break anything. SSL 2.0 is so old that it should have gone the way of the Dodo bird. The point of removing 2.0 from Firefox is to force an upgrade by anyone who might be lame enough to still be running such old and insecure technology.

Isn't a big deal...

[GoNINzo]

You can disable SSL 2.0 right now. Go to Tools | Options | Advanced | Security and you can turn it off. I think they might just be turning it off by default now instead of having it default to on. Yes, it might break a few sites, but those might have some questionable security anyway if they havn't updated since 1996.

You can do the same thing in IE by going to Tools | Options | Advanced | Security. What is kind of amusing is that TLS 1.0 seems to be off for me. Not that I use it but still... heh

Anyway, if you're worried about it breaking a site you *must* use, try disabling it.

Re:Online banking

[bill_mcgonigle]

How will this affect the end user? Will it break the online banking webs?

No - to be a Visa affiliate (partner, whatever its' called) you can't even accept SSL 2.0 connections.

Have been surfing with SSL 2.0 disabled for years

[swimgeek]

At least since 2002. Haven't had a problem with a single major site, including banks and financial institutions. I also wonder when the support for TLS 1.1 will be incorporated.

Look out for your interests ...

Here's how you can make sure the sites you're interested in will still work after the upgrade.

The link posted in that site won't display the problem -- visit the wiki to display the problem (https://register.btinternet.com/ is a current offender).

Re:Don't remove it - just disable it.

[Spy+Hunter]

That *is* what they're going to do.

Re:That's nice and all

wget and ftp are your friends

Re:Online banking

[Tony+Hoyle]

Co operative bank in the UK were SSLv2 only until only recently (~9 months ago IIRC), when they replaced their entire online site with a new one.

When I queried it they said it was because their version of java didn't support v3.

I change banks.

Re:Disable It

[DJCater]

I can confirm that there are at least 100 sites out there that use SSL 2.0 only.

A few examples follow (turn off SSL 2 to see the problems):

https://secure.muttluks.com./
https://www.wilmerhalealumni.com./
https://www.burinka.cz./

Re:Online banking

Tools -> Options -> Advanced -> Security

Uncheck SSL 2.0

Test away.

Re:Online banking

[dolphinling]

Go to about:config, right click and make a new boolean, name it wallet.crypto.autocompleteoverride, and set its value to 1 (or true).

The banks don't let it be the default, or even have it be a normal preference, but it's okay to have it be hidden like that.

Re:why remove it?

[Anders]

by keeping SSL 2.0, you maintain backward compatability for virtually zero-cost

The problem is that SSL 2.0 servers will hang on a 3.0 handshake. So the 2.0 handshake is tried first.

Meaning that for servers configured to respond to both 2.0 and 3.0, you end up using the worst one. So that is the non-zero cost they try to avoid.