Slashdot Mirror


Firefox Moving On From SSL 2.0

Juha-Matti Laurio writes "Plans are afoot to remove support for SSL version 2.0 in Mozilla Firefox, reports the MozillaZine portal. The Mozilla Foundation is eager to disable support for SSL 2.0 and have all Firefox installations use only the newer and more secure SSL 3.0 and TLS 1.0 protocols." From the post: "Netscape Communications Corporation introduced SSL 2.0 with the launch of Netscape Navigator 1.0 in 1994. Netscape Navigator 2.0 included support for SSL 3.0 when it was released in 1996. The specification for TLS 1.0, essentially a standardized version of SSL 3.0 with some differences, was published in 1999."

8 of 131 comments

  1. Re:Online banking by AKAImBatman · · Score: 4, Informative

    In theory, it shouldn't break anything. SSL 2.0 is so old that it should have gone the way of the Dodo bird. The point of removing 2.0 from Firefox is to force an upgrade by anyone who might be lame enough to still be running such old and insecure technology.

  2. Isn't a big deal... by GoNINzo · · Score: 4, Informative

    You can disable SSL 2.0 right now. Go to Tools | Options | Advanced | Security and you can turn it off. I think they might just be turning it off by default now instead of having it default to on. Yes, it might break a few sites, but those might have some questionable security anyway if they haven't updated since 1996.

    You can do the same thing in IE by going to Tools | Options | Advanced | Security. What is kind of amusing is that TLS 1.0 seems to be off for me. Not that I use it but still... heh

    Anyway, if you're worried about it breaking a site you *must* use, try disabling it.

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
  3. Re:Online banking by bill_mcgonigle · · Score: 5, Informative

    How will this affect the end user? Will it break the online banking webs?

    No - to be a Visa affiliate (partner, whatever it's called) you can't even accept SSL 2.0 connections.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  4. Have been surfing with SSL 2.0 disabled for years by swimgeek · · Score: 4, Informative

    At least since 2002. Haven't had a problem with a single major site, including banks and financial institutions. I also wonder when the support for TLS 1.1 will be incorporated.

    --
    I would like to change the world,
    but they won't tell me the source code.
  5. Re:Don't remove it - just disable it. by Spy+Hunter · · Score: 5, Informative

    That *is* what they're going to do.

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  6. Re:Online banking by Tony+Hoyle · · Score: 4, Informative

    Co-operative Bank in the UK were SSLv2 only until only recently (~9 months ago IIRC), when they replaced their entire online site with a new one.

    When I queried it they said it was because their version of Java didn't support v3.

    I changed banks.

  7. Re:Disable It by DJCater · · Score: 4, Informative

    I can confirm that there are at least 100 sites out there that use SSL 2.0 only.

    A few examples follow (turn off SSL 2 to see the problems):

    https://secure.muttluks.com./
    https://www.wilmerhalealumni.com./
    https://www.burinka.cz./

    --
    Sig Appended to the end of comments you post. 120 chars.
  8. Re:why remove it? by Anders · · Score: 4, Informative

    by keeping SSL 2.0, you maintain backward compatibility for virtually zero-cost

    The problem is that SSL 2.0 servers will hang on a 3.0 handshake. So the 2.0 handshake is tried first.

    Meaning that for servers configured to respond to both 2.0 and 3.0, you end up using the worst one. So that is the non-zero cost they try to avoid.
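
Added example, not part of the original thread: the last comment turns on which hello format a client sends first, and the SSL 2.0 and SSL 3.0/TLS formats can be told apart from the first few bytes on the wire. The Python below classifies a hello for someone auditing which clients or probes still use SSL 2.0 framing; the function name and the sample byte strings are constructed for illustration.

```python
import struct

# Version field values as they appear on the wire.
VERSIONS = {0x0002: "SSL 2.0", 0x0300: "SSL 3.0", 0x0301: "TLS 1.0"}


def classify_client_hello(data: bytes) -> tuple:
    """Return (framing, offered_version) for the first bytes a client sends.

    framing is "sslv2" or "sslv3/tls"; offered_version is the protocol
    version advertised inside the hello. Hypothetical helper for this example.
    """
    if len(data) < 5:
        raise ValueError("too short to be a ClientHello")
    # SSL 2.0 framing: 2-byte header with the high bit set (15-bit length),
    # message type 1 (CLIENT-HELLO), then a 2-byte version.
    if data[0] & 0x80 and data[2] == 0x01:
        length = struct.unpack(">H", data[:2])[0] & 0x7FFF
        if length != len(data) - 2:
            raise ValueError("SSLv2 record length mismatch")
        (version,) = struct.unpack(">H", data[3:5])
        return "sslv2", VERSIONS.get(version, hex(version))
    # SSL 3.0/TLS framing: content type 0x16 (handshake), record version,
    # 2-byte length, handshake type 1, 3-byte length, 2-byte client_version.
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x01:
        (version,) = struct.unpack(">H", data[9:11])
        return "sslv3/tls", VERSIONS.get(version, hex(version))
    raise ValueError("not a ClientHello")


# Constructed sample hellos (zeroed challenge/random), not captured traffic.
# V2_BODY: cipher-spec length 3, session-id length 0, challenge length 16,
# one cipher spec (01 00 80), then a 16-byte challenge.
V2_BODY = "0003" "0000" "0010" "010080" + "00" * 16
SAMPLES = {
    "v2 only": bytes.fromhex("801c" "01" "0002" + V2_BODY),
    "v2 framing, offers 3.0": bytes.fromhex("801c" "01" "0300" + V2_BODY),
    "v3 record": bytes.fromhex(
        "160300002d" "01000029" "0300" + "00" * 32 + "00" "0002" "0004" "01" "00"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:24} -> {classify_client_hello(raw)}")
```

The second sample uses SSL 2.0 framing while advertising SSL 3.0 in its version field, which is why the framing and the offered version are reported separately.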