Slashdot Mirror


Firefox Moving On From SSL 2.0

Juha-Matti Laurio writes "Plans are afoot to remove support for SSL version 2.0 in Mozilla Firefox, reports MozillaZine portal. Mozilla Foundation is eager to disable support for SSL 2.0 and have all Firefox installations use only the newer and more secure SSL 3.0 and TLS 1.0 protocols." From the post: "Netscape Communications Corporation introduced SSL 2.0 with the launch of Netscape Navigator 1.0 in 1994. Netscape Navigator 2.0 included support for SSL 3.0 when it was released in 1996. The specification for TLS 1.0, essentially a standardized version of SSL 3.0 with some differences, was published in 1999."

9 of 131 comments

  1. Don't remove it - just disable it. by caluml · Score: 3, Insightful

    Why remove - why not just disable, and make it an entry in a config file to re-enable it? I'm all for removing any software that is insecure, but this might cause trouble for users trying to access sites. It's all about choice, people.

  2. Re:Online banking by ergo98 · Score: 3, Insightful

    SSL 2.0 is so old that it should have gone the way of the Dodo bird. The point of removing 2.0 from Firefox is to force an upgrade by anyone who might be lame enough to still be running such old and insecure technology.

    Good point. Hopefully they can catch the morons running TCP/IP and HTTP as well, those idiots.

  3. Re:Good by AKAImBatman · Score: 4, Insightful

    Ooo! You're right! We better tell people to stop using RSA and HTTP immediately!

    Be careful about such sweeping statements, please. They're more often wrong than right. And I know of quite a few people who are happy that RSA is finally out of patent protection. :-)

  4. Re:Good by ergo98 · Score: 4, Insightful

    If this technology is 11 years old, then I don't think anyone would like to use it today. Especially if it's an encryption standard.

    RSA was designed in 1977.

    Age means absolutely nothing (for any technology), and instead any calls for replacement need to detail exactly what the weaknesses are and how they've been resolved in newer variants.

  5. Re:Online banking by Iriel · Score: 4, Insightful

    Then again, there are some people that still work on standards older than dirt. I work for a company whose site still gets hits from people browsing with Netscape 3.0 Gold.

    Sometimes, I think one thing that holds Mozilla/Firefox back from wider adoption is the fact that many people are lazy enough to make a site only work in IE, and Firefox would break someone's favorite page as a result. It's the very standards we strive for that leave the masses lagging. I don't know what companies still use SSL2.0 for anything, but I don't doubt the existence of enough to make a developer cringe.

    --
    Perfecting Discordia
    www.stevenvansickle.com

  6. Re:Online banking by AKAImBatman · Score: 3, Insightful

    Let me put it this way: It should have been replaced due to its age in relation to the maturity of the newer versions available. Especially when compared with the insecurity of the old version vs. the proven security of the new version.

    Happy?

  7. Re:That's nice and all by jonadab · Score: 3, Insightful

    > The problem with Mozilla is that they're so swamped with bugs that some
    > developers at least seem to have stopped caring about *any* bugs at all
    > whatsoever anymore - to the point where they will not only not fix them,
    > but actively try to prevent others from fixing them. Give bug 18574 a
    > look some time, for example...

    If this bug is typical of the sort of thing you're complaining about, go soak your head. If it were me, I'd have closed that bug as NOTABUG aeons ago. There are an infinite number of bizarroid image formats out there that, for one reason or another (in some cases good reasons, in some cases not, but that is neither here nor there) have not become important or common on the web. MNG is an ideal example and practically a case study in irrelevancy; it has been languishing in irrelevancy for years and shows absolutely ZERO signs of EVER breaking out of that and gaining any significant mindshare or import. The component owner is absolutely right to exclude this sort of nonsense. Mozilla is *not* primarily an image viewer; it is primarily a web browser, so the image formats it should support are ones that are *used on the web*, not every single obscure image format someone thinks is cool. (And that's quite aside from the fact that the main selling point of MNG is that it supports animation, something right-thinking people have been wanting to rid the web of since some misguided cretinous loser decided to introduce looping animated GIFs in Netscape 2.0; the only thing worse than animations on the web was the <blink> tag, may it rest in pieces.)

    You speak of preventing bugs from being fixed, but if this is what you're talking about, you should speak of preventing irrelevant features that aren't even vaguely web-related from being needlessly introduced into a web browser.

    --
    Cut that out, or I will ship you to Norilsk in a box.

  8. Re:Online banking by bunratty · Score: 3, Insightful

    Of course, now that non-IE browsers are used three times as much as then, the extra profit should be three times greater and probably now outweighs the cost. Making the site compliant with non-IE browsers now will probably only cost more than it would have to support them to begin with, and the profit the site could have been making all this time from users of those browsers is now lost. It would have been more profitable to support non-IE browsers from the start, rather than reverse the decision to support IE.

    --
    What a fool believes, he sees, no wise man has the power to reason away.

  9. Good by ChiralSoftware · Score: 3, Insightful

    When you have a situation where 99% of the sites on the net have upgraded, you have two basic options:
    1. Keep on supporting them forever.
    2. Stop supporting them and force them to upgrade.
    #2 is usually the right thing to do. It's especially right in this case. Every single line of code that processes remote user input (i.e., every line of SSL and any other web server code) could potentially contain a security vulnerability. Developers are not actively working on this antique code so bugs will be left there, perhaps forever. If you're looking for holes, abandoned code is a good place to look. This is similar to the Linux vulnerability not long ago where there was some obscure bug in the processing of a.out files that let binaries escalate. Well, we don't use a.out format anymore. We use ELF format and have for years, so no one was paying attention to that antique code. It should have been removed from the kernel, but it wasn't.

    The second issue is that OpenSSL is maintained by volunteers. I'd rather have them working to make a small set of features perfect, instead of wasting time on dead code that almost no one is using. Would you rather have the GCC crew working on improving Java or Fortran support?