Slashdot Mirror


Firefox Moving On From SSL 2.0

Juha-Matti Laurio writes "Plans are afoot to remove support for SSL version 2.0 in Mozilla Firefox, reports MozillaZine portal. Mozilla Foundation is eager to disable support for SSL 2.0 and have all Firefox installations use only the newer and more secure SSL 3.0 and TLS 1.0 protocols." From the post: "Netscape Communications Corporation introduced SSL 2.0 with the launch of Netscape Navigator 1.0 in 1994. Netscape Navigator 2.0 included support for SSL 3.0 when it was released in 1996. The specification for TLS 1.0, essentially a standardized version of SSL 3.0 with some differences, was published in 1999."

37 of 131 comments

  1. Online banking by Saiyine · · Score: 4, Interesting


    How will this affect the end user? Will it break the online banking webs?

    --
    Superb hosting 4800MB Storage, 120GB bandwidth, $7,95.
    Kunowalls!!! Random sexy wallpapers (NSFW!).

    --
    Hosting 20G hd, 1Tb bw! ssh $7.95
    1. Re:Online banking by daviqh · · Score: 2, Funny

      It shouldn't, and if it does, then the Mozilla Corporation will urge that they use SSL 3.0.

      --
      Microsoft is like...no, it's much worse.
    2. Re:Online banking by AKAImBatman · · Score: 4, Informative

      In theory, it shouldn't break anything. SSL 2.0 is so old that it should have gone the way of the Dodo bird. The point of removing 2.0 from Firefox is to force an upgrade by anyone who might be lame enough to still be running such old and insecure technology.

    3. Re:Online banking by elwin_windleaf · · Score: 2, Insightful

      I'm not sure if this is just my knee-jerk reaction from using old technology frequently, but when I hear "remove support" it usually gets associated with bad things in my mind...

    4. Re:Online banking by ergo98 · · Score: 3, Insightful

      SSL 2.0 is so old that it should have gone the way of the Dodo bird. The point of removing 2.0 from Firefox is to force an upgrade by anyone who might be lame enough to still be running such old and insecure technology.

      Good point. Hopefully they can catch the morons running TCP/IP and HTTP as well, those idiots.

    5. Re:Online banking by ergo98 · · Score: 5, Interesting

      So in this case, it SHOULD have been replaced due to its age, not to mention its insecurity.

      No, it should have been replaced due to its insecurity. Period.

      The age thing is the same sort of lame distraction that makes crypto-naives rush to whatever newly announced algorithm comes out, burning themselves when it is vetted and found to have dozens of weaknesses. Your original message clearly put all of the emphasis on the age factor, as if we all need to carbon-date all of the technologies we use to determine worthiness.

    6. Re:Online banking by Iriel · · Score: 4, Insightful

      Then again, there are some people that still work on standards older than dirt. I work for a company whose site still gets hits from people browsing with Netscape 3.0 Gold.

      Sometimes, I think one thing that holds Mozilla/Firefox back from wider adoption is the fact that many people are lazy enough to make a site only work in IE, and Firefox would break someone's favorite page as a result. It's the very standards we strive for that leave the masses lagging. I don't know what companies still use SSL2.0 for anything, but I don't doubt the existence of enough to make a developer cringe.

      --
      Perfecting Discordia
      www.stevenvansickle.com
    7. Re:Online banking by niney · · Score: 2, Insightful

      Mozilla isn't really in a position to be telling banks what to support. The banks will just block them out again if their browser doesn't do what they want. (Yes, I know, you can spoof your user agent string, but not everyone will do this)

      In the past, it's been the other way around, they had to support autocomplete=off (an IE tag) due to insistence from banks: (bugzilla link)

    8. Re:Online banking by AKAImBatman · · Score: 3, Insightful

      Let me put it this way: It should have been replaced due to its age in relation to the maturity of the newer versions available. Especially when compared with the insecurity of the old version vs. the proven security of the new version.

      Happy?

    9. Re:Online banking by bill_mcgonigle · · Score: 5, Informative

      How will this affect the end user? Will it break the online banking webs?

      No - to be a Visa affiliate (partner, whatever it's called) you can't even accept SSL 2.0 connections.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    10. Re:Online banking by Tony+Hoyle · · Score: 4, Informative

      Co-operative Bank in the UK were SSLv2 only until recently (~9 months ago IIRC), when they replaced their entire online site with a new one.

      When I queried it they said it was because their version of java didn't support v3.

      I changed banks.

    11. Re:Online banking by AdamWeeden · · Score: 2, Insightful

      I think one thing that holds Mozilla/Firefox back from wider adoption is the fact that many people are lazy enough to make a site only work in IE

      In some cases it isn't a decision of laziness, but of business. My former employer (a web development firm) determined the web share that non-IE browsers got for one of our clients. It was only 5%. They then determined how much business that client did per year and figured out how many extra hours (and thus extra cost to the client) it would take to make the features we were developing acceptable to alternative browsers (FF/Netscape/Mozilla/Opera/etc.). The cost outweighed the extra profit, so we developed IE-centric solutions.

      Keep in mind I say this as someone who uses Firefox almost exclusively.

      --
      I was quoted out of context in my autobiography...
    12. Re:Online banking by Cally · · Score: 3, Funny
      SSL 2.0 is so old that it should have gone the way of the Dodo bird.
      The game was up when a Bond villain, discovering that it's trivial to hack some top secret installation, says contemptuously "*pffft*, they're using SSL - version two." And that was in 1997.
      --
      "None are more hopelessly enslaved than those who falsely believe they are free." -- Goethe
    13. Re:Online banking by bunratty · · Score: 3, Insightful

      Of course, now that non-IE browsers are used three times as much as then, the extra profit should be three times greater and probably now outweighs the cost. Making the site compliant with non-IE browsers now will probably only cost more than it would have to support them to begin with, and the profit the site could have been making all this time from users of those browsers is now lost. It would have been more profitable to support non-IE browsers from the start, rather than reverse the decision to support IE.

      --
      What a fool believes, he sees, no wise man has the power to reason away.
    14. Re:Online banking by dolphinling · · Score: 3, Informative

      Go to about:config, right click and make a new boolean, name it wallet.crypto.autocompleteoverride, and set its value to 1 (or true).

      The banks don't let it be the default, or even have it be a normal preference, but it's okay to have it be hidden like that.

      --
      There are 11 types of people in the world: those who can count in binary, and those who can't.
  2. Don't remove it - just disable it. by caluml · · Score: 3, Insightful

    Why remove - why not just disable, and make it an entry in a config file to re-enable it? I'm all for removing any software that is insecure, but this might cause trouble for users trying to access sites. It's all about choice, people.

    1. Re:Don't remove it - just disable it. by Spy+Hunter · · Score: 5, Informative

      That *is* what they're going to do.

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  3. Oh the heartbreak by infonography · · Score: 5, Funny

    All the good times we have shared with SSL 2.0, now they will be gone. SSL 2.0 will be locked in its room sobbing and won't come out for a week. Well Firefox, I hope you're satisfied, go on! Go off with your new friends, see if SSL 2.0 cares.

    Oh, and SSL 2.0 wants its ring back, otherwise there will be a messy lawsuit.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
  4. Re:Good by AKAImBatman · · Score: 4, Insightful

    Ooo! You're right! We better tell people to stop using RSA and HTTP immediately!

    Be careful about such sweeping statements, please. They're more often wrong than right. And I know of quite a few people who are happy that RSA is finally out of patent protection. :-)

  5. Re:Good by ergo98 · · Score: 4, Insightful

    If this technology is 11 years old, then I don't think anyone would like to use it today. Especially if it's an encryption standard.

    RSA was designed in 1977.

    Age means absolutely nothing (for any technology), and instead any calls for replacement need to detail exactly what the weaknesses are and how they've been resolved in newer variants.

  6. Supporting the latest by LegendOfLink · · Score: 5, Funny

    What always amazes me about the Mozilla Foundation is the push to support the newest and latest.

    Now everybody might be thinking this is good for security and all; but I like it because of other reasons: namely because it allows to me exude tech eliteness amongst normal Windows users. Yep, I'm serious. I'm an IT admin, and people will tell me, "Dude, how do I stop spyware?" What do I say?

    I preach Firefoxism and nobody can argue back. What can they say? Um, IE has really awesome, um...Active-something controls...which causes the spyware in my computer to make my machine inoperable...um...yeah. It's great. And no matter what Microsoft puts out, it'll always be one step behind! Thanks Mozilla!

  7. Security by halltk1983 · · Score: 5, Funny

    Hrm... wonder how long it takes Microsoft to come out with a statement saying FF is becoming less secure, as they are taking out security functions.

    --
    Watch for Penguins, they eat Apples and throw rocks at Windows.
  8. Isn't a big deal... by GoNINzo · · Score: 4, Informative
    You can disable SSL 2.0 right now. Go to Tools | Options | Advanced | Security and you can turn it off. I think they might just be turning it off by default now instead of having it default to on. Yes, it might break a few sites, but those might have some questionable security anyway if they haven't updated since 1996.

    You can do the same thing in IE by going to Tools | Options | Advanced | Security. What is kind of amusing is that TLS 1.0 seems to be off for me. Not that I use it but still... heh

    Anyway, if you're worried about it breaking a site you *must* use, try disabling it.

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
  9. Positive by Red+Flayer · · Score: 4, Interesting

    Good move by Mozilla.

    At the very least, this has prompted more attention to the fact that SSL 2.0 is not so secure.

    Even if some sites continue to use it, it is never a bad idea to bring attention to a flawed security system when a fix is easily available.

    Of course, some of us now might have to have two legacy browsers installed in order to use all the sites we want to (IE & an older FF) -- unless SSL 2.0 is reversibly disabled.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  10. Have been surfing with SSL 2.0 disabled for years by swimgeek · · Score: 4, Informative

    At least since 2002. Haven't had a problem with a single major site, including banks and financial institutions. I also wonder when the support for TLS 1.1 will be incorporated.

    --
    I would like to change the world,
    but they won't tell me the source code.
  11. Look out for your interests ... by Anonymous Coward · · Score: 2, Informative
    Here's how you can make sure the sites you're interested in will still work after the upgrade.

    The link posted in that site won't display the problem -- visit the wiki to display the problem (https://register.btinternet.com/ is a current offender).

  12. Re:Good by Dachannien · · Score: 2, Insightful

    I've been using POP to fetch my e-mail from the same address for 11 years.

  13. Re:That's nice and all by slavemowgli · · Score: 3, Interesting

    The problem with Mozilla is that they're so swamped with bugs that some developers at least seem to have stopped caring about *any* bugs at all whatsoever anymore - to the point where they will not only not fix them, but actively try to prevent others from fixing them. Give bug 18574 a look some time, for example...

    Unfortunately, there's not really much you can do. Firefox *is* wildly popular, so those at the top of the Mozilla Foundation (Asa Dotzler etc.) don't even realise that some things are going wrong - they've stopped listening to the people, just like Microsoft has, after convincing themselves that those who disagree are just a small bunch of disgruntled nay-sayers. Considering Firefox's popularity, that's not a difficult thing to do, but it's still wrong - you should always listen to your users.

    Unfortunately, it seems that Mozilla is heading further in this direction, with the creation of a new for-profit company that's supposed to take over from the non-profit organisation and all that. I fear that this will be used as an excuse to listen to the actual users even less - and I don't doubt that this new incarnation of Netscape (which is what it'll be, essentially) will reward Asa and co with a nice monthly sum for the whole thing, too.

    In the end, what it really boils down to is PR vs. the actual product - if PR (i.e., telling people that your product is good) is more important than actually *making* your product good, everyone loses. The only exception are those at the top of the pyramid who make money that way - but the actual users will lose out, and that's even sadder when you consider that projects with more PR will usually attract more users, too.

    Microsoft (Windows), Mozilla, MySQL - this is what they all have in common. They're all not really all that great at what they're supposed to do, but there's so much PR that they're still successful. And unlike with Windows and MySQL, where you have Linux/*BSD and PostgreSQL as free and better alternatives, there seems to be no real alternative to Mozilla - Opera is payware, Konqueror only runs on Linux/KDE, Safari is for OS X etc. Where is the free, no-crap browser for Windows? There seems to be none.

    --
    quidquid latine dictum sit altum videtur. (Whatever is said in Latin sounds profound.)
  14. Re:Disable It by DJCater · · Score: 4, Informative

    I can confirm that there are at least 100 sites out there that use SSL 2.0 only.

    A few examples follow (turn off SSL 2 to see the problems):

    https://secure.muttluks.com./
    https://www.wilmerhalealumni.com./
    https://www.burinka.cz./

    --
    Sig Appended to the end of comments you post. 120 chars.
  15. Re:Good by DA-MAN · · Score: 2

    I've been using POP to fetch my e-mail from the same address for 11 years.

    Oh, I'm so sorry. . .

    Maybe you should look into IMAP! :)

    --
    Can I get an eye poke?
    Dog House Forum
  16. I would assume... by Kr3m3Puff · · Score: 2, Insightful

    That the desire to remove the technology also makes the job of testing easier, especially when dealing with security-related code; I am sure that testing of this is more of an annoyance. People expect it to be secure and unexploitable. Then you can focus your development and patches on new code.

    This isn't just about making stuff compatible for the users. Then the developers can focus on MSIE quirks mode rendering instead of SSL 2.0!

    --
    D.O.U.O.S.V.A.V.V.M.
  17. This is news? by KhaZ · · Score: 2, Insightful

    Sorry, maybe I'm missing something:

    But why is it a big deal that they're upgrading?

    I thought this was a news site: not freshmeat or version tracker.

    Is there some other item of importance here that I'm missing?

    --
    - - - -

    KickingDragon

  18. Re:That's nice and all by jonadab · · Score: 3, Insightful

    > The problem with Mozilla is that they're so swamped with bugs that some
    > developers at least seem to have stopped caring about *any* bugs at all
    > whatsoever anymore - to the point where they will not only not fix them,
    > but actively try to prevent others from fixing them. Give bug 18574 a
    > look some time, for example...

    If this bug is typical of the sort of thing you're complaining about, go soak your head. If it were me, I'd have closed that bug as NOTABUG aeons ago. There are an infinite number of bizarroid image formats out there that, for one reason or another (in some cases good reasons, in some cases not, but that is neither here nor there) have not become important or common on the web. MNG is an ideal example and practically a case study in irrelevancy; it has been languishing in irrelevancy for years and shows absolutely ZERO signs of EVER breaking out of that and gaining any significant mindshare or import. The component owner is absolutely right to exclude this sort of nonsense. Mozilla is *not* primarily an image viewer; it is primarily a web browser, so the image formats it should support are ones that are *used on the web*, not every single obscure image format someone thinks is cool. (And that's quite aside from the fact that the main selling point of MNG is that it supports animation, something right-thinking people have been wanting to rid the web of since some misguided cretinous loser decided to introduce looping animated GIFs in Netscape 2.0; the only thing worse than animations on the web was the <blink> tag, may it rest in pieces.)

    You speak of preventing bugs from being fixed, but if this is what you're talking about, you should speak of preventing irrelevant features that aren't even vaguely web-related from being needlessly introduced into a web browser.

    --
    Cut that out, or I will ship you to Norilsk in a box.
  19. Re:That's nice and all by dolphinling · · Score: 2, Insightful

    It's a troll, but I'll bite and see if I can get a free worm.

    This is just wrong. A bit of research (http://weblogs.mozillazine.org/asa/, http://planet.mozilla.org/) shows that the developers, including Asa, routinely listen to users and often ask for comments. And from the point of view of an insider (bugs I've reported: 55), developers respond quickly and helpfully to anyone who isn't wasting their time, and even to those who are but do it in a courteous way.

    A few other specific points: the Mozilla Corporation is not for-profit. Nothing about a corporation says it has to be. It merely falls under business laws, making it easier for other businesses to interact with Mozilla.

    And with respect to bug 18574, it's the one about MNG support. To quote a few things from the bug:

    However, MNG inclusion won't even be considered until there is true reason to include it. According to some numbers I believe I saw at libmng or png.org/pub/mng, the number of MNG/JNG images ranges in the hundreds or the low thousands. Period. Worldwide. Ever. Almost all of these images are also set up as testcases, not as practical media on sites.

    It's not something that'll likely change going forward, unless MNG support is really low cost (i.e. not 200-300k). At 50-80k the case becomes stronger, of course. The "if you support it, they will come" argument is weak, since we did support this for three years and the content didn't come.

    --
    There are 11 types of people in the world: those who can count in binary, and those who can't.
  20. Re:why remove it? by Anders · · Score: 4, Informative

    by keeping SSL 2.0, you maintain backward compatibility for virtually zero cost

    The problem is that SSL 2.0 servers will hang on a 3.0 handshake. So the 2.0 handshake is tried first.

    Meaning that for servers configured to respond to both 2.0 and 3.0, you end up using the worst one. So that is the non-zero cost they try to avoid.
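
The two first flights Anders is describing, as an added example that is not part of the original thread or of Mozilla's code. The message layouts follow the SSL 2.0 and SSL 3.0/TLS 1.0 specifications: an SSL 2.0 CLIENT-HELLO (2-byte record header with the high bit set, 3-byte cipher kinds) versus an SSL 3.0/TLS record (content type 0x16, 2-byte cipher suites). A client that wants to work against a v2-only server sends the v2 format first but puts a 3.x version number in it, which is why the server, not the client, ends up deciding how weak the connection gets. The same builders double as the "does this site still work" check the earlier comments were doing by hand: `probe()` sends one hello to a host you name and classifies the first bytes back (no reply means the server hung, the behaviour attributed to v2-only servers above). All byte strings in the tests are constructed, and the host name is whatever the reader supplies on the command line.

```python
"""SSL 2.0 vs SSL 3.0/TLS 1.0 ClientHello: build, classify, probe.
Added example, not from the original thread. Layouts follow the SSL 2.0
and SSL 3.0/TLS 1.0 specifications; no TLS extensions are sent."""
import socket
import struct

# SSL 2.0 CIPHER-KIND codes (3 bytes each) from the SSL 2.0 specification.
SSL2_CIPHERS = {
    b"\x01\x00\x80": "SSL2_RC4_128_WITH_MD5",
    b"\x02\x00\x80": "SSL2_RC4_128_EXPORT40_WITH_MD5",
    b"\x03\x00\x80": "SSL2_RC2_128_CBC_WITH_MD5",
    b"\x04\x00\x80": "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    b"\x05\x00\x80": "SSL2_IDEA_128_CBC_WITH_MD5",
    b"\x06\x00\x40": "SSL2_DES_64_CBC_WITH_MD5",
    b"\x07\x00\xc0": "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}


def build_ssl2_client_hello(version=(0, 2), challenge=b"\x11" * 16) -> bytes:
    """SSL 2.0 CLIENT-HELLO. version=(3, 1) gives the 'v2-compatible' hello a
    v3/TLS-capable client sends first so that v2-only servers do not hang."""
    specs = b"".join(SSL2_CIPHERS)
    body = (b"\x01"                                   # MSG-CLIENT-HELLO
            + bytes(version)                          # CLIENT-VERSION
            + struct.pack(">HHH", len(specs), 0, len(challenge))
            + specs + challenge)                      # no session id
    # 2-byte record header: high bit set => 15-bit length, no padding
    return struct.pack(">H", 0x8000 | len(body)) + body


def build_tls_client_hello(version=(3, 1), suites=(0x002F, 0x000A, 0x0005),
                           client_random=b"\x22" * 32) -> bytes:
    """SSL 3.0/TLS 1.0 record carrying a ClientHello handshake message."""
    suite_bytes = b"".join(struct.pack(">H", s) for s in suites)
    body = (bytes(version) + client_random
            + b"\x00"                                 # empty session id
            + struct.pack(">H", len(suite_bytes)) + suite_bytes
            + b"\x01\x00")                            # compression: null only
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack(">H", len(handshake)) + handshake


def classify_hello(data: bytes) -> dict:
    """Tell the two first-flight formats apart and extract what they offer."""
    if len(data) >= 9 and data[0] & 0x80 and data[2] == 0x01:
        body = data[2:2 + (((data[0] & 0x7F) << 8) | data[1])]
        cs_len = struct.unpack(">H", body[3:5])[0]
        specs = body[9:9 + cs_len]                    # after the three u16 lengths
        ciphers = [SSL2_CIPHERS.get(specs[i:i + 3], specs[i:i + 3].hex())
                   for i in range(0, cs_len, 3)]
        return {"format": "sslv2", "version": (body[1], body[2]), "ciphers": ciphers}
    if len(data) >= 44 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        body = data[9:]                               # past record + handshake headers
        pos = 35 + body[34]                           # skip version, random, session id
        cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
        suites = struct.unpack(">%dH" % (cs_len // 2), body[pos + 2:pos + 2 + cs_len])
        return {"format": "sslv3/tls", "version": (body[0], body[1]),
                "ciphers": ["0x%04x" % s for s in suites]}
    raise ValueError("not an SSL 2.0 or SSL 3.0/TLS ClientHello")


def classify_server_response(data: bytes) -> str:
    """What the first bytes back from a server mean for this probe."""
    if not data:
        return "no response"                          # v2-only servers hang on a v3 hello
    if data[0] & 0x80 and len(data) >= 3 and data[2] == 0x04:
        return "sslv2 server-hello"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:
        return "sslv3/tls server-hello version %d.%d" % (data[9], data[10])
    if data[0] == 0x15:
        return "tls alert"
    return "unrecognized"


def probe(host: str, port: int = 443, hello: bytes = b"", timeout: float = 5.0) -> str:
    """Send one hello to a live server and classify the reply (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(hello or build_ssl2_client_hello())
        try:
            reply = sock.recv(4096)
        except socket.timeout:                        # the 'hang' case
            reply = b""
    return classify_server_response(reply)


if __name__ == "__main__":
    import sys
    for hello in (build_ssl2_client_hello(), build_ssl2_client_hello(version=(3, 1)),
                  build_tls_client_hello()):
        print(classify_hello(hello))
    if len(sys.argv) > 1:                             # usage: python probe.py host
        print("sslv2 hello ->", probe(sys.argv[1]))
        print("tls hello   ->", probe(sys.argv[1], hello=build_tls_client_hello()))
```

Run with a host name to see both probes against it: a server that answers the v2 hello with "sslv2 server-hello" still accepts SSL 2.0; one that answers the TLS hello with "no response" is the v2-only case that made clients try the v2 format first. Note that the v2-compatible hello announces TLS 1.0 but can only carry SSL 2.0 cipher kinds, which is the cost Anders points to: against a server that speaks both, the weaker protocol is what gets negotiated.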

  21. Good by ChiralSoftware · · Score: 3, Insightful
    When you have a situation where 99% of the sites on the net have upgraded, you have two basic options:
    1. Keep on supporting them forever.
    2. Stop supporting them and force them to upgrade.
    #2 is usually the right thing to do. It's especially right in this case. Every single line of code that processes remote user input (ie, every line of SSL and any other web server code) could potentially contain a security vulnerability. Developers are not actively working on this antique code so bugs will be left there, perhaps forever. If you're looking for holes, abandoned code is a good place to look. This is similar to the Linux vulnerability not long ago where there was some obscure bug in the processing of a.out files that let binaries escalate. Well, we don't use a.out format anymore. We use ELF format and have for years, so no one was paying attention to that antique code. It should have been removed from the kernel, but it wasn't.

    The second issue is that OpenSSL is maintained by volunteers. I'd rather have them working to make a small set of features perfect, instead of wasting time on dead code that almost no one is using. Would you rather have the GCC crew working on improving Java or Fortran support?

  22. Re:There's a tiny hole the size of an iceburg in y by ChatHuant · · Score: 2, Funny

    Apache has 70% of the market, IIS has about 20%, yet the former has only two unpatched holes.

    Since Apache is more popular (by 3 1/2 times), you'd think it would have 3 1/2 unpatched vulnerabilities, eh?


    So Apache 2 has had 27 Secunia advisories, with 2 still unpatched, and IIS 6 has only had 3, of which one is still unpatched. Seems to support the GP's theory pretty well. Your point?