Slashdot Mirror


Firefox Moving On From SSL 2.0

Juha-Matti Laurio writes "Plans are afoot to remove support for SSL version 2.0 in Mozilla Firefox, reports MozillaZine portal. Mozilla Foundation is eager to disable support for SSL 2.0 and have all Firefox installations use only the newer and more secure SSL 3.0 and TLS 1.0 protocols." From the post: "Netscape Communications Corporation introduced SSL 2.0 with the launch of Netscape Navigator 1.0 in 1994. Netscape Navigator 2.0 included support for SSL 3.0 when it was released in 1996. The specification for TLS 1.0, essentially a standardized version of SSL 3.0 with some differences, was published in 1999."


  1. Online banking by Saiyine · · Score: 4, Interesting


    How will this affect the end user? Will it break the online banking webs?

    1. Re:Online banking by AKAImBatman · · Score: 4, Informative

      In theory, it shouldn't break anything. SSL 2.0 is so old that it should have gone the way of the Dodo bird. The point of removing 2.0 from Firefox is to force an upgrade by anyone who might be lame enough to still be running such old and insecure technology.

    2. Re:Online banking by ergo98 · · Score: 5, Interesting

      So in this case, it SHOULD have been replaced due to its age, not to mention its insecurity.

      No, it should have been replaced due to its insecurity. Period.

      The age thing is the same sort of lame distraction that makes crypto-naives rush to whatever newly announced algorithm comes out, burning themselves when it is vetted and found to have dozens of weaknesses. Your original message clearly put all of the emphasis on the age factor as if we all need to carbon date all of the technologies we use to determine worthiness.

    3. Re:Online banking by Iriel · · Score: 4, Insightful

      Then again, there are some people that still work on standards older than dirt. I work for a company whose site still gets hits from people browsing with Netscape 3.0 Gold.

      Sometimes, I think one thing that holds Mozilla/Firefox back from wider adoption is the fact that many people are lazy enough to make a site only work in IE, and Firefox would break someone's favorite page as a result. It's the very standards we strive for that leave the masses lagging. I don't know what companies still use SSL2.0 for anything, but I don't doubt the existence of enough to make a developer cringe.

      --
      Perfecting Discordia
      www.stevenvansickle.com
    4. Re:Online banking by bill_mcgonigle · · Score: 5, Informative

      How will this affect the end user? Will it break the online banking webs?

      No - to be a Visa affiliate (partner, whatever it's called) you can't even accept SSL 2.0 connections.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    5. Re:Online banking by Tony+Hoyle · · Score: 4, Informative

      Co operative bank in the UK were SSLv2 only until only recently (~9 months ago IIRC), when they replaced their entire online site with a new one.

      When I queried it they said it was because their version of java didn't support v3.

      I changed banks.

  2. Oh the heartbreak by infonography · · Score: 5, Funny

    All the good times we have shared with SSL 2.0 now they will be gone. SSL 2.0 will be locked in its room sobbing and won't come out for a week. Well Firefox, I hope you're satisfied, go on! Go off with your new Friends, see if SSL 2.0 cares.

    Oh and SSL 2.0 wants its ring back, otherwise there will be a messy lawsuit.

    --
    Sorry about the writing. Robot fingers, you know? Cliff Steele in DOOM PATROL #23
  3. Re:Good by AKAImBatman · · Score: 4, Insightful

    Ooo! You're right! We better tell people to stop using RSA and HTTP immediately!

    Be careful about such sweeping statements, please. They're more often wrong than right. And I know of quite a few people who are happy that RSA is finally out of patent protection. :-)

  4. Re:Good by ergo98 · · Score: 4, Insightful

    If this technology is 11 years old, then I don't think anyone would like to use it today. Especially if it's encryption standard.

    RSA was designed in 1977.

    Age means absolutely nothing (for any technology), and instead any calls for replacement need to detail exactly what the weaknesses are and how they've been resolved in newer variants.

  5. Supporting the latest by LegendOfLink · · Score: 5, Funny

    What always amazes me about the Mozilla Foundation is the push to support the newest and latest.

    Now everybody might be thinking this is good for security and all; but I like it because of other reasons: namely because it allows me to exude tech eliteness amongst normal Windows users. Yep, I'm serious. I'm an IT admin, and people will tell me, "Dude, how do I stop spyware?" What do I say?

    I preach Firefoxism and nobody can argue back. What can they say? Um, IE has really awesome, um...Active-something controls...which causes the spyware in my computer to make my machine inoperable...um...yeah. It's great. And no matter what Microsoft puts out, it'll always be one step behind! Thanks Mozilla!

  6. Security by halltk1983 · · Score: 5, Funny

    Hrm... wonder how long it will take Microsoft to come out with a statement saying FF is becoming less secure, as they are taking out security functions.

    --
    Watch for Penguins, they eat Apples and throw rocks at Windows.
  7. Isn't a big deal... by GoNINzo · · Score: 4, Informative

    You can disable SSL 2.0 right now. Go to Tools | Options | Advanced | Security and you can turn it off. I think they might just be turning it off by default now instead of having it default to on. Yes, it might break a few sites, but those might have some questionable security anyway if they haven't updated since 1996.

    You can do the same thing in IE by going to Tools | Options | Advanced | Security. What is kind of amusing is that TLS 1.0 seems to be off for me. Not that I use it but still... heh

    Anyway, if you're worried about it breaking a site you *must* use, try disabling it.

    --
    Gonzo Granzeau
    "Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
  8. Positive by Red+Flayer · · Score: 4, Interesting

    Good move by Mozilla.

    At the very least, this has prompted more attention to the fact that SSL 2.0 is not so secure.

    Even if some sites continue to use it, it is never a bad idea to bring attention to a flawed security system when a fix is easily available.

    Of course, some of us now might have to have two legacy browsers installed in order to use all the sites we want to (IE & an older FF) -- unless SSL 2.0 is reversibly disabled.

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  9. Have been surfing with SSL 2.0 disabled for years by swimgeek · · Score: 4, Informative

    At least since 2002. Haven't had a problem with a single major site, including banks and financial institutions. I also wonder when the support for TLS 1.1 will be incorporated.

    --
    I would like to change the world,
    but they won't tell me the source code.
  10. Re:Don't remove it - just disable it. by Spy+Hunter · · Score: 5, Informative

    That *is* what they're going to do.

    --
    main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  11. Re:Disable It by DJCater · · Score: 4, Informative

    I can confirm that there are at least 100 sites out there that use SSL 2.0 only.

    A few examples follow (turn off SSL 2 to see the problems):

    https://secure.muttluks.com./
    https://www.wilmerhalealumni.com./
    https://www.burinka.cz./

    --
    Sig Appended to the end of comments you post. 120 chars.
  12. Re:why remove it? by Anders · · Score: 4, Informative

    by keeping SSL 2.0, you maintain backward compatibility for virtually zero-cost

    The problem is that SSL 2.0 servers will hang on a 3.0 handshake. So the 2.0 handshake is tried first.

    Meaning that for servers configured to respond to both 2.0 and 3.0, you end up using the worst one. So that is the non-zero cost they try to avoid.
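
The handshake-ordering point in the last comment can be checked from the first bytes a client sends: an SSL 2.0-framed CLIENT-HELLO and an SSL 3.0/TLS record look different on the wire. The following is an added example, not part of the thread; the function names and sample bytes are constructed for illustration.

```python
import struct

# Wire versions named in the story: (major, minor) bytes -> protocol name.
VERSIONS = {(0, 2): "SSL 2.0", (3, 0): "SSL 3.0", (3, 1): "TLS 1.0"}

def classify_client_hello(data: bytes) -> dict:
    """Report how a client's first handshake message is framed and the
    highest protocol version it offers."""
    if len(data) < 11:
        raise ValueError("need at least 11 bytes of the first flight")
    # SSL 2.0 framing: 2-byte header with the high bit set, then
    # message type 1 (CLIENT-HELLO), version and three 16-bit lengths.
    if data[0] & 0x80 and data[2] == 0x01:
        rec_len = ((data[0] & 0x7F) << 8) | data[1]
        major, minor, specs, sid, chal = struct.unpack(">BBHHH", data[3:11])
        # Cipher specs are 3 bytes each; 9 = type + version + 3 lengths.
        if specs % 3 or 9 + specs + sid + chal != rec_len:
            raise ValueError("inconsistent SSL 2.0 CLIENT-HELLO lengths")
        framing = "SSL 2.0"
    # SSL 3.0 / TLS framing: record type 22 (handshake), record version,
    # 16-bit length, handshake type 1 (ClientHello), 24-bit length, version.
    elif data[0] == 0x16 and data[1] == 3 and data[5] == 0x01:
        major, minor = data[9], data[10]
        framing = "SSL 3.0/TLS"
    else:
        raise ValueError("not a ClientHello")
    offered = VERSIONS.get((major, minor), f"unknown {major}.{minor}")
    return {"framing": framing, "offered": offered}

def build_v2_hello(version, cipher_specs, challenge=b"\x00" * 16):
    """Constructed sample generator: an SSL 2.0-framed CLIENT-HELLO."""
    body = (b"\x01" + bytes(version)
            + struct.pack(">HHH", len(cipher_specs), 0, len(challenge))
            + cipher_specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body

# Constructed samples (not captures from any real client).
V2_ONLY = build_v2_hello((0, 2), bytes.fromhex("010080 0700c0"))
V2_COMPAT = build_v2_hello((3, 0), bytes.fromhex("010080 00000a"))
TLS10 = (bytes.fromhex("16 03 01 00 2d 01 00 00 29 03 01") + bytes(32)
         + bytes.fromhex("00 0002 000a 01 00"))

if __name__ == "__main__":
    for name, sample in [("v2 only", V2_ONLY), ("v2-compatible", V2_COMPAT),
                         ("TLS 1.0", TLS10)]:
        print(name, classify_client_hello(sample))
```

A client with SSL 2.0 disabled should only ever produce the third kind of hello; the first two are the ones an SSL 2.0-capable server can still answer.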