SSL2 Must Die: Help Wanted

We’ve been working on making it possible to turn off SSL version 2 (an older, more insecure version of the SSL protocol) in Firefox. We’ve already had one big success, with the number of SSL2-only sites dropping from around 10,000 to around 2,000 after a large ISP reconfigured their servers. But there are no more big wins.

I’ve obtained a list of the most popular sites which are SSL2-only. I am looking for volunteers to help with the task of checking that the list is correct, grouping it by company, ISP and netblock, and getting in touch with the relevant admins to ask them to fix the configuration of their servers. Please email me if you can spare a few hours for this.
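Checking that a site really is SSL2-only is harder than it sounds today, because current SSL libraries (OpenSSL, Python's `ssl` module) no longer speak SSLv2 at all, so the check has to be done with hand-built handshake messages on a raw socket. The following is an added example by the editor, not Gerv's or Mozilla's code: it builds an SSLv2 CLIENT-HELLO and a minimal SSLv3 CLIENT-HELLO from the protocol specifications, classifies whatever comes back, and calls a server "SSL2-only" when the v2 hello gets a SERVER-HELLO and the v3 hello gets an alert, a closed connection, or (as the comments below note is typical of SSL2-only servers) no reply at all before the timeout. The sample server replies are constructed inline so the classification logic can be exercised offline; `probe()` is the only function that touches the network, and any hostname you pass to it is your own assumption.

```python
"""Raw-socket SSLv2-only probe (added illustration; not part of the original post).

SSLv2 records use a 2-byte header (bit 15 set, 15-bit length); message layouts
follow the SSL 2.0 draft.  Sample replies below are constructed, not captured.
"""
import os
import socket
import struct

# The seven SSLv2 cipher kinds (3 bytes each) from the SSL 2.0 draft.
SSLV2_CIPHERS = [
    b"\x01\x00\x80",  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80",  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # SSL_CK_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]
MSG_ERROR, MSG_CLIENT_HELLO, MSG_SERVER_HELLO = 0, 1, 4


def sslv2_record(payload: bytes) -> bytes:
    """Wrap payload in a 2-byte SSLv2 record header (bit 15 set, no padding byte)."""
    assert len(payload) < 0x8000
    return struct.pack(">H", 0x8000 | len(payload)) + payload


def sslv2_client_hello(challenge: bytes = None) -> bytes:
    """SSLv2 CLIENT-HELLO: version 0x0002, all seven cipher kinds, empty session id."""
    challenge = challenge if challenge is not None else os.urandom(16)
    specs = b"".join(SSLV2_CIPHERS)
    body = struct.pack(">BHHHH", MSG_CLIENT_HELLO, 0x0002,
                       len(specs), 0, len(challenge)) + specs + challenge
    return sslv2_record(body)


def sslv3_client_hello(random32: bytes = None) -> bytes:
    """Minimal SSLv3 CLIENT-HELLO: one cipher suite, null compression, no extensions."""
    random32 = random32 if random32 is not None else os.urandom(32)
    hello = (struct.pack(">H", 0x0300) + random32 + b"\x00"   # version, random, empty session id
             + struct.pack(">H", 2) + b"\x00\x0a"             # SSL_RSA_WITH_3DES_EDE_CBC_SHA
             + b"\x01\x00")                                   # one compression method: null
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello  # handshake type 1 = client_hello
    return b"\x16\x03\x00" + struct.pack(">H", len(handshake)) + handshake


def classify(response: bytes) -> str:
    """Label what a server sent back to one of the hellos above."""
    if not response:
        return "no-response"  # closed or timed out; SSL2-only servers tend to hang on an SSLv3 hello
    if response[0] in (0x15, 0x16) and len(response) >= 3 and response[1] == 0x03:
        kind = "handshake" if response[0] == 0x16 else "alert"
        return f"sslv3/tls-{kind} v{response[1]}.{response[2]}"
    if response[0] & 0x80:  # 2-byte SSLv2 header (3-byte padded headers are not handled here)
        body = response[2:]
        if len(body) >= 11 and body[0] == MSG_SERVER_HELLO:
            (version,) = struct.unpack(">H", body[3:5])
            return f"sslv2-server-hello v{version}"
        if body and body[0] == MSG_ERROR:
            return "sslv2-error"
        return "sslv2-unknown"
    return "not-ssl"


def sslv2_server_ciphers(response: bytes) -> list:
    """Cipher kinds offered in an SSLv2 SERVER-HELLO (empty list if it is not one)."""
    if not response or not response[0] & 0x80:
        return []
    body = response[2:]
    if len(body) < 11 or body[0] != MSG_SERVER_HELLO:
        return []
    cert_len, specs_len = struct.unpack(">HH", body[5:9])  # CERTIFICATE-LENGTH, CIPHER-SPECS-LENGTH
    specs = body[11 + cert_len:11 + cert_len + specs_len]
    return [specs[i:i + 3] for i in range(0, len(specs) // 3 * 3, 3)]


def verdict(sslv2_reply: bytes, sslv3_reply: bytes) -> str:
    """Combine both probes: "SSL2-only" means the v2 hello is answered and the v3 hello is not."""
    v2_ok = classify(sslv2_reply).startswith("sslv2-server-hello")
    v3_ok = classify(sslv3_reply).startswith("sslv3/tls-handshake")
    if v2_ok and not v3_ok:
        return "ssl2-only"
    if v2_ok and v3_ok:
        return "ssl2-and-ssl3"
    if v3_ok:
        return "ssl3-or-tls"
    return "undetermined"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Send each hello on a fresh connection (needs network); the timeout is what catches hangs."""
    replies = []
    for hello in (sslv2_client_hello(), sslv3_client_hello()):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(hello)
                replies.append(s.recv(4096))
        except OSError:
            replies.append(b"")
    return verdict(*replies)


# Constructed sample reply: SSLv2 SERVER-HELLO, version 2, a 5-byte placeholder
# "certificate", two cipher kinds, 16-byte connection id.  Not captured traffic.
_CERT = b"\x30\x03\x02\x01\x01"
_SPECS = b"\x01\x00\x80" + b"\x07\x00\xc0"
SAMPLE_SSLV2_SERVER_HELLO = sslv2_record(
    struct.pack(">BBBHHHH", MSG_SERVER_HELLO, 0, 1, 0x0002, len(_CERT), len(_SPECS), 16)
    + _CERT + _SPECS + b"\x11" * 16)
SAMPLE_TLS_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"  # constructed: fatal protocol_version alert

if __name__ == "__main__":
    print(classify(SAMPLE_SSLV2_SERVER_HELLO), sslv2_server_ciphers(SAMPLE_SSLV2_SERVER_HELLO))
    print(verdict(SAMPLE_SSLV2_SERVER_HELLO, b""))
```

Two caveats for anyone running `probe()` against the list: a server that answers the SSLv2 hello with an SSLv3 record is negotiating upward and is not SSL2-only, and a "no-response" to the SSLv3 hello is only meaningful with the timeout in place, since an SSL2-only server will simply sit on the unfamiliar record rather than reject it.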

33 thoughts on “SSL2 Must Die: Help Wanted”

  1. I’ve had SSL2 disabled since your last blog post, and I haven’t had a single problem! Quite promising seeing as I’m on the Internet for at least 5 hours per day.

  2. Just a note. I just checked on my browser and it’s disabled by default. Although I got mine from the Gentoo package system. Maybe Mozilla still ships it enabled.

  3. I’ve been testing with the link you provided () and the others I found on your previous post, but I seem not to be able to switch off SSL2 support anymore!

    Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050831 Firefox/1.0+

  4. n/a, what would that accomplish? We want to get web sites to move away from these old protocols, not give them a reason to stay complacent.

  5. I’d prefer if Firefox popped up a warning if the site only supported SSL2 on the lines of “This site uses an older, less secure connection. Any data you submit may be at risk of being read by third parties. Do you wish to continue? (Yes/No)” . That might encourage more sysadmins to switch over, especially if all browser makers adopted this approach.

  6. But as there are only a few sites left that use it, surely it’s easier to try and make them all move onto SSL3.

    Once we’ve got enough people to drop it will it simply be turned off or removed completely?

  7. “I’d prefer if Firefox popped up a warning if the site only supported SSL2 on the lines of “This site uses an older, less secure connection. Any data you submit may be at risk of being read by third parties. Do you wish to continue? (Yes/No)” . That might encourage more sysadmins to switch over, especially if all browser makers adopted this approach.”

    And you’d have a lawsuit going in no time :). They would say that Firefox discriminates against their sites.

    Also, I think the problem was that it is not easy to detect that SSL3 is not supported (if it were, SSL2 could simply be used as a fallback and there would be no problem). So if you operate on a blacklist, you can’t first check whether it is still a problem, meaning that even after they fix their sites, users would still be given the warning.

    This gives them even less incentive to fix the problem, and indeed, makes Firefox discriminate against their sites.

    ~Grauw

  8. Firefox (actually, any non-text browser I’ve used) does the exact same thing when a user submits form data over a non-secure (http) connection. It’s usually turned off after the first warning so you don’t see it much. Now SSL 2 is more secure than a plain connection; however, there’s a relevant difference. With no secure connection, the users aren’t told that their data is secure at all. There is the popup above which is quite explicit that the data is not. However, with a secure connection, the users are told that their data is secure (the yellow address bar, the ubiquitous padlock) and none of them are going to have the know-how to realise that it might not be as secure as they are made to believe.

    Why would it be a problem if Firefox gives a warning about something? Whenever you go download an extension I get warning messages and such. There’s nothing amazing about it, it’s just good security practice when something is happening that might not be what the user expects.

  9. @Laurens Holst:

    > And you’d have a lawsuit going in no time :). They would say that Firefox discriminates against their sites.

    Nonsense. And this is legitimate discrimination, a security issue. Besides, browsers already show a warning when the certificate’s subject CN doesn’t match the URL domain.

  10. Gerv,

    Can you explain why it is a good idea to disable support for SSL v2. It’s an insecure protocol, but so is plaintext HTTP. What do we accomplish by disabling SSL v2? Why is disabling SSL v2 better than treating it as insecure in our UI?

  11. Darin: The choices are either
    * Make a small number of sites (2,000 at the moment) fall back from SSL2 to clear HTTP or fail, or;
    * Make a much larger number of sites (those that support both SSL2 and SSL3) fall back from SSL3 to SSL2.

    It is not possible to use SSL3 if available, but if not use SSL2.

  12. “It is not possible to use SSL3 if available, but if not use SSL2”

    Is this true? On the last entry on this topic Gerv said explicitly that Firefox will show a “clear worded” message if you turn SSL2 off and visit such a site. If such a warning is possible I can’t see why a fallback wouldn’t be possible.

  13. For what it’s worth, I have turned off ssl2 since I started using Mozilla in the pre-1.0 days and I never had any problems because of it.

  14. Darin: we could do that instead, sure. The point is, we want to stop displaying the connections the same as SSL3. And to minimise disruption, we’d like to make an effort to tell people to upgrade their servers first.

  15. tr, as I understand it, we can pop up an SSL2 notice after turning off SSL2 cuz we know we can’t connect via that method anymore. We can’t do so now cuz if you use an SSL3 handshake, an SSL2-only server would cause the connection to hang, forcing current browsers to connect via SSL2 even with SSL3-enabled servers.

  16. Turned out that my school was using SSL2, but a quick word to the other admins and it was resolved on the same day. I intend to keep this on to see if there are any other local sites that might require some reconfiguration.

  17. No SSL in Firefox

    Well, almost, at least. Heise and Golem report today that future versions of Firefox will have no support for SSL 2.0. This version was thought up by a developer at Netscape, and over time it was discovered here

  18. SSL v2 Must Die – Notice of Extinction to be issued

    A Notice of Extinction for prehistoric SSL v2 web servers is being typed up as we speak. This dinosaur should have been retired net-centuries ago, and it falls to Mozilla to clean up. In your browser, turn off SSL v2…

  19. Why the big rush to remove it? Just disable it by default, then if someone really needs to connect to an SSL2 site they will have to manually turn it back on.

  20. What’s new in the SSL/TLS engine of Opera 9?

    In Opera 9 Beta there are a lot of changes, as one expects from a major product release. Some of the changes (e.g. UI updates) are more apparent than other changes. Some of the major, but less obvious, changes have been done …

  21. Opera talks softly about user security

    Opera talks about security features in Opera 9. The good parts – they have totally rewritten their protocol engine, and: 3. We have disabled SSL v2 and the 40 and 56 bit encryption methods supported by SSL and TLS. The somewhat silly part, they’ve adde…

  22. DNS Rebinding, and the drumroll of SHAME for MICROSOFT and APACHE

    Tonight, we have bad news and worse news. The bad news is that the node is yet again the scene of imminent collapse of the Internet as we know it. The worse news is that the fix that could have fixed it … is still not deployed. The no-news is that we…