For a number of reasons, it would be useful to know if any secure sites on the web today support SSL v2 only, and not SSL v3. SSL v2 is an older version of the protocol with known security issues, such as a susceptibility to man-in-the-middle attacks. However, currently all major browsers lead with an SSL 2 Hello because the connection hangs on SSL 2-only servers if you lead with an SSL 3 Hello.

We believe the number of SSL v2-only servers is now quite small, but more concrete information is needed before it can be turned off. So I’m issuing a call to Firefox developers and QA to please do the following:

  • Uncheck “SSL 2.0” in the Advanced Preferences.
  • Visit this link – you should get a (wonderfully clear) error message.
  • Continue browsing normally.
  • If you see the error on another site, add the URL here.

If you don’t hit any problems, feel free to leave it turned off permanently. If you hit a site you want to visit which needs it, you can of course enable it temporarily after reporting the site URL. For bonus points, do a Google search for secure sites and test them all.

Many thanks :-)
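
The post turns on which hello format a client leads with. As an added example (not part of the original post), the Python below classifies the first bytes of a connection as an SSL 2-format hello or an SSL 3 record, and shows that an SSL 2-format hello can still offer version 3.0. The function names are hypothetical and all sample byte strings are constructed.

```python
import struct

def v2_hello(version: bytes, cipher_spec: bytes) -> bytes:
    """Constructed sample: an SSL 2.0-format CLIENT-HELLO offering `version`."""
    challenge = bytes(16)
    lengths = struct.pack(">HHH", len(cipher_spec), 0, len(challenge))
    body = b"\x01" + version + lengths + cipher_spec + challenge
    return struct.pack(">H", 0x8000 | len(body)) + body

def v3_hello() -> bytes:
    """Constructed sample: an SSL 3.0 handshake record carrying a ClientHello."""
    body = b"\x03\x00" + bytes(32) + b"\x00" + b"\x00\x02\x00\x04" + b"\x01\x00"
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x00" + struct.pack(">H", len(handshake)) + handshake

def classify_hello(data: bytes) -> dict:
    """Report the hello format a client led with and the highest version it offers."""
    # SSL 2.0 framing: top bit of byte 0 set = 2-byte header, low 15 bits = length,
    # then message type 1 (CLIENT-HELLO), version, and three 16-bit field lengths.
    if len(data) >= 11 and data[0] & 0x80 and data[2] == 0x01:
        rec_len = struct.unpack(">H", data[:2])[0] & 0x7FFF
        cs_len, sid_len, ch_len = struct.unpack(">HHH", data[5:11])
        if (cs_len % 3 == 0 and rec_len == 9 + cs_len + sid_len + ch_len
                and len(data) >= 2 + rec_len):
            return {"format": "ssl2-hello", "offers": (data[3], data[4]),
                    "ssl3_capable": data[3] >= 3}
    # SSL 3.0 framing: content type 0x16 (handshake), record version, 16-bit length,
    # then handshake type 1 (ClientHello), 24-bit length, client_version.
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 3 and data[5] == 0x01:
        return {"format": "ssl3-record", "offers": (data[9], data[10]),
                "ssl3_capable": True}
    return {"format": "unknown", "offers": None, "ssl3_capable": False}

if __name__ == "__main__":
    samples = {  # constructed inputs, not captured traffic
        "ssl2-only client": v2_hello(b"\x00\x02", b"\x01\x00\x80"),
        "ssl2-format hello offering 3.0": v2_hello(b"\x03\x00", b"\x00\x00\x04"),
        "ssl3 record": v3_hello(),
    }
    for name, raw in samples.items():
        print(name, "->", classify_hello(raw))
```

The hello format alone does not identify an SSL 2-only client: the second sample uses SSL 2 framing but offers 3.0, so the offered version has to be checked as well.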

14 thoughts on “Quick SSL Version 2 Server Survey”

  1. If you’ve not already tried, you might want to ask the people at netcraft.com if they have any figures on this. They do a monthly survey of a large number of SSL servers and may be able to get this information out of their logs.

  2. Hm, if it is possible to show such a wonderfully clear error message: Wouldn’t it be possible to connect like we do now with SSL2 deactivated and if Mozilla/Firefox(TM…) detects SSL2 it displays a warning (not necessarily as a dialog) and then gives the user the possibility to use SSL2 nonetheless? I fear that this would break lots of intra/extranet-applications if turned off completely.

  3. A good plan. I’ve turned off SSL 2 and haven’t yet had any problems. Here’s hoping we can turn it off for good soon!

    Hmm, just read tr’s comment. Why not send SSL 3 Hello first, then fall back to SSL 2 if it fails?

  4. DJC,
    Check the original post – “the connection hangs on SSL 2-only servers if you lead with an SSL 3 Hello.” – so leading with SSL 3 would be a “bad thing”(tm) if there are any SSL 2 servers still lurking out there.