Reducing Attack Surface

Some of you may remember my campaign to wipe SSL2-only sites off the face of the net. This was preparatory to turning off the old and insecure SSL 2 protocol in Firefox 2.

The first fruits of this attack surface reduction are now apparent – Firefox 2.0.0.2 and 1.5.0.10 both contain a fix to an arbitrary code execution buffer overflow in the SSL 2 code in NSS (security advisory). But in their normal configurations, Firefox 2 is immune to this attack because SSL 2 is turned off, whereas Firefox 1.5 is not.

So why are we taking the fix in Firefox 2 anyway? Partly because, dveditz tells me, some short-sighted webmasters, instead of upgrading their sites, have been telling their customers to re-enable SSL 2 (presumably by editing about:config!). Those webmasters have directly placed their users at unnecessary risk, which is IMO shameful.
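An added example, not part of the original post: a small audit check for the misconfiguration described above, reading a profile's `prefs.js` and `user.js` to see whether SSL 2 has been switched back on. The preference name `security.enable_ssl2` is an assumption (the post only mentions about:config), and the sample file contents are constructed.

```python
import re

# Assumption: the Firefox 2-era preference behind the about:config toggle.
SSL2_PREF = "security.enable_ssl2"

# Profile preference files hold lines of the form: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')


def parse_prefs(text):
    """Return {name: raw_value} for every active user_pref line."""
    # Drop /* ... */ blocks so a pref quoted inside a comment is not counted.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)  # lines starting with // or # do not match
        if m:
            prefs[m.group(1)] = m.group(2)  # a later line overrides an earlier one
    return prefs


def ssl2_enabled(prefs_js, user_js="", default=False):
    """True if the profile ends up with SSL 2 on.

    user.js is applied over prefs.js at startup, so its value wins.
    default is the browser's built-in setting: False for Firefox 2,
    True for Firefox 1.5, matching the post.
    """
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    if SSL2_PREF not in merged:
        return default
    return merged[SSL2_PREF] == "true"


if __name__ == "__main__":
    # Constructed sample: a profile where the user followed a site's advice.
    sample = (
        "# Mozilla User Preferences\n"
        'user_pref("browser.startup.homepage", "https://example.org/");\n'
        'user_pref("security.enable_ssl2", true);\n'
    )
    print("SSL 2 re-enabled:", ssl2_enabled(sample))
```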

4 thoughts on “Reducing Attack Surface”

  1. Gerv, I haven’t had the occasion to discuss that, but in my experience until now the disabling of all the weaker encryption algorithms, including 56 bits, has been more annoying than the disabling of SSLv2.

    There seem to be a number of sites left that still use 56 bits, but what’s more IE 7 still has 56 bits enabled, so you can’t tell those affected “That’s the fault of the site, try with another recent browser like IE 7 and you’ll see it won’t work either”.

    I think the best option would have been to only disable 40 bit, and to display the weak encryption warning to 56 bits sites (BTW in 1.5 that warning is only displayed for 40 bits sites, nothing’s displayed for 56 sites).

    I think even if 56 bits is never back by default, it would be good to have that warning for those who manually turn it on (and also for SSLv2?).

  2. > dveditz tells me, some short-sighted webmasters, instead of upgrading
    > their sites, have been telling their customers to re-enable SSL 2
    > (presumably by editing about:config!).

    This is a major victory. Five years ago they would have just said, “Mozilla doesn’t work right, you have to use Internet Explorer”. Only through a great deal of effort has the point been reached where they are willing to go to the effort to tell the users how to misconfigure Firefox so it will work “properly” with their poorly maintained sites.