For a number of reasons, it would be useful to know if any secure sites on the web today support SSL v2 only, and not SSL v3. SSL v2 is an older version of the protocol with known security issues, such as susceptibility to man-in-the-middle attacks. However, currently all major browsers lead with an SSL 2 Hello, because the connection hangs on SSL 2-only servers if you lead with an SSL 3 Hello.
We believe the number of SSL v2-only servers is now quite small, but more concrete information is needed before it can be turned off. So I'm issuing a call to Firefox developers and QA to please do the following:
If you don't hit any problems, feel free to leave it turned off permanently. If you hit a site you want to visit which needs it, you can of course enable it temporarily after reporting the site URL. For bonus points, do a Google search for secure sites and test them all.
Many thanks :-)
Posted by gerv at May 16, 2005 10:45 PM

If you've not already tried, you might want to ask the people at netcraft.com if they have any figures on this. They do a monthly survey of a large number of SSL servers and may be able to get this information out of their logs.
Posted by: Ian Thomas (thelem) at May 16, 2005 11:39 PM

Appositely, a Google search for SSL2 turned up at least this site...
Posted by: theodicey at May 16, 2005 11:50 PM

Hm, if it is possible to show such a wonderfully clear error message: wouldn't it be possible to connect like we do now with SSL2 deactivated and, if Mozilla/Firefox(TM...) detects SSL2, display a warning (not necessarily as a dialog) and then give the user the possibility to use SSL2 nonetheless? I fear that this would break lots of intra/extranet applications if turned off completely.
Posted by: tr at May 17, 2005 6:53 AM

A good plan. I've turned off SSL 2 and haven't yet had any problems. Here's hoping we can turn it off for good soon!
Hmm, just read tr's comment. Why not send SSL 3 Hello first, then fallback to SSL 2 if it fails?
gerv: Check out http://www.securityspace.com/s_survey/sdata/200504/protciph.html, they made some survey how many sites support SSLv3, SSLv2, etc.
Posted by: mcsmurf at May 17, 2005 1:19 PM

DJC,
Check the original post - "the connection hangs on SSL 2-only servers if you lead with an SSL 3 Hello." - so leading with SSL 3 would be a "bad thing"(tm) if there are any SSL 2 servers still lurking out there.
Hi,
http://www.networksolutions.com/en_US/manage-it/index.jhtml
Network Solutions was *previously* only SSLv2 aware (see ), it seems they recently fixed it.
Posted by: Loïc Minier at May 17, 2005 2:26 PM

(blog munged <...> snipset) http://bugs.debian.org/303849
Posted by: Loïc Minier at May 17, 2005 2:29 PM

I have some relatively cheap webspace at 1&1 (Germany's largest webhost), which includes a QuickSSL certificate from geotrust.com. The server appears to use SSL2, at least I can't access it via https when SSL2 is turned off: https://www.umsu.de/. The same happens with other sites at 1&1, e.g. https://www.pro-regenwald.de/.
wo: Interestingly, 1&1's free SSL does appear to support v3 (any site at https://sslrelay.com/), as does geotrust's own site. It may be worth giving 1&1 a call as it is something that they should upgrade.
Posted by: Ian Thomas (thelem) at May 17, 2005 7:41 PM

https://bugzilla.mozilla.org/show_bug.cgi?id=76162
tracks these sites
Here's one: http://www.cpucityshop.co.uk/
Posted by: Jonathan Watt at May 20, 2005 11:39 PM
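The post's distinction between an "SSL 2 Hello" and an "SSL 3 Hello", and the survey the thread asks for (which servers answer the v2-compatible Hello with an SSL 2 ServerHello), as an added example that is not part of the original post or of Mozilla's code. It builds the SSL 2-compatible ClientHello that browsers of the time led with (an SSL 2 record whose version field advertises 3.0, per the layouts in RFC 6101 appendix E and the SSL 2 draft) and classifies a server's first reply; the two server replies and the cipher list are constructed samples, not captures from any site named above.

```python
import struct

# Constructed sample of SSL 3 cipher suite ids to advertise (3-byte v2 specs: 0x00 + id).
SAMPLE_SUITES = [0x000A, 0x0005, 0x0004]

def build_v2_compat_client_hello(version=(3, 0), suites=SAMPLE_SUITES, challenge=b"\x11" * 32):
    """SSL 2 record carrying CLIENT-HELLO (msg type 1) whose version field says `version`.
    An SSL 2-only server parses it as SSL 2; an SSL 3 server reads the version and upgrades.
    Leading with a native SSL 3 record instead is what hangs on SSL 2-only servers."""
    specs = b"".join(b"\x00" + struct.pack(">H", s) for s in suites)
    body = (bytes([1, version[0], version[1]])
            + struct.pack(">HHH", len(specs), 0, len(challenge))  # spec, session-id, challenge lengths
            + specs + challenge)
    return struct.pack(">H", 0x8000 | len(body)) + body  # 2-byte header, high bit = no padding

def classify_server_hello(data):
    """Classify the first bytes a server sends back: ('sslv2'|'sslv3'|'unknown', version).
    'sslv2' in reply to a hello offering 3.0 is what the post wants reported."""
    if len(data) >= 11 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x02:
        # SSL 3 record (type 0x16, version, 2-byte length) wrapping handshake type 2 = ServerHello,
        # 3-byte length, then the negotiated version.
        return "sslv3", (data[9], data[10])
    if len(data) >= 3 and data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        msg = data[2:2 + length]
        # SSL 2 SERVER-HELLO: type 4, session-id-hit, cert type, version MSB/LSB, three lengths.
        if len(msg) >= 11 and msg[0] == 0x04:
            return "sslv2", (msg[3], msg[4])
    return "unknown", None

# Constructed SSL 2 SERVER-HELLO (version 0.2): fake cert bytes, one cipher spec, 16-byte conn id.
_cert, _spec, _conn = b"\x30\x03\x02\x01\x00", b"\x02\x00\x80", b"\x55" * 16
_v2 = bytes([4, 0, 1, 0, 2]) + struct.pack(">HHH", len(_cert), len(_spec), len(_conn)) + _cert + _spec + _conn
SSLV2_SERVER_HELLO = struct.pack(">H", 0x8000 | len(_v2)) + _v2

# Constructed SSL 3 ServerHello: version 3.0, 32-byte random, empty session id, suite 0x000A, no compression.
_hs_body = b"\x03\x00" + b"\x42" * 32 + b"\x00" + b"\x00\x0a" + b"\x00"
_hs = b"\x02" + len(_hs_body).to_bytes(3, "big") + _hs_body
SSLV3_SERVER_HELLO = b"\x16\x03\x00" + struct.pack(">H", len(_hs)) + _hs

if __name__ == "__main__":
    print(build_v2_compat_client_hello().hex())
    for reply in (SSLV2_SERVER_HELLO, SSLV3_SERVER_HELLO, b"HTTP/1.0 400 Bad Request"):
        print(classify_server_hello(reply))
```

To survey a real server you would send the hello over a TCP socket to port 443 and pass the first bytes received to classify_server_hello; that socket code is omitted so the block runs offline.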