September 1, 2005

SSL2 Must Die: Help Wanted

We've been working on making it possible to turn off SSL version 2 (an older and weaker version of the SSL protocol) in Firefox. We've already had one big success: the number of SSL2-only sites dropped from around 10,000 to around 2,000 after a large ISP reconfigured its servers. But there are no more big wins of that kind left.

I've obtained a list of the most popular sites which are SSL2-only. I am looking for volunteers to help with the task of checking that the list is correct, grouping it by company, ISP and netblock, and getting in touch with the relevant admins to ask them to fix the configuration of their servers. Please email me if you can spare a few hours for this.

Posted by gerv at September 1, 2005 1:01 PM
Comments

I've had SSL2 disabled since your last blog post, and I haven't had a single problem! Quite promising seeing as I'm on the Internet for at least 5 hours per day.

Posted by: DJC at September 1, 2005 1:39 PM

Just a note. I just checked on my browser and it's disabled by default. Although I got mine from the Gentoo package system. Maybe Mozilla still ships it enabled.

Posted by: Alan Trick at September 1, 2005 3:07 PM

I've been testing with the link you provided () and the others I found on your previous post, but I seem not to be able to switch off SSL2 support anymore!

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050831 Firefox/1.0+

Posted by: jhermans at September 1, 2005 3:29 PM

That was https://webmail.komtel.net/horde/imp/

Posted by: jhermans at September 1, 2005 3:30 PM

Mozilla should hard-code a compressed list of enabled SSL2 sites and blacklist any others. :)

Posted by: n/a at September 1, 2005 4:32 PM

n/a, what would that accomplish? We want to get web sites to move away from these old protocols, not give them a reason to stay complacent.

Posted by: Alan Trick at September 1, 2005 5:18 PM

I'd prefer if Firefox popped up a warning if the site only supported SSL2 on the lines of "This site uses an older, less secure connection. Any data you submit may be at risk of being read by third parties. Do you wish to continue? (Yes/No)" . That might encourage more sysadmins to switch over, especially if all browser makers adopted this approach.

Posted by: Neil T. at September 1, 2005 5:20 PM

But as there are only a few sites left that use it, surely it's easier to try and make them all move onto SSL3.

Once we've got enough people to drop it, will it simply be turned off or removed completely?

Posted by: Peter Hewitt at September 1, 2005 6:25 PM

Just wondering, is there a list of web server versions that still use SSL2?

Posted by: ant at September 1, 2005 8:15 PM

"I'd prefer if Firefox popped up a warning if the site only supported SSL2 on the lines of "This site uses an older, less secure connection. Any data you submit may be at risk of being read by third parties. Do you wish to continue? (Yes/No)" . That might encourage more sysadmins to switch over, especially if all browser makers adopted this approach."

And you’d have a lawsuit going in no-time :). They would say that Firefox discriminates against their sites.

Also, I think the problem was that it is not easy to detect that SSL3 is not supported (if it were, SSL2 could simply be used as a fallback and there would be no problem). So if you operate on a blacklist, you can’t first check whether it is still a problem, meaning that even after they fix their sites, users would still be given the warning.

This gives them even less incentive to fix the problem, and indeed, makes Firefox discriminate against their sites.


~Grauw

Posted by: Laurens Holst at September 1, 2005 9:04 PM

Firefox (actually, any non-text browser I've used) does the exact same thing when a user submits form data over a non-secure (http) connection. It's usually turned off after the first warning, so you don't see it much. Now, SSL 2 is more secure than a plain connection; however, there's a relevant difference. With no secure connection, the users aren't told that their data is secure at all. There is the popup above, which is quite explicit that the data is not. However, with a secure connection, the users are told that their data is secure (the yellow address bar, the ubiquitous padlock) and none of them are going to have the know-how to realise that it might not be as secure as they are made to believe.

Why would it be a problem if Firefox gives a warning about something? Whenever I go to download an extension I get warning messages and such. There's nothing amazing about it; it's just good security practice when something is happening that might not be what the user expects.

Posted by: Alan Trick at September 2, 2005 10:01 AM

@Laurens Holst:

> And you’d have a lawsuit going in no-time :). They would say that Firefox discriminates against their sites.

Nonsense. And this is legitimate discrimination, a security issue. Besides, browsers already show a warning when the certificate's subject CN doesn't match the URL domain.

Posted by: Remy at September 2, 2005 8:08 PM

I think Firefox should still allow the use of SSL 2 but not show it as a secure connection.

Posted by: Peter at September 2, 2005 11:34 PM

Gerv,

Can you explain why it is a good idea to disable support for SSL v2. It's an insecure protocol, but so is plaintext HTTP. What do we accomplish by disabling SSL v2? Why is disabling SSL v2 better than treating it as insecure in our UI?

Posted by: Darin Fisher at September 2, 2005 11:59 PM

Darin: The choices are either
* Make a small number of sites (2,000 at the moment) fall back from SSL2 to clear HTTP or fail, or;
* Make a much larger number of sites (those that support both SSL2 and SSL3) fall back from SSL3 to SSL2.

It is not possible to use SSL3 if available, but if not use SSL2.

Posted by: Ian Thomas at September 3, 2005 10:29 AM

"It is not possible to use SSL3 if available, but if not use SSL2"

Is this true? On the last entry on this topic Gerv said explicitly that Firefox will show a "clear worded" message if you turn SSL2 off and visit such a site. If such a warning is possible I can't see why a fallback wouldn't be possible.

Posted by: tr at September 3, 2005 3:15 PM

For what it's worth, I have turned off ssl2 since I started using Mozilla in the pre-1.0 days and I never had any problems because of it.

Posted by: Kelly at September 3, 2005 8:48 PM

Darin: we could do that instead, sure. The point is, we want to stop displaying the connections the same as SSL3. And to minimise disruption, we'd like to make an effort to tell people to upgrade their servers first.

Posted by: Gerv at September 4, 2005 12:05 AM

tr, as I understand it, we can pop up an SSL2 notice after turning off SSL2 because we know we can't connect via that method anymore. We can't do so now because if you use an SSL3 handshake, an SSL2-only server would cause the connection to hang, forcing current browsers to connect via SSL2 even with SSL3-enabled servers.

Posted by: Tsee at September 4, 2005 6:25 PM
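The thread above (Laurens at 9:04 PM, Ian, tr and Tsee) turns on whether a client can tell an SSL2-only server apart from one that speaks SSL3, and the post itself asks for help "checking that the list is correct". What follows is an added example, not code from the original post or from Mozilla: a small raw-socket probe that sends a hand-built SSL 2.0 CLIENT-HELLO and then a hand-built SSLv3 ClientHello on separate connections and classifies the first record that comes back. The wire formats are taken from the SSL 2.0 draft and RFC 6101 (Appendix E describes the v2-compatible hello browsers of the day sent); modern TLS libraries no longer speak SSL2, which is why the messages are built by hand. The verdict strings, the hypothetical `probe()` helper, and the sample responses used in its self-test are all constructed for illustration. The treatment of a timeout as "no response" follows Tsee's description of SSL2-only servers hanging on an SSLv3 hello and is an assumption, not something every such server does.

```python
"""Probe whether an HTTPS endpoint is SSL2-only (added example, not Mozilla code)."""
import os
import socket
import struct

# SSL 2.0 message types (first byte after the 2-byte record header)
SSL2_MT_ERROR = 0
SSL2_MT_CLIENT_HELLO = 1
SSL2_MT_SERVER_HELLO = 4

# A few SSL 2.0 cipher-kinds, 3 bytes each, as listed in the SSL 2.0 draft
SSL2_CIPHER_KINDS = bytes.fromhex(
    "010080"   # SSL_CK_RC4_128_WITH_MD5
    "020080"   # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    "030080"   # SSL_CK_RC2_128_CBC_WITH_MD5
    "040080"   # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    "060040"   # SSL_CK_DES_64_CBC_WITH_MD5
    "0700c0"   # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
)


def build_sslv2_client_hello(challenge=None):
    """SSL 2.0 CLIENT-HELLO: 2-byte record header with the high bit set
    (15-bit length, no padding), then msg type, version 0x0002, three
    lengths, the cipher kinds, and a 16..32 byte challenge. A browser
    of 2005 put 0x0300/0x0301 in the version field of this same v2-format
    hello so that either an SSL2 or an SSL3/TLS server could answer it."""
    challenge = challenge or os.urandom(16)
    body = struct.pack("!BHHHH", SSL2_MT_CLIENT_HELLO, 0x0002,
                       len(SSL2_CIPHER_KINDS), 0, len(challenge))
    body += SSL2_CIPHER_KINDS + challenge
    return struct.pack("!H", 0x8000 | len(body)) + body


def build_sslv3_client_hello(random_bytes=None):
    """Pure SSLv3 ClientHello in a TLS-style record (type 0x16). An SSL2-only
    server has no parser for this record, which is the failure mode the
    comments above argue about."""
    random_bytes = random_bytes or os.urandom(32)
    suites = bytes.fromhex("000a"    # SSL_RSA_WITH_3DES_EDE_CBC_SHA
                           "0005"    # SSL_RSA_WITH_RC4_128_SHA
                           "0004")   # SSL_RSA_WITH_RC4_128_MD5
    hello = struct.pack("!H", 0x0300) + random_bytes + b"\x00"   # version, random, empty session id
    hello += struct.pack("!H", len(suites)) + suites + b"\x01\x00"  # suites, null compression
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello    # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", 0x0300, len(handshake)) + handshake


def classify_response(data):
    """Map the first record a server sends back to a coarse verdict string."""
    if not data:
        return "no-response"
    first = data[0]
    if first & 0x80:                       # SSL 2.0 record header
        if len(data) < 3:
            return "ssl2-truncated"
        if data[2] == SSL2_MT_SERVER_HELLO:
            return "ssl2-server-hello"
        if data[2] == SSL2_MT_ERROR:
            return "ssl2-error"
        return "ssl2-unknown"
    if first == 0x16 and len(data) >= 6 and data[5] == 0x02:   # handshake / ServerHello
        if len(data) >= 11:                # bytes 9-10: negotiated version
            return "ssl3-server-hello:%04x" % struct.unpack("!H", data[9:11])[0]
        return "ssl3-server-hello"
    if first == 0x15 and len(data) >= 7:   # alert record: level, description
        return "alert:%d" % data[6]
    return "unknown"


def is_ssl2_only(results):
    """True when the SSL2 hello got a SERVER-HELLO but the SSLv3 hello did not."""
    return (results["ssl2"] == "ssl2-server-hello"
            and not results["ssl3"].startswith("ssl3-server-hello"))


def probe(host, port=443, timeout=5.0):
    """Hypothetical helper: send each hello on a fresh TCP connection.
    A timeout or reset is recorded as no response (assumption: an SSL2-only
    server hangs or drops a pure SSLv3 hello, as described in the thread)."""
    results = {}
    for name, hello in (("ssl2", build_sslv2_client_hello()),
                        ("ssl3", build_sslv3_client_hello())):
        try:
            with socket.create_connection((host, port), timeout=timeout) as s:
                s.sendall(hello)
                data = s.recv(4096)
        except (socket.timeout, OSError):
            data = b""
        results[name] = classify_response(data)
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "example.invalid"   # placeholder host
    verdicts = probe(target)
    print(target, verdicts, "SSL2-only" if is_ssl2_only(verdicts) else "not SSL2-only")
```

Run it against a list of hosts and keep the ones where `is_ssl2_only()` is true; because the two hellos go out on separate connections, the SSL2 probe never has to "fall back" from a hung SSLv3 handshake, which is the detection step the comments say a browser cannot do inline.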

Turned out that my school was using SSL2, but a quick word to the other admins and it was resolved on the same day. I intend to keep this on to see if there are any other local sites that might require some reconfiguration.

Posted by: Joshua Welderson at September 5, 2005 3:13 AM

this page : http://informationweek.com/story/showArticle.jhtml?articleID=170700325

shows a warning about ssl2 on 213.133.230.66

Should I file a tech evangelism bug?

Posted by: mathieu at September 5, 2005 7:40 PM

Perhaps you can work with the people at netcraft, they poll a lot of sites for what kind of server they run and do stats on ssl too.

Posted by: me at September 5, 2005 8:25 PM

mathieu: no thanks, we've got it all in hand :-)

Posted by: Gerv at September 6, 2005 9:30 AM

Why the big rush to remove it? Just disable it by default, then if someone really needs to connect to an SSL2 site they will have to manually turn it back on.

Posted by: Simple at October 12, 2005 3:20 AM

This is an old post, I know, but IE7 is planning on turning off SSL2 by default.

http://blogs.msdn.com/ie/archive/2005/10/22/483795.aspx

Posted by: Ted Mielczarek at October 25, 2005 5:48 PM

Does anyone know how to disable SSL2 support on an IIS6 web server?

Posted by: Ray Yan at April 3, 2007 2:23 AM