SSLv2 insecure - should be disabled by default

Eric Dorland eric@debian.org
Sun, 10 Apr 2005 15:28:46 -0400


--0z5c7mBtSy1wdr4F
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

* Lo?c Minier (lool@dooz.org) wrote:
>         Hi,
>=20
>  Galeon has specifically SSLv2 disabled in it's defaults
>  (security.enable_ssl2 is set to false in default-prefs.js).
>=20
>  I checked Firefox, Mozilla, and Epiphany: they all have this setting
>  set to true by default.
>=20
>  Upstream told me SSLv2 is quite insecure and shouldn't be in use in
>  current implementations.
>=20
>  I've searched for a summary of SSLv2 flaws, the best I could come up
>  with is at:
>     <http://www.eucybervote.org/Reports/MSI-WP2-D7V1-V1.0-02.htm>
>  The security flaws are really below current standards:
>  - weak MAC,
>  - no protection against man-in-the-middle attacks,
>  - same key is used for authentification and encryption,
>  - no protection against TCP connection closing.
>=20
>  I think we shouldn't ship browsers with SSLv2 enabled transparently by
>  default, and I suggest other browsers move to the same configuration.
>=20
>  [ Of course, it would be nicer if Mozilla-based browsers would source a
>  common config file. ]
>=20
>  This is bug #303849, where you can see that networksolutions.com uses
>  SSLv2!

I would probably agree with this assessment. I had not realized SSLv2
had so many inherent weaknesses. As an alternative, we should probably
disable all 40-bit variants of the ssl protocols, since 40-bit
encryption doesn't provide a realistic amount of security these
days. I don't know how many sites use 40-bit anymore though. If it's
still a lot, that could be an unpopular move.=20

--=20
Eric Dorland <eric.dorland@mail.mcgill.ca>
ICQ: #61138586, Jabber: hooty@jabber.com
1024D/16D970C6 097C 4861 9934 27A0 8E1C  2B0A 61E9 8ECF 16D9 70C6

-----BEGIN GEEK CODE BLOCK-----
Version: 3.12
GCS d- s++: a-- C+++ UL+++ P++ L++ E++ W++ N+ o K- w+=20
O? M++ V-- PS+ PE Y+ PGP++ t++ 5++ X+ R tv++ b+++ DI+ D+=20
G e h! r- y+=20
------END GEEK CODE BLOCK------

--0z5c7mBtSy1wdr4F
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCWX5uYemOzxbZcMYRAo4rAKCtCpG1Eq5KErSXth9eZjl0WSceqgCdF2j2
jFtiq2RrJbecIfrtdoXH+/c=
=w7Dz
-----END PGP SIGNATURE-----

--0z5c7mBtSy1wdr4F--