Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 


Forgot your password?
Close
typodupeerror
×
Encryption Security Mozilla The Internet IT

Firefox Moving On From SSL 2.0 131

Posted by Zonk from the we-must-part-ways dept.
Juha-Matti Laurio writes "Plans are afoot to remove support for SSL version 2.0 in Mozilla Firefox, reports MozillaZine portal. Mozilla Foundation is eager to disable support for SSL 2.0 and have all Firefox installations use only the newer and more secure SSL 3.0 and TLS 1.0 protocols." From the post: "Netscape Communications Corporation introduced SSL 2.0 with the launch of Netscape Navigator 1.0 in 1994. Netscape Navigator 2.0 included support for SSL 3.0 when it was released in 1996. The specification for TLS 1.0, essentially a standardized version of SSL 3.0 with some differences, was published in 1999."
This discussion has been archived. No new comments can be posted.

Firefox Moving On From SSL 2.0 More

Firefox Moving On From SSL 2.0

Comments Filter:

  • Online banking (Score:4, Interesting)

    by Saiyine ( 689367 ) on Tuesday September 06, 2005 @02:57PM (#13492692) Homepage

    How will this affect the end user? Will it break the online banking webs?

    --
    Superb hosting [dreamhost.com] 4800MB Storage, 120GB bandwidth, $7,95.
    Kunowalls!!! [kunowalls.host.sk] Random sexy wallpapers (NSFW!).
    • It shouldn't and if it does, than the Mozilla Corperation will urge that they use SSL 3.0.

      • Re:Online banking (Score:2, Insightful)

        by niney ( 796319 )
        Mozilla isn't really in a position to be telling banks what to support. The banks will just block them out again if their browser doesn't do what they want. (Yes, I know, you can spoof your user agent string, but not everyone will do this)

        In the past, it's been the other way around, they had to support autocomplete=off (an IE tag) due to insistence from banks: (bugzilla link [mozilla.org])
        • And that damn proprietary attribute (that doesn't seem to be disableable) is used by a few E-Mail providers *cough* in order to piss me off by making me use an easier password rather than a 20+ character one generated by something like KeePass [sf.net].

    • Re:Online banking (Score:5, Informative)

      by AKAImBatman ( 238306 ) * <`akaimbatman' `at' `gmail.com'> on Tuesday September 06, 2005 @02:59PM (#13492718) Homepage Journal
      In theory, it shouldn't break anything. SSL 2.0 is so old that it should have gone the way of the Dodo bird. The point of removing 2.0 from Firefox is to force an upgrade by anyone who might be lame enough to still be running such old and insecure technology.

      • Re:Online banking (Score:3, Insightful)

        by ergo98 ( 9391 )
        SSL 2.0 is so old that it should have gone the way of the Dodo bird. The point of removing 2.0 from Firefox is to force an upgrade by anyone who might be lame enough to still be running such old and insecure technology.

        Good point. Hopefully they can catch the morons running TCP/IP and HTTP as well, those idiots.
        • Uh, yeah. Expect that 3.0 has been the recommended replacement for nearly 10 years now. So in this case, it SHOULD have been replaced due to its age, not to mention its insecurity.

          • Re:Online banking (Score:5, Interesting)

            by ergo98 ( 9391 ) on Tuesday September 06, 2005 @03:11PM (#13492855) Homepage Journal
            So in this case, it SHOULD have been replaced due to its age, not to mention its insecurity.

            No, it sould have been replaced due to its insecurity. Period.

            The age thing is the same sort of lame distraction that makes crypto-naives rush to whatever newly announced algorithm comes out, burning themselves when it is vetted and found to have dozens of weaknesses. You original message clearly put all of the emphasis on the age factor as if we all need to carbon date all of the technologies we use to determine worthiness.

            • Re:Online banking (Score:4, Insightful)

              by AKAImBatman ( 238306 ) * <`akaimbatman' `at' `gmail.com'> on Tuesday September 06, 2005 @03:14PM (#13492890) Homepage Journal
              Let me put it this way: It should have been replaced due to its age in relation to the maturity of the newer versions available. Especially when compared with the insecurity of the old version vs. the proven security of the new version.

              Happy?

            • The age thing is the same sort of lame distraction that makes crypto-naives rush to whatever newly announced algorithm comes out

              No, the age thing is just practicality, in this case. SSLv2 is old, and so you'd have to be running a really ancient web server to have one that doesn't do v3. How many could there be who haven't upgraded? Well, according to Netcraft, in 1995, when SSLv2 was the current standard for web security, there were around 19,000 web sites. Today there are around 70 million. So, eve

        • Er, what about HTTP/1.1? It's around the same age as SSL 3.0 IIRC, so there's no harm in that.

          And TCP/IP is already trying to be updated (IPv6), but much less successfully as of now.

      • Re:Online banking (Score:5, Insightful)

        by Iriel ( 810009 ) on Tuesday September 06, 2005 @03:13PM (#13492878) Homepage
        Then again, there are some people that still work on standards older than dirt. I work for a company whose site still gets hits from people browsing with Netscape 3.0 Gold.

        Sometimes, I think one thing that holds Mozilla/Firefox back from wider adoption is the fact that many people are lazy enough to make a site only work in IE, and Firefox would break someone's favorite page as a result. It's the very standards we strive for that leave the masses lagging. I don't know what companies still use SSL2.0 for anything, but I don't doubt the existence of enough to make a developer cringe.

        • Re:Online banking (Score:2, Insightful)

          by AdamWeeden ( 678591 )
          I think one thing that holds Mozilla/Firefox back from wider adoption is the fact that many people are lazy enough to make a site only work in IE

          In some cases it isn't a decision of laziness, but of business. My former employer (a web devlopment firm) determined the webshare that non IE browsers got for one of our clients. It was only 5%. They then determined how much business that client did per year and figured out how many extra hours (and thus extra cost to the client) it would cost to make the fe

          • Re:Online banking (Score:4, Insightful)

            by bunratty ( 545641 ) on Tuesday September 06, 2005 @05:11PM (#13494053)
            Of course, now that non-IE browsers are used three times as much as then, the extra profit should be three times greater and probably now outweighs the cost. Making the site compliant with non-IE browsers now will probably only cost more than it would have to support them to begin with, and the profit the site could have been making all this time from users of those browsers is now lost. It would have been more profitable to support non-IE browsers from the start, rather than reverse the decision to support IE.
          • Written properly, you should be able to make code that is cross-browser from day one without adding extra headaches vs developing specifically for IE.

            You just develop for the subset of HTML that is supported by all the browsers (i.e. IE6/7, Firefox, Mozilla, Opera, Safari) and only write browser specific hacks when there is no way to get it done any other way (e.g. to work around bugs in IE).

            Disclaimer: IANA web developer so I could be off base as to how hard it is to do this in a real world setting. Also,

      • Re:Online banking (Score:4, Funny)

        by Cally ( 10873 ) on Tuesday September 06, 2005 @04:41PM (#13493782) Homepage
        SSL 2.0 is so old that it should have gone the way of the Dodo bird.
        The game was up when a Bond villain, discovering that it's trivial to hack some top secret installation, says contemptuously "*pffft* , they're using SSL - version two." And that was in 1997 [imdb.com].
      • [...] it should have gone the way of the Dodo bird.

        As opposed to the Dodo fish, the Dodo plant, and the Dodo subatomic particle. ;-)
    • I'm not sure if this is just my knee-jerk reaction from using old technology frequently, but when I hear "remove support" it usually gets associated with bad things in my mind...
    • Honestly, no. The laws governing financial institutions and the protection of their customers' financial data should prevent banks from supporting SSL 2.0 or less. I can't think of any bank websites that I've come across that require anything less than a browser with 128-bit SSL encryption. Now I must admit that my memory is a bit rusty on this topic but I believe most browsers started offering 128-bit encryption when they moved to SSL 3.0 (but not on 2.0 certs). IE5 comes to mind.

    • Re:Online banking (Score:5, Informative)

      by bill_mcgonigle ( 4333 ) * on Tuesday September 06, 2005 @03:15PM (#13492903) Homepage Journal
      How will this affect the end user? Will it break the online banking webs?

      No - to be a Visa affiliate (partner, whatever its' called) you can't even accept SSL 2.0 connections.

    • Re:Online banking (Score:1, Informative)

      by Anonymous Coward
      Tools -> Options -> Advanced -> Security

      Uncheck SSL 2.0

      Test away.

  • Don't remove it - just disable it. (Score:3, Insightful)

    by caluml ( 551744 ) <slashdotNO@SPAMspamgoeshere.calum.org> on Tuesday September 06, 2005 @03:00PM (#13492737) Homepage
    Why remove - why not just disable, and make it an entry in a config file to re-enable it? I'm all for removing any software that is insecure, but this might cause trouble for users trying to access sites. It's all about choice, people.

  • Oh the heartbreak (Score:5, Funny)

    by infonography ( 566403 ) on Tuesday September 06, 2005 @03:02PM (#13492766) Homepage
    All the good times we have shared with SSL 2.0 now they will be gone. SSL 2.0 will locked in it's room sobbing and won't come out for a week. Well Firefox, I hope your satisfied, go on! Go off with your new Friends, see if SSL 2.0 cares.

    Oh and SSL 2.0 want's it's ring back, otherwise there will be a messy lawsuit.
  • I'd be very surprised if any sites are still using SSL 2.0
    Seeing a nice yellow "secure" address bar is reassuring for most people (I assume. It's reassuring to me). Using a known bad encryption scheme is almost like fraud, then.
    • It makes us all feel much safer, lets just hope no one writes a script to show the yellow bar when not secure.
    • > Seeing a nice yellow "secure" address bar is reassuring for most people

      Err, no. Yellow is *not* a reassuring color. Blue is a reassuring color. Green, maybe. Yellow is usually associated with warnings and danger. And of course there's the obvious truism that most computer users don't know what SSL is or what the implications are.

  • Supporting the latest (Score:5, Funny)

    by LegendOfLink ( 574790 ) on Tuesday September 06, 2005 @03:08PM (#13492825) Homepage
    What always amazes me about the Mozilla Foundation is the push to support the newest and latest.

    Now everybody might be thinking this is good for security and all; but I like it because of other reasons: namely because it allows to me exude tech eliteness amongst normal Windows users. Yep, I'm serious. I'm an IT admin, and people will tell me, "Dude, how do I stop spyware?" What do I say?

    I preach Firefoxism and nobody can argue back. What can they say? Um, IE has really awesome, um...Active-something controls...which causes the spyware in my computer to make my machine inoperable...um...yeah. It's great. And no matter what Microsoft puts out, it'll always be one step behind! Thanks Mozilla!
    • What i would say to that is that while Firefox may be the current clear winner when it comes to spyware/security concerns, its success will be its downfall.

      Soon Firefox users will be a big enough percentage of the global browser market to become a viable target. It will only be a matter of time before spyware and virus authors are giving the latest Firefox build just as much of their special kind of attention as the latest offering from Microsoft.

      That's not to say that microsoft hasn't built in certain

      • argument:

        Apache has 70% of the market, IIS has about 20%, yet the the former has only two unpatched holes.

        Since Apache is more popular (by 3 1/2 times), you'd think it would have 3 1/2 unpatched vulnerabilities, eh?

        • Apache has 70% of the market, IIS has about 20%, yet the the former has only two unpatched holes.

          Since Apache is more popular (by 3 1/2 times), you'd think it would have 3 1/2 unpatched vulnerabilities, eh?

          So Apache 2 [secunia.com] has had 27 Secunia advisories, with 2 still unpatched, and IIS 6 [secunia.com] has only had 3, of which one is still unpatched. Seems to support the GP's theory pretty well. Your point?
          • The advisories are grouped by version no. IIS has been through more versions that IIS so the vulnerabilities are more spread out.

            Given that Apache 1.x is still being developed (and is more widely used) I think we can regard that as a product in itself. Compare that against the IIS 4 through to 6 and you get 12 for Apache against 14 for IIS. Furthermore all the IIS ones are remotely exploitable.

            So far in 2005 there has been one advisory each for Apache 1.3 and IIS 6. There have been 4 for Apache 2 (the least
        • I still get hits from Code Red / etc infected IIS machines, years after the patch was very widely announced. Yet, possibly infectable machines make up less than 1/5 of the Internet...

  • Security (Score:5, Funny)

    by halltk1983 ( 855209 ) <halltk1983@yahoo.com> on Tuesday September 06, 2005 @03:09PM (#13492834) Homepage Journal
    Hrm... wonder how long it take Microsoft to come out with a statement saying FF is becoming less secure, as they are taking out security functions.

  • Isn't a big deal... (Score:5, Informative)

    by GoNINzo ( 32266 ) <(GoNINzo) (at) (yahoo.com)> on Tuesday September 06, 2005 @03:12PM (#13492870) Journal
    You can disable SSL 2.0 right now. Go to Tools | Options | Advanced | Security and you can turn it off. I think they might just be turning it off by default now instead of having it default to on. Yes, it might break a few sites, but those might have some questionable security anyway if they havn't updated since 1996.

    You can do the same thing in IE by going to Tools | Options | Advanced | Security. What is kind of amusing is that TLS 1.0 seems to be off for me. Not that I use it but still... heh

    Anyway, if you're worried about it breaking a site you *must* use, try disabling it.

  • Positive (Score:5, Interesting)

    by Red Flayer ( 890720 ) on Tuesday September 06, 2005 @03:12PM (#13492871) Journal
    Good move by Mozilla.

    At the very least, this has prompted more attention to the fact that SSL 2.0 is not so secure.

    Even if some sites continue to use it, it is never a bad idea to bring attention to a flawed security system when a fix is easily available.

    Of course, some of us now might have to have two legacy browsers installed in order to use all the sites we want to (IE & an older FF) -- unless SSL 2.0 is reversibly disabled.
    • Well, if the failure mode is relatively silent, i.e. "It's just broken. I hate my computer. I'm getting a Mac.", then you haven't brought more attention to the problem.

      Fail loudly, blaming the other side for their lack of concern for data security. That's the way to bring about change.
      • "Fail loudly, blaming the other side for their lack of concern for data security. That's the way to bring about change."

        Or get media attention, and customers who contact you demanding a change.

        The stimulus for change doesn't have to be painful... but it helps!
      • It is noisy, it says that it cannot communicate with the remote site because SSL 2.0 is disabled, tho it could be more clear about why SSL 2.0 is a bad idea, as the current error message will just encourage people to turn it back on.

  • Have been surfing with SSL 2.0 disabled for years (Score:4, Informative)

    by swimgeek ( 470390 ) on Tuesday September 06, 2005 @03:18PM (#13492935)
    At least since 2002. Haven't had a problem with a single major site, including banks and financial institutions. I also wonder when the support for TLS 1.1 will be incorporated.

  • Look out for your interests ... (Score:2, Informative)

    by Anonymous Coward
    Here's how you can make sure the sites you're interested in [mozillazine.org] will still work after the upgrade.

    The link posted in that site won't display the problem -- visit the wiki [mozilla.org] to display the problem (https://register.btinternet.com/ [btinternet.com] is a current offender).

  • And I love Firefox. I do. And I try to get everyone I know using it.

    But would it kill the developers to fix one really annoying, yet increasingly serious bug?

    I'm speaking of large file download support. I ran across this when trying to download the Knoppix 4 DVD, which is 3GB, to a filesystem that supports files up to 4GB. Basically it starts downloading fine, but after the first two GB the progress bar goes wonky (reading negative file size downloaded) and the file on disk gets corrupted. I guess it's

    • Re:That's nice and all (Score:1, Informative)

      by Anonymous Coward
      wget and ftp are your friends
    • I checked with Bugzilla (no link from /. allowed)

      That doesn't means you can't put it here so other people can contribute: https://bugzilla.mozilla.org/show_bug.cgi?id=22896 8 [mozilla.org]

      You know, this is what opensource is for - you can help and fix it yourself, the mozilla foundation may not have enought programmers to solve those bugs...
      • ------- Additional Comment #127 From Christian Biesinger (:bi) 2005-04-05 16:53 PDT [reply] -------

        checked in. firefox and seamonkey should work.

        bug 288585 is for camino
        bug 289214 for embedding/browser/cocoa
        bug 289216 for photon
        bug 289218 for powerplant

        Bug 289219 for not QIing mInner in nsDownloadProxy (toolkit)
        Bug 289220 for not QIing mInner in nsDownloadProxy (xpfe)

        Bug 289221 for making exthandler an nsIProgressEventSink.

        Marking FIXED!

    • Re:That's nice and all (Score:4, Interesting)

      by slavemowgli ( 585321 ) on Tuesday September 06, 2005 @03:43PM (#13493183) Homepage
      The problem with Mozilla is that they're so swamped with bugs that some developers at least seem to have stopped caring about *any* bugs at all whatsoever anymore - to the point where they will not only not fix them, but actively try to prevent others from fixing them. Give bug 18574 a look some time, for example...

      Unfortunately, there's not really much you can do. Firefox *is* wildly popular, so those at the top of the Mozilla foundation (Asa Dotzler etc.) don't even realise that some things are going wrong - they've stopped listening to the people, just like Microsoft has, after convincing themselves that those who disagree are just a small bunch of disgruntled nay-sayers. Considering Firefox' popularity, that's not a difficult thing to do, but it's still wrong - you should always listen to your users.

      Unfortunately, it seems that Mozilla is heading further in this direction, with the creation of a new for-profit company that's supposed to take over from the non-profit organisation and all that. I fear that this will be used as an excuse to listen to the actual users even less - and I don't doubt that this new incarnation of Netscape (which is what it'll be, essentially) will reward Asa and co with a nice monthly sum for the whole thing, too.

      In the end, what it really boils down to is PR vs. the actual product - if PR (i.e., telling people that your product is good) is more important than actually *making* your product good, everyone loses. The only exception are those at the top of the pyramid who make money that way - but the actual users will lose out, and that's even sadder when you consider that projects with more PR will usually attract more users, too.

      Microsoft (Windows), Mozilla, MySQL - this is what they all have in common. They're all not really all that great at what they're supposed to do, but there's so much PR that they're still successful. And unlike with Windows and MySQL, where you have Linux/*BSD and PostgreSQL as free and better alternatives, there seems to be no real alternative to Mozilla - Opera is payware, Konqueror only runs on Linux/KDE, Safari is for OS X etc. Where is the free, no-crap browser for Windows? There seems to be none.
      • > The problem with Mozilla is that they're so swamped with bugs that some
        > developers at least seem to have stopped caring about *any* bugs at all
        > whatsoever anymore - to the point where they will not only not fix them,
        > but actively try to prevent others from fixing them. Give bug 18574 a
        > look some time, for example...

        If this bug is typical of the sort of thing you're complaining about, go soak your head. If it were me, I'd have closed that bug as NOTABUG aeons ago. There are an infinite

      • It's a troll, but I'll bite and see if I can get a free worm.

        This is just wrong. A bit of research (http://weblogs.mozillazine.org/asa/ [mozillazine.org], http://planet.mozilla.org/ [mozilla.org] shows that the developers, including Asa, routinely listen to users and often ask for comments. And from the point of view of an insider (bugs I've reported: 55 [mozilla.org]), developers respond quickly and helpfully to anyone who isn't wasting their time, and even those who are but do it in a curteous way.

        A few other specific points: the Mozilla Corporat

        • "we did support this for three years and the content didn't come"
          Yeah, back when no one knew about Mozilla (Firefox). But now Firefox is all over the place, and can make a difference. Lousy argument.

          Not that I necessarily think the original poster is right when he whines about this non-bug (it's asking for a new feature, not reporting something that doesn't work as designed).

  • by keeping SSL 2.0, you maintain backward compatability for virtually zero-cost

    the code-bloat related to SSL 2.0 must be tiny relative to other portions, such as Gecko

    besides, Mozilla can always offload SSL 2.0 into a DLL module which doesn't need to be loaded unless a SSL 2.0 site is encountered, thus minimizing memory utilization

    and if the SSL 2.0 module conflicts with a new feature, then they should decide whether it's worth the extra effort to keep SSL 2.0 around. but for now, the status quo will do.

    • Re:why remove it? (Score:5, Informative)

      by Anders ( 395 ) on Tuesday September 06, 2005 @05:28PM (#13494210)

      by keeping SSL 2.0, you maintain backward compatability for virtually zero-cost

      The problem is that SSL 2.0 servers will hang on a 3.0 handshake [mozillazine.org]. So the 2.0 handshake is tried first.

      Meaning that for servers configured to respond to both 2.0 and 3.0, you end up using the worst one. So that is the non-zero cost they try to avoid.

      • You don't end up using the worst SSL version, a well written server will use the best common SSL version.

        The SSL handshake is a multi-step process, it is only the initial 'ClientHello' record that is in the SSLv2 format. Inside that record is information telling the server the maximum SSL version the client supports. The SSL server will then respond with an SSLv3 (or TLS) 'ServerHello' record, and from that point on, the server and client will complete the SSLv3 handshake.

        There isn't any security problems l
  • Mozilla community has a separate Bugzilla entry at https://bugzilla.mozilla.org/show_bug.cgi?id=76162 [mozilla.org] . However, sites tested (SSL2 turned of via Tools menu) after May '05 are listed to http://wiki.mozilla.org/Necko:SSL_v2_Sites [mozilla.org] Wiki page.
  • ...but to login on the wi-fi network of my university (http://www.polito.it/ [polito.it] SSL 2.0 is required. The fun part is that we HAVE a IT department, and they TEACH us that SSL 2.0 is deprecated... but obviously the brilliant minds of our teachers are better employed elsewhere... (and we buy rubbish from third parts)

  • I would assume... (Score:3, Insightful)

    by Kr3m3Puff ( 413047 ) * <me@kitsonkelly. c o m> on Tuesday September 06, 2005 @04:16PM (#13493536) Homepage Journal
    That the desire to remove the technology also makes the job of testing easier, especially when dealing with security related code, I am sure that testing of this is more of annoyance. People expect it to be secure and unexploitable. Then you can focus your development and patches on new code.

    This isn't just about making stuff compatible for the users. Then the developers can focus on MSIE quicky mode rendering instead of SSL 2.0!

  • This is news? (Score:2, Insightful)

    by KhaZ ( 160984 )
    Sorry, maybe I'm missing something:

    But why is it a big deal that they're upgrading?

    I thought this was a news site: not freshmeat or version tracker.

    Is there some other item of importance here that I'm missing?

  • They were asking for people to submit sites that still use SSL 2, and they had found a mere 2000 left that people actually used that still used it (down from 10000 when they began this push).
  • How will this effect our websites? Do we have to make sure the company that provides the SSL uses SSL3.0?

  • Good (Score:4, Insightful)

    by ChiralSoftware ( 743411 ) <info@chiralsoftware.net> on Tuesday September 06, 2005 @06:47PM (#13494918) Homepage
    When you have a situation where 99% of the sites on the net have upgraded, you have two basic options:
    1. Keep on supporting them forever.
    2. Stop supporting them and force them to upgrade.
    #2 is usually the right thing to do. It's especially right in this case. Every single line of code that processes remote user input (ie, every line of SSL and any other web server code) could potentially contain a security vulnerability. Developers are not actively working on this antique code so bugs will be left there, perhaps forever. If you're looking for holes, abandoned code is a good place to look. This is similar to the Linux vulnerability not long ago where there was some obscure bug in the processing of a.out files that let binaries escalate. Well, we don't use a.out format anymore. We use ELF format and have for years, so no one was paying attention to that antique code. It should have been removed from the kernel, but it wasn't.

    The second issue is that OpenSSL is maintained by volunteers. I'd rather have them working to make a small set of features perfect, instead of wasting time on dead code that almost no one is using. Would you rather have the GCC crew working on improving Java or Fortran support?

Slashdot Top Deals

Some people claim that the UNIX learning curve is steep, but at least you only have to climb it once.

Close