You are viewing boblord

Security, Crypto, and Random Topics
SSL2 and weak ciphersuites in Mozilla clients 
8th-May-2006 10:26 am
The times are changing for the cryptography in your browser.

As many of you know, the SSL2 protocol has been superseded by the SSL3 protocol, and the TLS 1.0 and 1.1 protocols. As a result, we're working to remove the SSL2 protocol from the Mozilla clients. We'll be able to send the SSL3 hello message to the server when starting an SSL connection. The SSL3 hello will allow us to support a new type of cryptography, called Elliptic Curve Cryptography (ECC). It will also allow us to support Server Name Indication (SNI). [See this page for more information.]

Also, a number of ciphersuites with short (weak) key lengths (40-bits and 56-bits) have fallen out of vogue. They are just too weak to be trusted. So we're working to turn them off as well.

Microsoft is working on the same goals. Here is one of their blogs:
http://blogs.msdn.com/ie/archive/2005/10/22/483795.aspx

Here is the page we're using to track the few remaining SSL2-only sites that matter:
http://wiki.mozilla.org/Necko:SSL_v2_Sites

And here is Gerv's blog on the same subject:
http://weblogs.mozillazine.org/gerv/archives/2005/09/ssl2_must_die.html

If you run a web site that uses only SSL2, or one that only uses weak ciphers, it's time for you to upgrade your site!

As an aside, we're continuing to work on "mod_nss", an Apache web server module that allows administrators to use the NSS crypto libraries rather than OpenSSL. See here for more information:
http://directory.fedora.redhat.com/wiki/Mod_nss
This page was loaded Dec 22nd 2014, 6:59 am GMT.