Log in

Security, Crypto, and Random Topics
SSL2 and weak ciphersuites in Mozilla clients 
8th-May-2006 10:26 am
The times are changing for the cryptography in your browser.

As many of you know, the SSL2 protocol has been superseded by the SSL3 protocol, and the TLS 1.0 and 1.1 protocols. As a result, we're working to remove the SSL2 protocol from the Mozilla clients. We'll be able to send the SSL3 hello message to the server when starting an SSL connection. The SSL3 hello will allow us to support a new type of cryptography, called Elliptic Curve Cryptography (ECC). It will also allow us to support Server Name Indication (SNI). [See this page for more information.]

Also, a number of ciphersuites with short (weak) key lengths (40-bits and 56-bits) have fallen out of vogue. They are just too weak to be trusted. So we're working to turn them off as well.

Microsoft is working on the same goals. Here is one of their blogs:

Here is the page we're using to track the few remaining SSL2-only sites that matter:

And here is Gerv's blog on the same subject:

If you run a web site that uses only SSL2, or one that only uses weak ciphers, it's time for you to upgrade your site!

As an aside, we're continuing to work on "mod_nss", an Apache web server module that allows administrators to use the NSS crypto libraries rather than OpenSSL. See here for more information:
This page was loaded Nov 27th 2015, 10:35 pm GMT.