The Firefox 2 Beta 1 milestone was released today. There are a number of changes in the cryptography of this release that are noteworthy:
- When Firefox makes an OCSP request to validate a web server's certificate, it now uses whatever proxy you set up for normal HTTP traffic. (Bugzilla Bug 111384)
- Support added for Elliptic Curve Cryptography (ECC) in TLS. There's a test server here. Please be gentle with this server. If it starts to melt we'll have to take it offline.
- SSL2 is off by default. (Bugzilla Bug 236933)
- The weak ciphers (keys less than 64 bits long) are off by default.
- It supports the TLS server name indication extension to facilitate secure connections to servers that host multiple 'virtual' servers at a single underlying network address. (See RFC 3546: http://www.ietf.org/rfc/rfc3546.txt)
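
To make the server name indication item concrete, here is an added example (not Firefox or NSS code) that encodes the `server_name` extension as RFC 3546 lays it out and parses it on the server side to choose a certificate. The function names and the virtual-host table are hypothetical and constructed for illustration.

```python
import struct

EXT_SERVER_NAME = 0  # ExtensionType server_name(0) in RFC 3546
NAME_TYPE_HOST = 0   # NameType host_name(0) in RFC 3546

def build_sni_extension(hostname):
    """Client side: encode the server_name extension for a ClientHello."""
    name = hostname.encode("ascii")
    entry = struct.pack("!BH", NAME_TYPE_HOST, len(name)) + name
    name_list = struct.pack("!H", len(entry)) + entry
    return struct.pack("!HH", EXT_SERVER_NAME, len(name_list)) + name_list

def parse_sni_extension(ext):
    """Server side: return the host_name, or None if there is none.
    Raises ValueError when any length field disagrees with the data."""
    if len(ext) < 4:
        raise ValueError("truncated extension header")
    ext_type, ext_len = struct.unpack_from("!HH", ext)
    if ext_type != EXT_SERVER_NAME:
        return None
    data = ext[4:]
    if ext_len != len(data) or ext_len < 2:
        raise ValueError("extension length mismatch")
    if struct.unpack_from("!H", data)[0] != ext_len - 2:
        raise ValueError("server_name_list length mismatch")
    pos = 2
    while pos < len(data):
        if pos + 3 > len(data):
            raise ValueError("truncated ServerName entry")
        name_type, name_len = struct.unpack_from("!BH", data, pos)
        pos += 3
        if pos + name_len > len(data):
            raise ValueError("host name overruns the list")
        if name_type == NAME_TYPE_HOST:
            return data[pos:pos + name_len].decode("ascii").lower()
        pos += name_len
    return None

# Constructed virtual-host table: two names sharing one network address.
VHOST_CERTS = {"shop.example": "cert-shop", "mail.example": "cert-mail"}

def select_certificate(ext, default="cert-default"):
    """Pick the certificate for the requested name; the name arrives in the
    unencrypted ClientHello, so treat it as untrusted input."""
    host = parse_sni_extension(ext)
    return VHOST_CERTS.get(host, default)
```
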
Please run this software on a test machine. It's a test release. If you encounter any problems with the cryptography of this beta build, please file a bug here: https://bugzilla.mozilla.org/ (or contact me directly at blord at redhat)
The schedule for FF2 is at http://wiki.mozilla.org/Firefox2/Schedule and shows an August final release, but there's also a link to an online calendar that shows the final bits shipping at the end of September.
We continue to work towards FIPS 140-2 level 2 validation for the NSS crypto libraries. When that effort is completed and NIST awards NSS the new validation certificates, people in the U.S. Government (and other places that value FIPS 140 validation) will be able to use the latest versions of Firefox and Thunderbird.