Ram A M wrote:
If one wanted to achieve a useful distinction, then I suggest warning
when an SSL v2
protocol site is struck, as at least then a real issue is being
addressed.
I have SSL2 disabled and AFAIK it has not limited my access to sites in
a long time. Perhaps it is time to retire SSL2 in the default config.
There's some incompatibility that means that the
default is set to be SSL2, while there are a few
sites out there that still are stuck on SSL2 as
server-side protocols.
Nelson explained this a while ago ... until the
browsers go to SSL3 / TLS 1.0 they cannot handle
virtual hosts.
So my suggestion at the time was to simply set a
time schedule and state in a PR that Firefox
switches over to TLS 1.0 at a certain date, and
sites using SSL2 would suffer.
(name them and shame them, I say. Take no
prisoners!)
The other browsers would no doubt follow suit.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security