Peter Gutmann wrote:

I've had several pieces of mail asking for clarification of my original
statement about Verisign, here's how to see this yourself:

1. Disable SSLv2 in your browser (i.e. take it to the state that it should
   have been shipped in in the first place).

Right. Perhaps we should file a bug?

2. Go to https://www.networksolutions.com/

With Mozilla I get an error to say that I can't connect because SSLv2 is
disabled.  With MSIE it just hangs forever trying to connect, with no
indication of what's wrong ("Thank Bill kids.  Thaaaaanks, Bill").  I can't
remember any more which banking sites had problems with the same thing, it was
last year some time, but the Verisign/NS issue is fairly well known (at least
among SSL'ers) and they don't seem interested in fixing it.


Well, if they are not interested in fixing it,
maybe it's time to realise that Verisign does
what it wants and everyone else doesn't matter.
Meanwhile, we can't use virtual SSL domains.
Thanks Verisign, the fact that market expansion
isn't in your interest has not escaped our
attention ....

Here's what I suggest:  Mozilla announces that
as of X date/distro the default will be to switch
off SSL v2.  It can still be enabled manually for
those sites that are stuck in the dark ages,
but gee, we could also add a popup warning for
those sites too, if we're serious about things.

Next, name these sites.  Put up a warning that
certain known sites still limit to SSL v2 and
that this is an old, outdated protocol with
old outdated bugs and users should be more than
normally careful.  Tell users to file a bug with
those sites.

List them.  Ask securityspace and netcraft to
start publishing stats on who is still using
only SSLv2.

iang


--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
