On Thursday 19 May 2005 12:07, Kikx wrote:
> Considering that it's a lack of security and allows man in the middle
> attack (down negotiation only) and even if you would like to use TLS or
> SSL3 an attacker can just force you to go to SSL2 and then to use a
> very weak encryption without any warning ...
>
> I really think that Mozilla should disable SSL2 or warn a lot when
> asking in SSL3 and the server responds in SSL2 !!!

Yes, you are not alone. Gerv recently posted for internal Mozilla consumption (I think) a proposal to test this more formally.

http://weblogs.mozillazine.org/gerv/archives/008157.html

Spread the word ... turn off SSLv2 everywhere manually. In servers, browsers, etc. If any problems come to light, we can then at least examine them and decide what to do, but given the terribly low numbers of SSL v2 only servers out there (under 2%) I don't see that there will be a problem.

iang
--
Advances in Financial Cryptography:
https://www.financialcryptography.com/mt/archives/000458.html
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security