Mozilla Firefox to Drop Support for SSL 2.0

Plans are afoot to remove support for SSL version 2.0 in Mozilla Firefox. SSL provides encrypted connections to servers, making it safe to transfer data such as credit card numbers and banking details across the Internet. Unfortunately, there are a number of known security flaws in SSL 2.0, which was the first public version of the protocol (no applications shipped with support for SSL 1.0). Therefore, the Mozilla Foundation is eager to disable support for SSL 2.0 and have all Firefox installations use only the newer and more secure SSL 3.0 and TLS 1.0 protocols.

It is believed that very few secure sites support only SSL 2.0, with most secure sites supporting at least SSL 3.0. In May, Gervase Markham asked for developers and quality assurance contributors to report any sites that only support SSL 2.0 to get an idea of numbers. A list of popular sites has now been assembled and Gerv is now asking for volunteers to contact the maintainers of sites that only support SSL 2.0 and persuade them to embrace SSL 3.0 and/or TLS 1.0. According to Gerv's post, there are around 2,000 sites that support only SSL 2.0. This figure came down from 10,000 after a large ISP reconfigured its servers.

Netscape Communications Corporation introduced SSL 2.0 with the launch of Netscape Navigator 1.0 in 1994. Netscape Navigator 2.0 included support for SSL 3.0 when it was released in 1996. The specification for TLS 1.0, essentially a standardised version of SSL 3.0 with some differences, was published in 1999.

Talkback

http://www.mozillazine.org/talkback.html?article=7252