Bug 307271 (ssl2)

Eradicate SSL 2.0-only servers from the Internet

RESOLVED FIXED

Status

defect
P1
normal
RESOLVED FIXED
14 years ago
4 years ago

People

(Reporter: djcater+bugzilla, Unassigned)

Tracking

({meta})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: ssl2, URL)

Attachments

(2 attachments)

(Reporter)

Description

14 years ago
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20050902 Firefox/1.6a1

See URL: http://weblogs.mozillazine.org./gerv/archives/2005/09/ssl2_must_die.html

Aim: Persuade various ISPs/hosting companies/webmasters to include SSL 3/TLS
support on their servers in addition/as a replacement to SSL 2.0. Netcraft have
provided us with statistics of fairly popular websites which use SSL 2.0 only,
and I've weeded out the bogus entries to come up with a list of 102 sites.
Tweaking it, we get 92 unique domains, and further analysis shows that they are
in 76 unique networks. This probably means that we need 76 bugs for each
site/domain/network if they are part of one.

To help out with a particular bug, firstly disable SSL 2.0 (Preferences ->
Advanced -> Security -> Protocols -> Use SSL 2.0 in the latest-trunk builds) and
check to see that it doesn't work. You should see an error 'Alert' stating: "You
cannot connect to xxx.xxx.xxx because SSL version 2 is disabled."

If not, resolve the bug as WORKSFORME. All sites listed have problems at the
time of filing.

Then attempt to find a contact e-mail address. To do this you can re-enable SSL
2 and search the site looking for a webmaster or other address. A better way is
to see if they say who is hosting their website, then contact them, as it is
likely that they have more than one server with this problem (colocation is
different, and individual server administrators need to be contacted).

If you can't find anything, try using Netcraft: http://searchdns.netcraft.com./
Search for 'site ends with' and then the domain name. Look for the 'Netblock
owner' in the results, and see if you can find a contact address for them.

I hope to get some kind of standard letter created and attached. It should
explain the problems with SSL 2 and how to fix them on Apache 1.3 and 2 at
least. It should explain that at some point Firefox will disable support, losing
them a possible 10% (at present) visitors. Mentioning that other browsers may do
a similar thing should get them moving.

Perhaps sneak a little Firefox advertisement in there too...
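
The check described above (connect with SSL 2.0 disabled and see whether the site still answers) comes down to reading the first bytes of the server's reply. The following is an added example, not part of the original bug report, that classifies those bytes as an SSL 2.0 record or an SSL 3.0/TLS record; the `triage` helper, its return strings and the sample byte strings are constructed for illustration.

```python
# Added example (not from the bug): classify a server's first handshake bytes.
TLS_NAMES = {0: "SSL 3.0", 1: "TLS 1.0", 2: "TLS 1.1", 3: "TLS 1.2"}

def classify_server_reply(data: bytes) -> str:
    """Name the protocol of the first record a server sends after a ClientHello."""
    if len(data) < 3:
        return "incomplete"
    # SSL 3.0/TLS record: content type (0x15 alert, 0x16 handshake), major version 3.
    if data[0] in (0x15, 0x16) and data[1] == 3:
        record = TLS_NAMES.get(data[2], f"3.{data[2]}")
        if data[0] == 0x15:
            return f"{record} alert"
        # Handshake type 0x02 is ServerHello; bytes 9-10 carry the chosen version.
        # (TLS 1.3 servers also put 3.3 here; the real version is in an extension.)
        if len(data) >= 11 and data[5] == 0x02 and data[9] == 3:
            return TLS_NAMES.get(data[10], f"3.{data[10]}") + " ServerHello"
        return f"{record} handshake"
    # SSL 2.0 record: high bit set means a 2-byte length header, then message type.
    if data[0] & 0x80:
        length = ((data[0] & 0x7F) << 8) | data[1]
        msg_type = data[2]
        # MSG-SERVER-HELLO (4): hit flag, cert type, then 2-byte version 0x0002.
        if msg_type == 4 and len(data) >= 7 and data[5:7] == b"\x00\x02":
            return "SSL 2.0 ServerHello"
        if msg_type == 0 and length == 3:  # MSG-ERROR plus 2-byte error code
            return "SSL 2.0 error"
    return "unknown"

def triage(reply_to_v3_hello: bytes) -> str:
    """Hypothetical helper mirroring the bug's check with SSL 2.0 disabled."""
    label = classify_server_reply(reply_to_v3_hello)
    if label.endswith("ServerHello") and not label.startswith("SSL 2.0"):
        return "WORKSFORME"
    return "still failing without SSL 2.0"

# Constructed sample replies (not captured from any real site).
SSL2_HELLO = bytes.fromhex("801e0400010002000000030010") + b"\x07\x00\xc0" + bytes(16)
TLS10_HELLO = bytes.fromhex("160301002a020000260301") + bytes(32) + bytes.fromhex("00002f00")
TLS_ALERT = bytes.fromhex("15030100020228")
SSL2_ERROR = bytes.fromhex("8003000001")

if __name__ == "__main__":
    for name, raw in [("ssl2 hello", SSL2_HELLO), ("tls1.0 hello", TLS10_HELLO),
                      ("tls alert", TLS_ALERT), ("ssl2 error", SSL2_ERROR), ("closed", b"")]:
        print(f"{name:13} {classify_server_reply(raw):22} {triage(raw)}")
```
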
(Reporter)

Comment 1

14 years ago
The list of sites for which bugs need to be filed and sites contacted. I will
get round to filing all the bugs soon. They will block this bug.
(Reporter)

Updated

14 years ago
Alias: ssl2
Priority: -- → P1
Whiteboard: ssl2
(Reporter)

Updated

14 years ago
Depends on: 307275
(Reporter)

Updated

14 years ago
Blocks: 236933
(Reporter)

Updated

14 years ago
Depends on: 307900
(Reporter)

Updated

14 years ago
Depends on: 307914
(Reporter)

Updated

14 years ago
Depends on: 307916
(Reporter)

Updated

14 years ago
Depends on: 307918

Updated

14 years ago
Depends on: 308444

Updated

14 years ago
Depends on: 308446

Updated

14 years ago
Depends on: 308449

Updated

14 years ago
Depends on: 308451

Updated

14 years ago
Depends on: 308453

Updated

14 years ago
Depends on: 308454

Updated

14 years ago
Depends on: 308456

Updated

14 years ago
Depends on: 308459

Comment 2

14 years ago
Hi, I have read this bug and the MozillaZine entry [sort of] and I understand
what the plan is and why.

However, I'm getting a number of Tech Evang issues filed for sites that should
upgrade from SSL2.

I don't know if this bug is the right place to take this issue, but AFAIK SSL2
_IS_ a valid standard. Just that we drop support for it based on security
reasons doesn't make it a Tech Evang issue. Any thoughts?

Updated

14 years ago
Depends on: 308461

Updated

14 years ago
Depends on: 308462
(Reporter)

Comment 3

14 years ago
The MozillaZine article was a bit sensationalist. Mozilla is not going to drop
support for SSL2. It is a valid (albeit deprecated) standard, and will continue
to be supported. The plan is to disable support by default. It can easily be
enabled again. See the bug that this blocks, bug 236933. The reason that this
bug blocks it is because Mozilla will not disable support until a large
percentage of sites have alternatives in place (SSL3, TLS1 etc.)

I hope that answers your question. As this bug does exist and has been approved,
I can think of no better product to place it under.

Updated

14 years ago
Depends on: 308594

Updated

14 years ago
Depends on: 308604

Updated

14 years ago
Depends on: 308605

Updated

14 years ago
Depends on: 308607

Updated

14 years ago
Depends on: 308608

Updated

14 years ago
Depends on: 308610

Updated

14 years ago
Depends on: 308611

Updated

14 years ago
Depends on: 308612

Updated

14 years ago
Depends on: 308614

Updated

14 years ago
Depends on: 308616

Updated

14 years ago
Depends on: 308617

Updated

14 years ago
Depends on: 308618

Updated

14 years ago
Depends on: 308619

Updated

14 years ago
Depends on: 308620

Updated

14 years ago
Depends on: 308621

Patrick: I think Tech Evang is the right place, because we are doing technical
evangelism :-) Tech Evang is about making people make changes that make their
sites work better with Firefox - even pre-emptive ones.

Gerv
(Reporter)

Updated

14 years ago
Depends on: 308693
(Reporter)

Updated

14 years ago
Depends on: 308694
(Reporter)

Updated

14 years ago
Depends on: 308695
(Reporter)

Comment 5

14 years ago
Quick update:

I have reported some of the priority 1 bugs, and Patrick Fey
<bugzilla@fey-network.de> has reported the others, as well as all of the P2 bugs.

I filed bug 308693 and bug 308694 in with the priority 1 bugs, as they are no
different save the error message. They still don't work without SSL2 and do with it.

Bug 308695 WFM without having been contacted. Yay :)

And from attachment 195067, ics.vodafone.ie (https://ics.vodafone.ie/) now
works. Previously the site was down, so I don't know whether it always worked,
or whether it's been fixed, but it's another working site, so :)

I'm debating whether to file separate bugs on:

"The Connection was Interrupted"
      apuc.cert.fnmt.es
      netc-sso.cnet.navy.mil
      
"Error Code: -12227"
      tcadmin.geotrust.com

The problems are unrelated to SSL2, but still cause abnormal effects in the
browser IMO.

That leaves 44 bugs to be filed (priorities 3, 4 and 5).

Comment 6

14 years ago
(In reply to comment #5)

> I have reported some of the priority 1 bugs, and Patrick Fey
> <bugzilla@fey-network.de> has reported the others, as well as all of the P2
> bugs.

Have those bugs just been reported, or the admins already been contacted? Or the
other way round, will (should) it be mentioned in the particular bugs if the
admins have been contacted?

And does a form letter for contacting them exist or is it work in progress?
(Reporter)

Updated

14 years ago
Depends on: 310777
(Reporter)

Updated

14 years ago
Depends on: 310779
(Reporter)

Updated

14 years ago
Depends on: 310780
(Reporter)

Updated

14 years ago
Depends on: 310781
(Reporter)

Updated

14 years ago
Depends on: 310782
(Reporter)

Updated

14 years ago
Depends on: 310783
(Reporter)

Updated

14 years ago
Depends on: 310784
(Reporter)

Updated

14 years ago
Depends on: 310785
(Reporter)

Updated

14 years ago
Depends on: 310787
(Reporter)

Updated

14 years ago
Depends on: 310789
(Reporter)

Updated

14 years ago
Depends on: 310791
(Reporter)

Updated

14 years ago
Depends on: 310792
(Reporter)

Updated

14 years ago
Depends on: 310795
(Reporter)

Updated

14 years ago
Depends on: 310796
(Reporter)

Updated

14 years ago
Depends on: 310797
(Reporter)

Comment 7

14 years ago
I've just filed all Priority 3 bugs, leaving 29 bugs to still be filed.

(In reply to comment #6)
> Have those bugs just been reported, or the admins already been contacted? Or the
> other way round, will (should) it be mentioned in the particular bugs if the
> admins have been contacted?
> 
> And does a form letter for contacting them exist or is it work in progress?

Christian, no work has started on any of the bugs yet.
http://www.mozilla.org/projects/tech-evangelism/site/procedures.html explains
the procedures followed for Tech Evangelism bugs.

As for letters, there isn't really one for these bugs yet.
http://www.mozilla.org/projects/tech-evangelism/site/letters.html are the normal
Tech Evangelism letters. Those are old and not entirely relevant, but they have
some good points in there.

Basically you need to highlight that their current implementation is not as
secure as it should be and that in future their sites may not work unless they
solve the issue. Referencing the bug about their site is probably a good idea.
(Reporter)

Comment 8

14 years ago
Posted image Screenshot of error
Screenshot of the error shown when trying to connect to a SSL2-only site with
SSL2 disabled.

Comment 9

14 years ago
(In reply to comment #8)
> Screenshot of the error shown when trying to connect to a SSL2-only site with
> SSL2 disabled.
 
Probably not part of this bug, but that particular error message doesn't help
the novice user very much. For starters, it's not clear if this is a problem of
the web page or firefox [ie., the server or the client]. Furthermore, it doesn't
give any steps towards solving the problem for the user.

Can't we have an error page instead of a dialog, a la the error page for
non-existing pages?

Updated

14 years ago
Depends on: 310806

Updated

14 years ago
Depends on: 310807

Updated

14 years ago
Depends on: 310808

Updated

14 years ago
Depends on: 310810

Updated

14 years ago
Depends on: 310811

Updated

14 years ago
Depends on: 310812

Updated

14 years ago
Depends on: 310813

Updated

14 years ago
Depends on: 310814

Updated

14 years ago
Depends on: 310815

Updated

14 years ago
Depends on: 310816

Updated

14 years ago
Depends on: 310818

Updated

14 years ago
Depends on: 310819

Updated

14 years ago
Depends on: 310820

Updated

14 years ago
Depends on: 310822

Updated

14 years ago
Depends on: 310823

Comment 10

14 years ago
I've just filed all Priority 4 bugs, leaving the last 14 bugs to be filed.

Updated

14 years ago
Depends on: 311312

Updated

14 years ago
Depends on: 311313

Updated

14 years ago
Depends on: 311314

Updated

14 years ago
Depends on: 311315

Updated

14 years ago
Depends on: 311316

Updated

14 years ago
Depends on: 311317

Updated

14 years ago
Depends on: 311318

Updated

14 years ago
Depends on: 311320

Updated

14 years ago
Depends on: 311321

Updated

14 years ago
Depends on: 311322

Updated

14 years ago
Depends on: 311323

Updated

14 years ago
Depends on: 311324

Updated

14 years ago
Depends on: 311325

Updated

14 years ago
Depends on: 311326

Comment 11

14 years ago
Filed all Priority 5 bugs, so whole list is processed.

Comment 12

14 years ago
The IE-Team has just announced that they will drop support for ssl2 in IE7. We should mention this in any letter we write to sysadmins.

Quote from http://blogs.msdn.com/ie/archive/2005/10/22/483795.aspx

For Internet Explorer 7, the default HTTPS protocol settings will be changed to disable the weaker SSLv2 protocol and to enable the stronger TLSv1 protocol. Hence, by default, IE7 users will negotiate HTTPS connections using SSLv3 or TLSv1.

Generally, IE users will not notice any difference in the user-experience due to this change; it’s a silent improvement in security.  Our research indicates that there are only a handful of sites left on the Internet that require SSLv2.  Adding support for SSLv3 or TLSv1 to a website is generally a simple configuration change.
(Reporter)

Comment 13

14 years ago
(In reply to comment #12)
> The IE-Team has just announced that they will drop support for ssl2 in IE7. We
> should mention this in any letter we write to sysadmins.
> 

Good catch Patrick! I hadn't noticed this. Yes, this should be mentioned in any contact. If IE7 disables SSL2, sites will likely upgrade soon after it is released. This may mean we can WFM many of the bugs blocking this without any work. I knew Microsoft had some goodness in them somewhere... I'm going to comment in bug 236933.

Updated

13 years ago
Depends on: 328095

Once SSL 2 is turned off in Firefox, we can close this bug and ignore all the sites. When IE 7 is released, they'll sort themselves out soon enough :-) But, if people want to keep working and at least send a boilerplate warning email to webmaster@<site> for all of them, that would be nice too.

Gerv

Updated

13 years ago
Depends on: 330490

Updated

13 years ago
Depends on: 366157
(Reporter)

Updated

13 years ago
No longer depends on: 366157
(Reporter)

Updated

12 years ago
Depends on: 370823

Updated

12 years ago
Depends on: 387082
(Reporter)

Updated

11 years ago
Depends on: 455759
(Reporter)

Updated

11 years ago
Depends on: 455785
(Reporter)

Updated

11 years ago
No longer depends on: 330490

Looks like this can be closed now.
(Reporter)

Comment 16

10 years ago
Yeah OK. The only known site left is bug 311317. Woohoo!
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Tech Evangelism Graveyard