Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20050902 Firefox/1.6a1
See URL: http://weblogs.mozillazine.org./gerv/archives/2005/09/ssl2_must_die.html
Aim: Persuade various ISPs/hosting companies/webmasters to include SSL 3/TLS support on their servers in addition/as a replacement to SSL 2.0.
Netcraft have provided us with statistics of fairly popular websites which use SSL 2.0 only, and I've weeded out the bogus entries to come up with a list of 102 sites. Tweaking it, we get 92 unique domains, and further analysis shows that they are in 76 unique networks. This probably means that we need 76 bugs for each site/domain/network if they are part of one.
To help out with a particular bug, firstly disable SSL 2.0 (Preferences -> Advanced -> Security -> Protocols -> Use SSL 2.0 in the latest-trunk builds) and check to see that it doesn't work. You should see an error 'Alert' stating: "You cannot connect to xxx.xxx.xxx because SSL version 2 is disabled." If not, resolve the bug as WORKSFORME. All sites listed have problems at the time of filing.
Then attempt to find a contact e-mail address. To do this you can re-enable SSL 2 and search the site looking for a webmaster or other address. A better way is to see if they say who is hosting their website, then contact them, as it is likely that they have more than one server with this problem (colocation is different, and individual server administrators need to be contacted).
If you can't find anything, try using Netcraft: http://searchdns.netcraft.com./ Search for 'site ends with' and then the domain name. Look for the 'Netblock owner' in the results, and see if you can find a contact address for them.
I hope to get some kind of standard letter created and attached. It should explain the problems with SSL 2 and how to fix them on Apache 1.3 and 2 at least. It should explain that at some point Firefox will disable support, losing them a possible 10% (at present) visitors.
Mentioning that other browsers may do a similar thing should get them moving. Perhaps sneak a little Firefox advertisement in there too...
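The server-side change such a letter would describe for Apache with mod_ssl, as an added example that is not part of the original bug report. It assumes a 2005-era mod_ssl build, where `all` expands to SSLv2, SSLv3 and TLSv1, and the cipher string is one possible choice rather than a recommendation from this bug.

```apache
# Added example (not from the bug report). Place in the server config or
# the <VirtualHost> block that carries "SSLEngine on".

# Before: the server offers SSL 2.0 only, so a client with SSL 2.0
# disabled cannot complete a handshake.
# SSLProtocol SSLv2

# After: keep every protocol mod_ssl knows about except SSL 2.0,
# i.e. SSL 3.0 and TLS 1.0 on builds of this era.
SSLProtocol all -SSLv2

# Also remove the cipher suites that exist only in SSL 2.0, along with
# anonymous and export-grade suites.
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:+HIGH:+MEDIUM:+LOW
```

After restarting the server, repeat the check from the description with SSL 2.0 disabled in the browser; the page should load instead of raising the "SSL version 2 is disabled" alert.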
The list of sites for which bugs need to be filed and sites contacted. I will get round to filing all the bugs soon. They will block this bug.
Hi, I have read this bug and the mozillazine entry [sort of] and I understand what the plan is and why. However, I'm getting a number of Tech Evang issues filed for sites that should upgrade from SSL2. I don't know if this bug is the right place to take this issue, but AFAIK SSL2 _IS_ a valid standard. Just that we drop support for it based on security reasons doesn't make it a Tech Evang issue. Any thoughts?
The MozillaZine article was a bit sensationalist. Mozilla is not going to drop support for SSL2. It is a valid (albeit deprecated) standard, and will continue to be supported. The plan is to disable support by default. It can easily be enabled again. See the bug that this blocks, bug 236933. The reason that this bug blocks it is because Mozilla will not disable support until a large percentage of sites have alternatives in place (SSL3, TLS1 etc.) I hope that answers your question. As this bug does exist and has been approved, I can think of no better product to place it under.
Patrick: I think Tech Evang is the right place, because we are doing technical evangelism :-) Tech Evang is about making people make changes that make their sites work better with Firefox - even pre-emptive ones. Gerv
Quick update: I have reported some of the priority 1 bugs, and Patrick Fey <email@example.com> has reported the others, as well as all of the P2 bugs.
I filed bug 308693 and bug 308694 in with the priority 1 bugs, as they are no different save the error message. They still don't work without SSL2 and do with it.
Bug 308695 WFM without having been contacted. Yay :)
And from attachment 195067, ics.vodafone.ie (https://ics.vodafone.ie/) now works. Previously the site was down, so I don't know whether it always worked, or whether it's been fixed, but it's another working site, so :)
I'm debating whether to file separate bugs on:
"The Connection was Interrupted"
apuc.cert.fnmt.es
netc-sso.cnet.navy.mil
"Error Code: -12227"
tcadmin.geotrust.com
The problems are unrelated to SSL2, but still cause abnormal effects in the browser IMO.
That leaves 44 bugs to be filed (priorities 3, 4 and 5).
(In reply to comment #5)
> I have reported some of the priority 1 bugs, and Patrick Fey
> <firstname.lastname@example.org> has reported the others, as well as all of the P2
> bugs.
Have those bugs just been reported, or the admins already been contacted? Or the other way round, will (should) it be mentioned in the particular bugs if the admins have been contacted?
And does a form letter for contacting them exist or is it work in progress?
I've just filed all Priority 3 bugs, leaving 29 bugs to still be filed.
(In reply to comment #6)
> Have those bugs just been reported, or the admins already been contacted? Or the
> other way round, will (should) it be mentioned in the particular bugs if the
> admins have been contacted?
>
> And does a form letter for contacting them exist or is it work in progress?
Christian, no work has started on any of the bugs yet. http://www.mozilla.org/projects/tech-evangelism/site/procedures.html explains the procedures followed for Tech Evangelism bugs.
As for letters, there isn't really one for these bugs yet. http://www.mozilla.org/projects/tech-evangelism/site/letters.html are the normal Tech Evangelism letters. Those are old and not entirely relevant, but they have some good points in there. Basically you need to highlight that their current implementation is not as secure as it should be and that in future their sites may not work unless they solve the issue. Referencing the bug about their site is probably a good idea.
Screenshot of the error shown when trying to connect to a SSL2-only site with SSL2 disabled.
(In reply to comment #8)
> Screenshot of the error shown when trying to connect to a SSL2-only site with
> SSL2 disabled.
Probably not part of this bug, but that particular error message doesn't help the novice user very much. For starters, it's not clear if this is a problem of the web page or firefox [ie., the server or the client]. Furthermore, it doesn't give any steps towards solving the problem for the user. Can't we have an error page instead of a dialog, a la the error page for non-existing pages?
I've just filed all Priority 4 bugs, leaving the last 14 bugs to be filed.
Filed all Priority 5 bugs, so whole list is processed.
The IE-Team has just announced that they will drop support for ssl2 in IE7. We should mention this in any letter we write to sysadmins.
Quote from http://blogs.msdn.com/ie/archive/2005/10/22/483795.aspx
For Internet Explorer 7, the default HTTPS protocol settings will be changed to disable the weaker SSLv2 protocol and to enable the stronger TLSv1 protocol. Hence, by default, IE7 users will negotiate HTTPS connections using SSLv3 or TLSv1. Generally, IE users will not notice any difference in the user-experience due to this change; it's a silent improvement in security. Our research indicates that there are only a handful of sites left on the Internet that require SSLv2. Adding support for SSLv3 or TLSv1 to a website is generally a simple configuration change.
(In reply to comment #12)
> The IE-Team has just announced that they will drop support for ssl2 in IE7. We
> should mention this in any letter we write to sysadmins.
>
Good catch Patrick! I hadn't noticed this. Yes, this should be mentioned in any contact. If IE7 disables SSL2, sites will likely upgrade soon after it is released. This may mean we can WFM many of the bugs blocking this without any work. I knew Microsoft had some goodness in them somewhere... I'm going to comment in bug 236933.
Once SSL 2 is turned off in Firefox, we can close this bug and ignore all the sites. When IE 7 is released, they'll sort themselves out soon enough :-) But, if people want to keep working and at least send a boilerplate warning email to webmaster@<site> for all of them, that would be nice too. Gerv
Looks like this can be closed now.
Yeah OK. The only known site left is bug 311317. Woohoo!
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Tech Evangelism Graveyard