Status

P3
normal
VERIFIED WONTFIX
18 years ago
2 years ago

People

(Reporter: junruh, Assigned: ddrinan0264)

Tracking

1.0 Branch
Future

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

18 years ago
1.) Start with a new profile.
2.) Edit > Prefs > Privacy/Security > SSL
What is expected: SSL2 should be off by default.
What happens: SSL2 is on.

Comment 1

18 years ago
I'm not sure we can turn off SSL2 by default in the Netscape builds. Setting
target to 2.0 to get it on the radar.
Target Milestone: --- → 2.0
(Reporter)

Comment 2

18 years ago
At least we can add user_pref("security.enable_ssl2", false); to the 
security-prefs.js file so that new profiles will have SSL2 turned off by 
default.

Comment 3

18 years ago
Since there are some high profile sites which still support only SSL 2 (e.g. 
Schwab) I don't think we can turn off SSL 2 for https by default yet.

Comment 4

18 years ago
Before we turn off SSL 2 by default, we would have to go through a period of
time where we by default issue warnings upon encountering an SSL 2 site.  I
wouldn't want to turn on such a warning until the low-bit crypto warning has
been out for a while.

I would be willing to write up an off-by-default SSL 2 warning if we're willing
to add yet another SSL pref.  We would have to figure out what such a warning
would say.

Comment 5

18 years ago
John, that's an interesting assertion (that we must provide an additional
warning for some period of time before turning it off by default).
But I'm not sure I agree.

When I visit https://investing.schwab.com/trading/drawminiquote/ with 
Communicator (with SSL2 disabled), I get this message:

> This site only supports SSL version 2.  You can enable
> support for SSL version 2 by selecting Security Info from
> the Communicator menu and opening the Navigator section.

I submit that if N6/mozilla has a similar warning (including instructions 
on how to enable SSL2) and we publicize our intent to disable SSL2 well
beforehand, that should suffice.

Comment 6

18 years ago
Adding Jeremy Loeb for comments.

Comment 7

18 years ago
If we support SSL3 and TLS, then I think it won't be too often that a user would 
need to enable SSL2. That being said, I guess there are high-profile sites like 
Schwab that still only support SSL2, and need to upgrade. Maybe we should work 
on them rather than leave SSL2 on by default and open ourselves up to a possible 
security-firedrill down the road.

It is also not **too** big of a deal (I don't think) to place a warning like 
John said, and have people manually switch on SSL2. 

Copying Chris Nalls as an evangelist who may know the current number of 
high-profile SSL2-only sites on the web. 
(Assignee)

Comment 8

18 years ago
->Future
Target Milestone: 2.0 → Future
(Reporter)

Comment 9

18 years ago
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
(Reporter)

Comment 10

17 years ago
Update: https://investing.schwab.com/trading/start is still using only SSL2. 
However, PSM now gives a warning that explains how to turn on SSL2 when a site 
like Schwab cannot be reached.
Can we now add user_pref("security.enable_ssl2", false); to the 
security-prefs.js file so that new profiles will have SSL2 turned off by 
default?
Component: Daemon → Client Library
OS: Windows NT → All
Priority: -- → P3
QA Contact: ckritzer → junruh
Hardware: PC → All
Version: 2.0 → 2.1
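
An added example, not part of the bug report or of Mozilla's code: a small Node.js check that reads the text of a prefs file and reports the effective value of security.enable_ssl2, the pref line proposed in Comments 2 and 10. The function names, the sample file contents, the last-assignment-wins rule, and the treatment of a missing pref as enabled (the default reported in the Description) are assumptions.

```javascript
// Remove // and /* */ comments, leaving string literals (e.g. URLs) untouched.
function stripComments(src) {
  let out = "", i = 0, quote = null;
  while (i < src.length) {
    const c = src[i], next = src[i + 1];
    if (quote) {                                   // inside a string literal
      out += c;
      if (c === "\\") { out += next ?? ""; i += 2; continue; }
      if (c === quote) quote = null;
      i++;
    } else if (c === '"' || c === "'") {
      quote = c; out += c; i++;
    } else if (c === "/" && next === "/") {        // line comment: skip to EOL
      while (i < src.length && src[i] !== "\n") i++;
    } else if (c === "/" && next === "*") {        // block comment
      const end = src.indexOf("*/", i + 2);
      i = end === -1 ? src.length : end + 2;
    } else { out += c; i++; }
  }
  return out;
}

// Effective value of a boolean pref. Assumption: the last assignment in the
// file wins; if the pref is absent, the caller-supplied default applies.
function effectiveBoolPref(src, name, defaultValue) {
  const re = /\b(?:user_pref|pref)\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;/g;
  let value = defaultValue, source = "default";
  for (const m of stripComments(src).matchAll(re)) {
    if (m[1] === name) { value = m[2] === "true"; source = m[0]; }
  }
  return { value, source };
}

// Constructed sample, not taken from a real profile.
const SAMPLE_PREFS = [
  '// user_pref("security.enable_ssl2", false);  (commented out, ignored)',
  'user_pref("browser.startup.homepage", "http://example.test/");',
  'user_pref("security.enable_ssl2", true);',
  '/* user_pref("security.enable_ssl2", false); */',
].join("\n");

// Default of true reflects the behaviour reported in this bug (SSL2 on).
const before = effectiveBoolPref(SAMPLE_PREFS, "security.enable_ssl2", true);
const after = effectiveBoolPref(
  SAMPLE_PREFS + '\nuser_pref("security.enable_ssl2", false);',
  "security.enable_ssl2", true);
console.log("SSL2 enabled before:", before.value, "after:", after.value);
```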
(Reporter)

Comment 11

16 years ago
Wontfix. Consider reopening when SSL2 is turned off by default in other 
browsers.
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → WONTFIX
(Reporter)

Comment 12

16 years ago
V
Status: RESOLVED → VERIFIED

Updated

14 years ago
Component: Security: UI → Security: UI
Product: PSM → Core

Updated

11 years ago
Version: psm2.1 → 1.0 Branch
Product: Core → Core Graveyard