1.) Start with a new profile.
2.) Edit > Prefs > Privacy/Security > SSL
What is expected: SSL2 should be off by default.
What happens: SSL2 is on.
I'm not sure we can turn off SSL2 by default in the Netscape builds. Setting target to 2.0 to get it on the radar.
Target Milestone: --- → 2.0
At least we can add user_pref("security.enable_ssl2", false); to the security-prefs.js file so that new profiles will have SSL2 turned off by default.
Since there are some high profile sites which still support only SSL 2 (e.g. Schwab) I don't think we can turn off SSL 2 for https by default yet.
Before we turn off SSL 2 by default, we would have to go through a period of time where we by default issue warnings upon encountering an SSL 2 site. I wouldn't want to turn on such a warning until the low-bit crypto warning has been out for a while. I would be willing to write up an off-by-default SSL 2 warning if we're willing to add yet another SSL pref. We would have to figure out what such a warning would say.
John, that's an interesting assertion (that we must provide an additional warning for some period of time before turning it off by default). But I'm not sure I agree. When I visit https://investing.schwab.com/trading/drawminiquote/ with Communicator (with SSL2 disabled), I get this message:

> This site only supports SSL version 2. You can enable
> support for SSL version 2 by selecting Security Info from
> the Communicator menu and opening the Navigator section.

I submit that if N6/mozilla has a similar warning (including instructions on how to enable SSL2) and we publicize our intent to disable SSL2 well beforehand, that should suffice.
Adding Jeremy Loeb for comments.
If we support SSL3 and TLS, then I think it won't be too often that a user would need to enable SSL2. That being said, I guess there are high-profile sites like Schwab that still only support SSL2, and need to upgrade. Maybe we should work on them rather than leave SSL2 on by default and open ourselves up to a possible security fire drill down the road. It is also not **too** big of a deal (I don't think) to place a warning like John said, and have people manually switch on SSL2. Copying Chris Nalls as an evangelist who may know the current number of high-profile SSL2-only sites on the web.
Target Milestone: 2.0 → Future
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
Update: https://investing.schwab.com/trading/start is still using only SSL2. However, PSM now gives a warning that explains how to turn on SSL2 when a site like Schwab cannot be reached. Can we now add user_pref("security.enable_ssl2", false); to the security-prefs.js file so that new profiles will have SSL2 turned off by default?
Component: Daemon → Client Library
OS: Windows NT → All
Priority: -- → P3
QA Contact: ckritzer → junruh
Hardware: PC → All
Version: 2.0 → 2.1
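The comments above turn on one setting, `user_pref("security.enable_ssl2", false);` in `security-prefs.js`. A way to audit whether a given profile actually carries that setting is a small parser for the Mozilla prefs-file syntax. The following is an added example written for this page, not code from the bug or from the Mozilla tree; the sample prefs text is constructed, and the rule "a missing pref counts as SSL2 still enabled" is an assumption that mirrors the build defaults the comments complain about.

```python
import re

# Constructed sample of a Mozilla-style prefs file (security-prefs.js / prefs.js).
# This content is an assumption for the example, not a file from the bug report.
SAMPLE_PREFS = '''\
// Mozilla User Preferences
/* comments may also use C-style blocks */
user_pref("security.enable_ssl2", false);
user_pref("security.enable_ssl3", true);
user_pref("security.enable_tls", true);
user_pref("security.warn_entering_weak", true);
pref("general.useragent.locale", "en-US");
'''

# One pref()/user_pref() statement per line: name in quotes, then a value.
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.+?)\s*\)\s*;\s*$'
)


def _parse_value(raw):
    """Convert the textual pref value into bool, int or str."""
    raw = raw.strip()
    if raw == "true":
        return True
    if raw == "false":
        return False
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"')
    try:
        return int(raw)
    except ValueError:
        return raw  # leave anything unrecognised as the raw token


def parse_prefs(text):
    """Return {name: value} for every pref()/user_pref() line, ignoring comments."""
    # Drop block comments first, then walk the remaining lines.
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    prefs = {}
    for line in text.splitlines():
        if line.lstrip().startswith('//'):
            continue
        m = PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def ssl2_disabled(text):
    """True only when security.enable_ssl2 is explicitly set to false.

    A missing pref is reported as NOT disabled: in the builds discussed in the
    bug the compiled-in default left SSL2 on, so only an explicit false counts.
    (Assumed behaviour for this example.)
    """
    return parse_prefs(text).get("security.enable_ssl2") is False


if __name__ == "__main__":
    state = "off" if ssl2_disabled(SAMPLE_PREFS) else "ON"
    print("SSL2 in sample profile:", state)
    for name, value in sorted(parse_prefs(SAMPLE_PREFS).items()):
        print(f"  {name} = {value!r}")
```

Point `parse_prefs` at the text of a real profile's `prefs.js` to get the same report; the parser deliberately treats only an explicit `false` as "disabled", so a profile that never mentions the pref is flagged rather than silently passed.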
Wontfix. Consider reopening when SSL2 is turned off by default in other browsers.
Status: NEW → RESOLVED
Last Resolved: 16 years ago
Resolution: --- → WONTFIX
Status: RESOLVED → VERIFIED