Closed Bug 307271 (ssl2) Opened 19 years ago Closed 15 years ago

Eradicate SSL 2.0-only servers from the Internet

Categories: Tech Evangelism Graveyard :: English US, defect, P1
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: djcater+bugzilla; Assignee: Unassigned
Keywords: meta
Whiteboard: ssl2
Attachments: 2 files

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9a1) Gecko/20050902 Firefox/1.6a1

See URL: http://weblogs.mozillazine.org./gerv/archives/2005/09/ssl2_must_die.html

Aim: Persuade various ISPs/hosting companies/webmasters to include SSL 3/TLS
support on their servers in addition/as a replacement to SSL 2.0. Netcraft have
provided us with statistics of fairly popular websites which use SSL 2.0 only,
and I've weeded out the bogus entries to come up with a list of 102 sites.
Tweaking it, we get 92 unique domains, and further analysis shows that they are
in 76 unique networks. This probably means that we need 76 bugs for each
site/domain/network if they are part of one.

To help out with a particular bug, firstly disable SSL 2.0 (Preferences ->
Advanced -> Security -> Protocols -> Use SSL 2.0 in the latest-trunk builds) and
check to see that it doesn't work. You should see an error 'Alert' stating: "You
cannot connect to xxx.xxx.xxx because SSL version 2 is disabled."

If not, resolve the bug as WORKSFORME. All sites listed have problems at the
time of filing.

Then attempt to find a contact e-mail address. To do this you can re-enable SSL
2 and search the site looking for a webmaster or other address. A better way is
to see if they say who is hosting their website, then contact them, as it is
likely that they have more than one server with this problem (colocation is
different, and individual server administrators need to be contacted).

If you can't find anything, try using Netcraft: http://searchdns.netcraft.com./
Search for 'site ends with' and then the domain name. Look for the 'Netblock
owner' in the results, and see if you can find a contact address for them.

I hope to get some kind of standard letter created and attached. It should
explain the problems with SSL 2 and how to fix them on Apache 1.3 and 2 at
least. It should explain that at some point Firefox will disable support, losing
them a possible 10% (at present) visitors. Mentioning that other browsers may do
a similar thing should get them moving.

Perhaps sneak a little Firefox advertisement in there too...
The list of sites for which bugs need to be filed and sites contacted. I will
get round to filing all the bugs soon. They will block this bug.
Alias: ssl2
Priority: -- → P1
Whiteboard: ssl2
Depends on: 307275
Blocks: 236933
Depends on: 307900
Depends on: 307914
Depends on: 307916
Depends on: 307918
Depends on: 308444
Depends on: 308446
Depends on: 308449
Depends on: 308451
Depends on: 308453
Depends on: 308454
Depends on: 308456
Depends on: 308459
Hi, I have read this bug and the mozillazine entry [sort of] and I understand
what the plan is and why.

However, I'm getting a number of Tech Evang issues filed for sites that should
upgrade from SSL2.

I don't know if this bug is the right place to take this issue, but AFAIK SSL2
_IS_ a valid standard. Just that we drop support for it based on security
reasons doesn't make it a Tech Evang issue. Any thoughts?
Depends on: 308461
Depends on: 308462
The MozillaZine article was a bit sensationalist. Mozilla is not going to drop
support for SSL2. It is a valid (albeit deprecated) standard, and will continue
to be supported. The plan is to disable support by default. It can easily be
enabled again. See the bug that this blocks, bug 236933. The reason that this
bug blocks it is because Mozilla will not disable support until a large
percentage of sites have alternatives in place (SSL3, TLS1 etc.)

I hope that answers your question. As this bug does exist and has been approved,
I can think of no better product to place it under.
Depends on: 308594
Depends on: 308604
Depends on: 308605
Depends on: 308607
Depends on: 308608
Depends on: 308610
Depends on: 308611
Depends on: 308612
Depends on: 308614
Depends on: 308616
Depends on: 308617
Depends on: 308618
Depends on: 308619
Depends on: 308620
Depends on: 308621
Patrick: I think Tech Evang is the right place, because we are doing technical
evangelism :-) Tech Evang is about making people make changes that make their
sites work better with Firefox - even pre-emptive ones.

Gerv
Depends on: 308693
Depends on: 308694
Depends on: 308695
Quick update:

I have reported some of the priority 1 bugs, and Patrick Fey
<bugzilla@fey-network.de> has reported the others, as well as all of the P2 bugs.

I filed bug 308693 and bug 308694 in with the priority 1 bugs, as they are no
different save the error message. They still don't work without SSL2 and do with it.

Bug 308695 WFM without having been contacted. Yay :)

And from attachment 195067, ics.vodafone.ie (https://ics.vodafone.ie/) now
works. Previously the site was down, so I don't know whether it always worked,
or whether it's been fixed, but it's another working site, so :)

I'm debating whether to file separate bugs on:

"The Connection was Interrupted"
      apuc.cert.fnmt.es
      netc-sso.cnet.navy.mil
      
"Error Code: -12227"
      tcadmin.geotrust.com

The problems are unrelated to SSL2, but still cause abnormal effects in the
browser IMO.

That leaves 44 bugs to be filed (priorities 3, 4 and 5).
(In reply to comment #5)

> I have reported some of the priority 1 bugs, and Patrick Fey
> <bugzilla@fey-network.de> has reported the others, as well as all of the P2
> bugs.

Have those bugs just been reported, or the admins already been contacted? Or the
other way round, will (should) it be mentioned in the particular bugs if the
admins have been contacted?

And does a form letter for contacting them exist or is it work in progress?
Depends on: 310777
Depends on: 310779
Depends on: 310780
Depends on: 310781
Depends on: 310782
Depends on: 310783
Depends on: 310784
Depends on: 310785
Depends on: 310787
Depends on: 310789
Depends on: 310791
Depends on: 310792
Depends on: 310795
Depends on: 310796
Depends on: 310797
I've just filed all Priority 3 bugs, leaving 29 bugs to still be filed.

(In reply to comment #6)
> Have those bugs just been reported, or the admins already been contacted? Or the
> other way round, will (should) it be mentioned in the particular bugs if the
> admins have been contacted?
> 
> And does a form letter for contacting them exist or is it work in progress?

Christian, no work has started on any of the bugs yet.
http://www.mozilla.org/projects/tech-evangelism/site/procedures.html explains
the procedures followed for Tech Evangelism bugs.

As for letters, there isn't really one for these bugs yet.
http://www.mozilla.org/projects/tech-evangelism/site/letters.html are the normal
Tech Evangelism letters. Those are old and not entirely relevant, but they have
some good points in there.

Basically you need to highlight that their current implementation is not as
secure as it should be and that in future their sites may not work unless they
solve the issue. Referencing the bug about their site is probably a good idea.
Attached image Screenshot of error
Screenshot of the error shown when trying to connect to a SSL2-only site with
SSL2 disabled.
(In reply to comment #8)
> Screenshot of the error shown when trying to connect to a SSL2-only site with
> SSL2 disabled.
 
Probably not part of this bug, but that particular error message doesn't help
the novice user very much. For starters, it's not clear if this is a problem of
the web page or firefox [ie., the server or the client]. Furthermore, it doesn't
give any steps towards solving the problem for the user.

Can't we have an error page instead of a dialog, a la the error page for
non-existing pages?

Depends on: 310806
Depends on: 310807
Depends on: 310808
Depends on: 310810
Depends on: 310811
Depends on: 310812
Depends on: 310813
Depends on: 310814
Depends on: 310815
Depends on: 310816
Depends on: 310818
Depends on: 310819
Depends on: 310820
Depends on: 310822
Depends on: 310823
I've just filed all Priority 4 bugs, leaving the last 14 bugs to be filed.
Depends on: 311312
Depends on: 311313
Depends on: 311314
Depends on: 311315
Depends on: 311316
Depends on: 311317
Depends on: 311318
Depends on: 311320
Depends on: 311321
Depends on: 311322
Depends on: 311323
Depends on: 311324
Depends on: 311325
Depends on: 311326
Filed all Priority 5 bugs, so whole list is processed.
The IE-Team has just announced that they will drop support for ssl2 in IE7. We should mention this in any letter we write to sysadmins.

Quote from http://blogs.msdn.com/ie/archive/2005/10/22/483795.aspx

For Internet Explorer 7, the default HTTPS protocol settings will be changed to disable the weaker SSLv2 protocol and to enable the stronger TLSv1 protocol. Hence, by default, IE7 users will negotiate HTTPS connections using SSLv3 or TLSv1.

Generally, IE users will not notice any difference in the user-experience due to this change; it’s a silent improvement in security.  Our research indicates that there are only a handful of sites left on the Internet that require SSLv2.  Adding support for SSLv3 or TLSv1 to a website is generally a simple configuration change.
(In reply to comment #12)
> The IE-Team has just announced that they will drop support for ssl2 in IE7. We
> should mention this in any letter we write to sysadmins.
> 

Good catch Patrick! I hadn't noticed this. Yes, this should be mentioned in any contact. If IE7 disables SSL2, sites will likely upgrade soon after it is released. This may mean we can WFM many of the bugs blocking this without any work. I knew Microsoft had some goodness in them somewhere... I'm going to comment in bug 236933.
Depends on: 328095
Once SSL 2 is turned off in Firefox, we can close this bug and ignore all the sites. When IE 7 is released, they'll sort themselves out soon enough :-) But, if people want to keep working and at least send a boilerplate warning email to webmaster@<site> for all of them, that would be nice too.

Gerv
Depends on: 330490
Depends on: 366157
No longer depends on: 366157
Depends on: 370823
Depends on: 387082
Depends on: 455759
Depends on: 455785
No longer depends on: 330490
Looks like this can be closed now.
Yeah OK. The only known site left is bug 311317. Woohoo!
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Tech Evangelism Graveyard