Sunday, September 04, 2005

Mozilla and Firefox dumping SSL2.0

Well, it looks like Mozilla is dumping SSL2.0, and with that comes the loss of SSL2.0 in Firefox as well. This means supporting code will be gone, and a very few sites will break; but fortunately, most sites support SSL3.0.

I say good riddance to bad rubbish, and may it rot in Hell forever. Some info about SSL2.0, it can be attacked a lot easier than SSL3.0. A man-in-the-middle attack can be used to force 40-bit weak encryption; and message authentication hashes use 40-bits even for 128-bit ciphers. There's a couple other weaknesses that more or less are considered immaterial or minimally useful, but being able to break the cipher invisibly and snoop the traffic is a major, major downer.

A little history lesson, The Data Encryption Standard, with 56-bit keys, was broken by a $250,000 device in a little over 2 days; ironically, 56 hours counts as "a little over 2 days," but this is just coincidental. Today's computers can do a 40-bit symmetric key in under a couple weeks, if not days. Credit card sniffing is useful in minor incriments; you can pick up a dozen credit cards in a month and have a good $50,000 limit right there. More powerful computers can be done in around $1000 to do it in much less time.

I say everyone makes sure SSL2.0 is disabled in Firefox as soon as possible. They're dropping it; get used to it. Complain to the webmasters if your stuff stops working; enable it only if it's needed for your business or job to function.

SSL3.0 has a compatibility feature which allows fallback to SSL2.0 if the client or server can't support SSL3.0. Having SSL2.0 available means that SSL3.0 connections can be man-in-the-middled to fall back to SSL2.0, as the flaws in SSL2.0 are perfectly possible until the last phase of the SSL3.0 hello. From there, the connection can be man-in-the-middled to use a 40-bit key, as it's now SSL2.0. The attacker now only needs a few hours on a newer system to break the key.


Blogger John said...

Wrote this then didn't publish it for several days. Oops? Yeah this is old news.

12:32 PM  
Blogger wow power leveling said...

Why was there no follow on bankruptcy then? The bailout of AIG FP went to (wow power leveling) hedge funds that bound credit swaps on Lehman failing or others betting on rating (wow power leveling) declines. AIG has drained over 100 billion from the government. Which had to go to those who bet on failures and downgrades. Many of whom (power leveling)were hedge funds. I-banks that had offsetting swaps needed the money from the AIG bailout or they would have been caught. Its an (wow powerleveling) insiders game and it takes just a little bit too much time for most people to think (wow gold) through where the AIG 100 billion bailout money went to, hedge funds and players, many of whom hire from the top ranks of DOJ, Fed, Treasury, CAOBO
wow goldwow goldwow goldwow gold CAOBO

9:49 PM  
Blogger Business Loans said...

I recently came across your post and have been reading along. I thought I would leave my first comment. I wonder how this pertains to Business Loans? I don't know what to say except that it caught my interest and you've provided informative points. I will visit this blog often.
Thank you,

8:32 PM  
Blogger office said...

The Tax Return Crack-Up<4>
Realizing he might have dug himself in there,Microsoft Office 2010the general emphasized that Office 2010he had spent some time as a junior Office 2007officer working "very closely Microsoft Officewith the Israeli air force" and that heMicrosoft Office 2007had found that "more cosmopolitan,Office 2007 key liberal version of the Israeli population" Office 2007 downloadto be just chock full Office 2007 Professionalof that sort of "goodwill" necessary Windows 7to give a bunch of land back Microsoft outlook 2010to the Palestinians.

4:02 AM  

Post a Comment

<< Home