
Re: [LUG] ssl cracked


On Wed, Dec 31, 2008 at 10:07:39AM +0000, Tom Potts wrote:
> In firefox you can choose:
> use ssl2.0
> use ssl3.0
> use tls1.0
> which of these allow md5?

Extract from Wikipedia

http://en.wikipedia.org/wiki/Secure_Sockets_Layer

SSL v2 is flawed in a variety of ways:

* Identical cryptographic keys are used for message authentication and encryption.
* MACs are unnecessarily weakened in the "export mode" required by U.S. export 
restrictions (symmetric key length was limited to 40 bits in Netscape and Internet 
Explorer).
* SSL v2 has a weak MAC construction and relies solely on the MD5 hash function.
* SSL v2 does not have any protection for the handshake, meaning a man-in-the-middle 
downgrade attack can go undetected.
* SSL v2 uses the TCP connection close to indicate the end of data. This means that 
truncation attacks are possible: the attacker simply forges a TCP FIN, leaving the 
recipient unaware of an illegitimate end of data message (SSL v3 fixes this problem 
by having an explicit closure alert).
* SSL v2 assumes a single service, and a fixed domain certificate, which clashes 
with the standard feature of virtual hosting in webservers. This means that most 
websites are practically impaired from using SSL. TLS/SNI fixes this but is not 
deployed in webservers as yet.

SSL v2 is disabled by default in Internet Explorer 7,[4] Mozilla Firefox 2 and 
Mozilla Firefox 3,[5] and Safari. After it sends a TLS ClientHello, if Mozilla 
Firefox finds that the server is unable to complete the handshake, it will attempt 
to fall back to using SSL 3.0 with an SSL 3.0 ClientHello in SSL v2 format to 
maximize the likelihood of successfully handshaking with older servers.[6] Support 
for SSL v2 (and weak 40-bit and 56-bit ciphers) has been removed completely from 
Opera as of version 9.5.[7]



-- 
Henry
Photocopies or faxes of my signature are not binding. 
This email has been signed with an electronic signature in accordance with 
subsection 7(3) of the Electronic Communications Act 2000.
Digital Key Signature: GPG RSA 0xFB447AA1 
Wed Dec 31 15:15:29 GMT 2008

Attachment: signature.asc
Description: Digital signature
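An added example, not part of Henry's message or the Wikipedia extract: a Python parser that tells the SSLv2-format ClientHello described above (the fallback Firefox sends to older servers) apart from an SSLv3/TLS-format one, and names any SSLv2 cipher kinds it offers, every one of which relies on MD5, so a defender reviewing a capture can inventory clients that still send v2-format hellos. The two sample hellos are constructed inline, and the names (classify_client_hello, SSLV2_CIPHER_KINDS) are my own.

```python
import struct

# SSLv2 cipher-kind codes from the SSL 2.0 spec; every one of them uses an MD5 MAC.
SSLV2_CIPHER_KINDS = {
    0x010080: "SSL_CK_RC4_128_WITH_MD5",
    0x020080: "SSL_CK_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL_CK_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL_CK_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL_CK_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL_CK_DES_192_EDE3_CBC_WITH_MD5",
}

def classify_client_hello(data: bytes) -> dict:
    """Report record format, version offered and cipher list of a ClientHello."""
    if data[0] & 0x80:
        # SSLv2 record: 2-byte header, high bit set, 15-bit length, no padding.
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if body[0] != 0x01:
            raise ValueError("not an SSLv2 CLIENT-HELLO")
        version, cs_len, _sid_len, _chal_len = struct.unpack(">HHHH", body[1:9])
        specs = body[9:9 + cs_len]                   # 3 bytes per cipher spec
        ciphers = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
        return {"format": "sslv2", "version": version, "ciphers": ciphers,
                "v2_md5_kinds": [SSLV2_CIPHER_KINDS[c] for c in ciphers if c in SSLV2_CIPHER_KINDS]}
    if data[0] == 0x16 and data[5] == 0x01:
        # SSLv3/TLS record (type 0x16 handshake) carrying a ClientHello (type 0x01).
        hs = data[9:]                                # skip 5-byte record + 4-byte handshake header
        version = struct.unpack(">H", hs[:2])[0]
        pos = 35 + hs[34]                            # 2 version + 32 random + 1 session-id length
        cs_len = struct.unpack(">H", hs[pos:pos + 2])[0]
        suites = hs[pos + 2:pos + 2 + cs_len]        # 2 bytes per cipher suite
        ciphers = [int.from_bytes(suites[i:i + 2], "big") for i in range(0, cs_len, 2)]
        return {"format": "tls", "version": version, "ciphers": ciphers, "v2_md5_kinds": []}
    raise ValueError("not a ClientHello in either record format")

# Constructed sample: SSLv2-format hello offering SSL 3.0 with one SSLv2 cipher
# kind (RC4-128/MD5) and one SSLv3 suite written in v2 form (0x00 prefix).
_V2_BODY = (b"\x01" + struct.pack(">HHHH", 0x0300, 6, 0, 16)
            + bytes.fromhex("010080000004") + b"\x00" * 16)
SSLV2_FORMAT_HELLO = bytes([0x80 | (len(_V2_BODY) >> 8), len(_V2_BODY) & 0xFF]) + _V2_BODY

# Constructed sample: TLS 1.0 hello with two suites and null compression.
_TLS_HS = (struct.pack(">H", 0x0301) + b"\x00" * 32 + b"\x00"
           + struct.pack(">H", 4) + bytes.fromhex("002f0035") + b"\x01\x00")
TLS_FORMAT_HELLO = (b"\x16\x03\x01" + struct.pack(">H", 4 + len(_TLS_HS))
                    + b"\x01" + len(_TLS_HS).to_bytes(3, "big") + _TLS_HS)
```

Run classify_client_hello on each sample to see the v2-format hello flagged with its MD5-only cipher kind while the TLS-format hello reports none.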

-- 
The Mailing List for the Devon & Cornwall LUG
http://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/linux_adm/list-faq.html