Secure browsing like it's 1995
By Audun Mathias Øygardamoygardopera. Thursday, March 17, 2011 1:41:47 PM
For background, SSL 2.0 as a security protocol was obsolete already in 1996. That's fifteen (15) years ago. Opera stopped supporting SSL 2.0 in 9.0 and physically removed the code for it from 9.5. Internet Explorer, Firefox and Chrome still support it, but you'll have to enable it manually, and both Firefox and Chrome have hidden the options for enabling it. SSL 2.0 is simply not a secure protocol anymore. Granted, some of the servers supporting SSL 2.0 will give a friendly warning that you shouldn't use SSL 2.0. Still, wouldn't it be easier to just not support SSL 2.0 in the first place?
Presumably focusing on exactly this issue, IETF just released an RFC that prohibits TLS clients and servers from offering a SSL 2.0 connection for backwards compatibility.
Another problem we discovered is that most sites still support weak ciphers, that is, ciphers with 40 or 56 bits encryption. Weak ciphers are also a remnant of the nineties and were removed from all browsers around 2000/2001, when it was proven that the encryption was possible to break within 24 hours with the right hardware. With today's hardware it would probably be feasible to break this encryption within minutes.
There are no known vulnerabilities if sites support weak ciphers or SSL 2.0 in addition to SSL 3.0 and TLS 1.x, as long as the client only supports strong ciphers and SSL 3.0 or higher. It may create possibilities for downgrade attacks, however, for instance if users have misconfigured their browser.
To be fair, the reason that sites still support old standards might be default configurations of the servers, not a conscious choice by those setting up the sites. Isn't it time to disable it by default in Apache webservers, just to mention one?
In other news, while we could not see any servers that only supported SSL 2.0, we did see a couple of servers that only supported SSL 3.0, altogether 1% of all secure servers. Please note that we reported a higher number, 1.6%, a few months ago. This was due to an error in the way we tested for TLS 1.0—some servers chose SSL 3.0 instead. The proper number is and was 1%. Many of these sites appear to be outdated or abandoned, but some seem to be up and running. We even saw a few banks, as usual. Time to update those servers, folks?
From old standards to new standards, here's the status for renegotiation patching as of this week:
We've reached 50% (or actually 50.8%), and most major server vendors have now released patches with the Renegotiation Indication Extension.
The breakdown per vendors looks as follows:
The vendors we know of that have not released patches yet are mostly frontends, such as SSL accelerators and load-balancers. One of the few we know the name of, because such frontends seldom identify themselves, is F5/Big-IP. We also had a look at which sites were patched. We expected the well-known sites (Alexa top 100) to be mostly patched by now, while many smaller sites, which might be less maintained, were not patched. However, large sites seem just as likely to not be patched! In fact, several well-known sites, such as Facebook and Yahoo!, have not yet patched their servers. Some banking sites, as reported by Kai Engert, haven't even disabled renegotiation, and are, therefore, fully vulnerable to an MITM attack! It seems there is still some way to go ...
- SSL 2.0 is still supported on around 63% of TLS/SSL servers, even though SSL 2.0 is an insecure and outdated encryption protocol.
- Weak ciphers are still supported on around 63.8% of TLS/SSL servers, even though weak ciphers are relatively easy to crack.
- 50% of all TLS/SSL servers have now implemented the Renegotiation Indication Extension which patches the TLS Renegotiation vulnerability reported over a year ago.
Any reasons you can come up with for still supporting SSL 2.0 or weak ciphers? Is it time for browsers to stop supporting SSL 3.0? Anything you'd like us to check on the status of the SSL/TLS servers worldwide? Let us know in the comments!