SSL (and TLS)
Friday 22nd December, 2006 19:25 Comments: 0
For Internet Explorer 7, the default HTTPS protocol settings were changed to disable the weaker SSLv2 protocol and to enable the stronger TLSv1 protocol (IE6 users can manually configure these stronger settings by using Internet Explorer's Tools | Internet Options | Advanced menu). By default, IE7 users will negotiate HTTPS connections using SSLv3 or TLSv1. Generally, IE users will not notice any difference in the user-experience due to this change; it's a silent improvement in security. Microsoft's research indicates that there are only a handful of sites left on the Internet that require SSLv2. Adding support for SSLv3 or TLSv1 to a website is generally a simple configuration change.
So it came as quite a surprise to read on The Register that BT broadband customers are unable to change their password if they've upgraded to the latest web browser versions. The browsers refuse to connect to what they consider to be an insecure version of SSL which the site is using. Attempting to visit BT's password changing site using IE 7 just gives a blank page, while Firefox 2 offers some explanation: Firefox can't connect securely to register.btinternet.com because the site uses an older, insecure, version of the SSL protocol. Opera 9 is the most helpful, with instructions on how to enable the insecure protocol. BT appeared unaware of the problem when we spoke to them, but has now said it's working on a fix. Funnily enough, register.btinternet.com was specifically mentioned to the Mozilla team back in 2002 for only supporting SSLv2. I guess they haven't updated their servers much in the last 4 years?
Developed by Netscape, a stable SSLv3 was released over a decade ago in November 1996, which later served as the basis for TLS version 1.0. The TLS Protocol Version 1.0 was published in 1999 and Version 1.1 was published earlier this year. I was glad to see that IE7 disabled SSLv2 support by default, bringing it in line with Opera and Mozilla (who, I think, both removed support over a year ago), as SSLv2 is cryptographically weak. People really should be using SSLv3 or TLS by now.
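The practical question behind the BT story is "what does this server actually speak?", and the answer is visible in the first record each side sends. The script below is an added example, not code from the original post or from any of the browsers or sites mentioned: it tells SSLv2 record framing apart from SSLv3/TLS record framing, pulls the offered version and cipher list out of a CLIENT-HELLO or SERVER-HELLO, and reports whether a browser with SSLv2 disabled (the IE7/Firefox 2/Opera 9 behaviour described above) would continue. The three sample records are hand-constructed for this example; the zero-filled challenge, random and certificate fields are placeholders, not captured traffic.

```python
"""Classify captured SSL/TLS handshake records by protocol version.

Added example (not from the original post).  SSLv2 records carry no
content-type byte: the top bit of the first byte is set and the low 15 bits
are the length, followed by the message type.  SSLv3/TLS records start with
a content type (0x16 = handshake), a two-byte version and a two-byte length.
"""
import struct

VERSION_NAMES = {(0, 2): "SSLv2", (3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1"}
SSLV2_CLIENT_HELLO, SSLV2_SERVER_HELLO = 0x01, 0x04
TLS_HANDSHAKE, TLS_CLIENT_HELLO = 0x16, 0x01


def version_name(v):
    return VERSION_NAMES.get(v, "unknown(%d.%d)" % v)


def _sslv2_cipher_kinds(specs):
    # SSLv2 cipher kinds are 3 bytes each, e.g. 0x010080 = SSL_CK_RC4_128_WITH_MD5
    return [int.from_bytes(specs[i:i + 3], "big") for i in range(0, len(specs), 3)]


def _parse_sslv2_message(body):
    msg_type = body[0]
    if msg_type == SSLV2_CLIENT_HELLO:
        major, minor, cs_len, sid_len, chal_len = struct.unpack("!BBHHH", body[1:9])
        return {"framing": "SSLv2", "message": "CLIENT-HELLO", "version": (major, minor),
                "ciphers": _sslv2_cipher_kinds(body[9:9 + cs_len])}
    if msg_type == SSLV2_SERVER_HELLO:
        sid_hit, cert_type, major, minor, cert_len, cs_len, conn_len = \
            struct.unpack("!BBBBHHH", body[1:11])
        specs = body[11 + cert_len:11 + cert_len + cs_len]   # cipher kinds follow the certificate
        return {"framing": "SSLv2", "message": "SERVER-HELLO", "version": (major, minor),
                "ciphers": _sslv2_cipher_kinds(specs)}
    raise ValueError("unsupported SSLv2 message type 0x%02x" % msg_type)


def _parse_tls_handshake(body):
    if body[0] != TLS_CLIENT_HELLO:
        raise ValueError("unsupported handshake type 0x%02x" % body[0])
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    version = (hello[0], hello[1])            # client_version, not the record-layer version
    pos = 2 + 32                              # skip client_random
    pos += 1 + hello[pos]                     # skip session_id
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    ciphers = [struct.unpack("!H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    return {"framing": "SSLv3/TLS", "message": "ClientHello", "version": version, "ciphers": ciphers}


def parse_record(data):
    """Return a dict describing the first handshake message in `data`."""
    if len(data) < 3:
        raise ValueError("record too short")
    if data[0] & 0x80:                                     # SSLv2 two-byte header
        length = ((data[0] & 0x7F) << 8) | data[1]
        body = data[2:2 + length]
        if len(body) != length:
            raise ValueError("truncated SSLv2 record")
        return _parse_sslv2_message(body)
    if data[0] == TLS_HANDSHAKE:                           # SSLv3/TLS five-byte header
        major, minor, length = struct.unpack("!BBH", data[1:5])
        body = data[5:5 + length]
        if len(body) != length:
            raise ValueError("truncated SSLv3/TLS record")
        return _parse_tls_handshake(body)
    raise ValueError("not an SSL/TLS handshake record: first byte 0x%02x" % data[0])


def negotiable_without_sslv2(info, lowest=(3, 0)):
    """Would a peer with SSLv2 disabled carry on after seeing this message?

    Framing is not the test: an SSLv2-framed CLIENT-HELLO may still offer
    TLSv1.0 (the backward-compatible hello).  The version field is.
    """
    return info["version"] >= lowest


# Constructed sample 1: a genuine SSLv2 CLIENT-HELLO offering five cipher kinds.
SSLV2_CLIENT_HELLO_BYTES = bytes.fromhex(
    "8028"                        # SSLv2 header: high bit set, body length 40
    "01" "0002"                   # CLIENT-HELLO, version 0.2 = SSLv2
    "000f" "0000" "0010"          # cipher-specs len 15, session-id len 0, challenge len 16
    "010080020080030080060040" "0700c0"   # RC4-128, RC4-40, RC2-128, DES, 3DES (all MD5)
) + bytes(16)                     # challenge (placeholder; real clients send random bytes)

# Constructed sample 2: a TLSv1.0 ClientHello offering AES128-SHA and 3DES-SHA.
TLS10_CLIENT_HELLO_BYTES = bytes.fromhex(
    "16" "0301" "002f"            # handshake record, TLSv1.0, 47 bytes
    "01" "00002b"                 # ClientHello, 43 bytes
    "0301"                        # client_version TLSv1.0
) + bytes(32) + bytes.fromhex(    # client_random (placeholder)
    "00" "0004" "002f000a" "01" "00"   # no session id, 2 suites, null compression
)

# Constructed sample 3: what an SSLv2-only server answers (3-byte certificate placeholder).
SSLV2_SERVER_HELLO_BYTES = bytes.fromhex(
    "8021"                        # SSLv2 header, body length 33
    "04" "00" "01" "0002"         # SERVER-HELLO, no session hit, X.509, version SSLv2
    "0003" "0003" "0010"          # cert len 3, cipher-specs len 3, connection-id len 16
    "303030" "010080"             # certificate placeholder, one cipher kind: RC4-128-MD5
) + bytes(16)                     # connection id (placeholder)


if __name__ == "__main__":
    for name, raw in [("SSLv2 client", SSLV2_CLIENT_HELLO_BYTES),
                      ("TLS client", TLS10_CLIENT_HELLO_BYTES),
                      ("SSLv2-only server", SSLV2_SERVER_HELLO_BYTES)]:
        info = parse_record(raw)
        print("%-18s %-9s %-12s %-8s ciphers=%s ok=%s" % (
            name, info["framing"], info["message"], version_name(info["version"]),
            ["0x%06x" % c if info["framing"] == "SSLv2" else "0x%04x" % c for c in info["ciphers"]],
            negotiable_without_sslv2(info)))
```

Run against a capture of the first record from register.btinternet.com and the SERVER-HELLO comes back with framing "SSLv2" and version 0.2, which is exactly what IE7 and Firefox 2 refuse; a server that has had SSLv3 or TLSv1 enabled answers a TLS ClientHello with a 0x16 record instead. The same classifier works as a cheap inventory tool over a packet capture: anything whose first server record still parses as an SSLv2 SERVER-HELLO is on the list of sites that need the configuration change the IE team describes.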