Web Browser Developers Work Together on Security
Adam’s post earlier today on efforts to improve browser security, reminded me about this post on KDE.news. George Staikos hosted a meeting of developers from Opera, IE, Mozilla/Firefox and Konqueror with an aim towards improving browser security across the board. Of particular interest to me in light of my intro post, were these two lines:
1) “Prompted by Opera, we are moving towards the removal of SSLv2 from our browsers. IE will disable SSLv2 in version 7 and it has been completely removed in the KDE 4 source tree already.”
2) “KDE will furthermore look to remove 40 and 56 bit ciphers, and we will continually work toward preferring and enforcing stronger ciphers as testing shows that site compatibility is not adversely affected.”
Kudos, to all involved. It’s great to see some serious effort being made in this direction.
Part 2) above is security theatre, but Part 1) above is critical.
Removing SSL v2 from browsers (at least turning it off by default) is absolutely critical because of flaws in the way TLS (SSL v3) and SSL v2 interact. Basically if you start in SSL v2 you end up locked out of the advanced domain features of TLS. In TLS there is an ability to specify which domain you want in the HELLO message. This means the server is capable of sending you the correct certificate, and therefore can handle multiple domains on one port/IP.
The configuration and allocation of IP numbers for each secure webserver has been a big barrier to deployment of TLS in browsing – this then means that only the few, the well heeled applications can afford to use TLS which has made it rare (I run my blog shared with 3 other applications, and it is very annoying to users). This then means that users aren’t accustomed to TLS, tools don’t expect it and phishing is easy.
One big impact on phishing is to move many many more webservers over to TLS. Then Trustbar and Petname will work much better. It’s a tortured chain, I know, but we have to identify these barriers and knock them down. That’s one of the really important messages coming out of that meeting of the browser manufacturers.
Next step: Apache and IIS: do they support multiple certificates as yet? Last I heard, no.
BTW, there is a flaw in the comment script, it won’t let me enter a HTTPS URL. Just one of many bugs in the TLS deployment…