Despite the enormous success of SSL for securing web traffic, there has been little technical change in the way that SSL is used for secure HTTP in the ten years since SSL version 3 was introduced. Although SSL version 3 has been around since 1996, most browsers have continued to make connections compatible with the older SSL version 2 protocol. But now the major browser developers are aiming to drop SSL v2 completely; export-grade encryption ciphers are also to be dropped.
SSL version 2 was supported by Netscape 1.0, back in 1994, and it was made obsolete by SSL version 3, published in 1996. But while SSL version 3 was soon widely supported — and over 97% of HTTPS sites also support its successor, TLS — most browsers have continued to make SSL-v2-compatible connections, in order to stay compatible.
The Mozilla project first suggested disabling support for SSL v2 a year ago, and now also plans to drop weak ciphers. Internet Explorer 7 will disable support for SSL v2, and IE on Windows Vista will not support weak ciphers. And Opera version 9 will disable SSL v2 and weak ciphers.
Up until a year ago, when developers began talking about dropping SSL v2, there were still significant numbers of sites that only supported SSL v2. But server operators have got the message now. Out of the top 20,000 SSL sites (as ranked by users of the Netcraft Toolbar), only 20 sites (0.1%) require SSL version 2. This is reflected across the wider survey, with around 0.1% of sites requiring SSL v2.
Weak ciphers used to be commonplace, due to the export restrictions on strong cryptography from the US. In January 2000, Netcraft found that more than 40% of sites outside of the US were offering only weak encryption ciphers. Since then, however, this has become rare; on the one hand, relaxed export regulations mean that new products can include strong ciphers by default, while on the other, practical attacks against the weaker ciphers mean that they have been considered unsafe for many years. Out of the 20,000 top SSL sites, Netcraft's SSL survey found fewer than 40 (0.2%) which could only negotiate a weak cipher (here defined as one with a key length of less than 128 bits). Again this was consistent across the whole survey, with only around 0.2% out of all valid SSL sites negotiating a weak cipher.
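For server operators who want to apply the same definition to their own configuration, the following added example (not Netcraft's survey code) parses cipher listings in the column layout printed by `openssl ciphers -v` and reports which suites fall below 128 bits and whether a server could negotiate only weak ciphers. The host names and listings are constructed samples, and the function names are hypothetical.

```python
import re

# Constructed sample listings in the column layout printed by
# `openssl ciphers -v`; the host names are placeholders.
SAMPLE_SERVERS = {
    "legacy.example": (
        "EXP-RC4-MD5  SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export\n"
        "DES-CBC-SHA  SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1\n"
    ),
    "mixed.example": (
        "EXP-RC4-MD5  SSLv3 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export\n"
        "AES128-SHA   SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1\n"
        "DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1\n"
    ),
}

WEAK_BELOW_BITS = 128  # the article's threshold for a weak cipher
ENC_RE = re.compile(r"Enc=([^\s(]+)(?:\((\d+)\))?")


def parse_ciphers(listing):
    """Return (suite_name, protocol, key_bits) for each cipher line."""
    suites = []
    for line in listing.splitlines():
        fields = line.split()
        match = ENC_RE.search(line)
        if len(fields) < 2 or match is None:
            continue  # blank or unrecognised line
        # "Enc=None" (NULL suites) carries no bit count: treat as 0 bits.
        bits = int(match.group(2)) if match.group(2) else 0
        suites.append((fields[0], fields[1], bits))
    return suites


def audit(listing):
    """Classify one server's cipher list by key length alone."""
    suites = parse_ciphers(listing)
    weak = [name for name, _, bits in suites if bits < WEAK_BELOW_BITS]
    return {
        "weak": weak,
        # The survey's metric: the server can negotiate nothing stronger.
        "only_weak": bool(suites) and len(weak) == len(suites),
    }


if __name__ == "__main__":
    for host, listing in SAMPLE_SERVERS.items():
        print(host, audit(listing))
```

Key length is the only criterion applied, as in the article's definition, so a suite such as DES-CBC3-SHA (168 bits) is not flagged.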
Netcraft's SSL survey has been running since 1996. It tracks the growing use of secure web servers on the Internet, and the server software, operating systems and certificates that are used. Single user and company subscriptions are available, and custom datasets can be produced on request.
Posted by Colin Phipps in Security