Quick ssl question

[flamewalker]

Not sure if this is the right place... but heres the situation:

We have a customer who has a shopping cart and is using a third party to check our "security" and it is failing because we still have ssl 2.0 enabled. We have root certificates and certs and all that and we are concerned that if we disable 2.0 (leaving ssl 3 available), it might disable or disrupt our certificates which would be a bad thing cause none of the shopping carts will work...

So, what are the potentials of problems to disabling ssl 2.0? Is it 100% safe, with existing root certificates and customer certificates?

Thanks!

(PS if this is the wrong area a mod can feel free to move it!)

 

[DJ]

hm, difficult to say really. i would not state it will be 100% safe, but if i remember correctly, both microsoft and mozilla have dropped support for ssl 2.0 in their latest browsers. (http://developer.mozilla.org/en/docs/Security_in_Firefox_2 & http://blogs.msdn.com/ie/archive/20...lance-between-security-and-compatibility.aspx)

from the msdn blog:

SSL 2.0 deprecated

One place we faced a tough decision was with SSL 2.0. Contrary to what we expected, SSL 2.0 is still in use on a number of web servers around the world. The problem is that if a site chooses to use SSL 2.0 an attacker could decrypt a transaction between IE and a SSL 2.0 web server. We’ve never heard any reports of SSL 2.0 sites or users being exploited but we decided to keep SSL 2.0 disabled in IE7 to protect users from that threat. When we did hear of web servers running SSL 2.0, we contacted server administrators about upgrading to newer servers.

It’s important that your web server admin upgrade from SSL 2.0 if you haven’t already. If for some reason you still need to use SSL 2.0, you can ask your users to re-enable SSL 2.0 on the advanced tab of the Internet options control panel.