SSL v2 is not the only old encryption capability that is no longer supported by Opera 9.5, also known as Kestrel. We have also removed support for 40- and 56-bit encryption. Like SSL v2, these methods have been disabled by default since v9.0.
There are several reasons for this move:
- 40- and 56-bit encryption methods are "soooooooo" last century. These methods were defined as a way for US-based browser vendors to be able to distribute their SSL-enabled clients outside the US. This was necessary because the US government and several allies defined (and I believe still define) encryption as a weapon; it was, however, possible to get permission to export software that only supported 40-bit encryption (and later 56-bit), subject to a couple of other restrictions (there was an exception for financial services). The reason for the limit was, presumably, that the intelligence communities of these countries had the technology needed to break keys of that size. In 1999/2000 the restrictions were partially lifted, at least for mass-market products like browsers and email clients.
- 40- and 56-bit methods are dismally weak given today's technology. In mid-1998, 56-bit DES was broken in less than 56 hours, and less than half a year later that was reduced to 24 hours. Given today's technology, I expect the same can be done in less than 30 minutes with enough hardware, and 40-bit can probably be broken in less than a second. What this means is that these methods no longer provide any protection at all.
- Any server that only supports these methods is more than 8 years old, which means the actual security of the server, even ignoring the lack of encryption strength, is… questionable. To top it off, a number of Certificate Authorities sell "SGC" certificates that permit most US-produced and exported servers (and clients) to enable 128-bit encryption. These certificates were originally reserved for financial institutions, but after the crypto export restrictions were lifted they became available to all.
While I believe servers that only support 40/56-bit encryption are somewhat more common in absolute numbers (perhaps a few thousand) than SSL v2 servers, I can't remember hearing about any such site for over a year, despite the fact that the methods have been disabled by default for about that long in several browsers. That indicates that these servers are not visited by many people, if any. I think it is time to signal quite clearly to whatever sites are left that the technology they are using is obsolete.
If you do encounter a "secure" site that requires 40- or 56-bit encryption, what can you do? Well, I don't recommend it, but you can go back to Opera 9.2x and enable the weak ciphers. But before you do, perhaps you should ask the system administrator this question: "Why are you running the site with 8-year-old software?"
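To make the post's cipher-strength argument concrete, here is an added example in Python (mine, not Opera's code and not part of the original post). It flags cipher suites below 128 bits of effective key strength, shows which suite a client with weak ciphers disabled ends up with against a server that only offers 40/56-bit suites versus one that also has 128-bit AES (the SGC case), and checks the interpreter's own default TLS client for leftover weak suites. The suite lists, the HandshakeFailure class and the server-preference negotiation rule are assumptions constructed for illustration; the dict shape follows what ssl.SSLContext.get_ciphers() returns in Python 3.6+.

```python
"""Cipher-suite audit and negotiation walk-through.

Added example, not code from the original post or from Opera. It assumes cipher
descriptions shaped like the dicts returned by ssl.SSLContext.get_ciphers() in
Python 3.6+ ('name', 'protocol', 'strength_bits', 'alg_bits'). The suite lists
below are constructed for illustration, not captured from any real server.
"""
import ssl

# Anything below 128 bits of effective key strength is treated as obsolete,
# which is the line the post draws between export-grade and modern suites.
MIN_ACCEPTABLE_BITS = 128

# Constructed sample: the kind of list a late-1990s export-grade server offered.
# 'strength_bits' is the effective secret key length (40 or 56 bits), 'alg_bits'
# the nominal algorithm key size; export RC4 used a 128-bit RC4 key of which
# only 40 bits were secret.
LEGACY_SERVER_SUITES = [
    {"name": "EXP-RC4-MD5", "protocol": "SSLv3", "strength_bits": 40, "alg_bits": 128},
    {"name": "EXP1024-DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 56, "alg_bits": 56},
    {"name": "DES-CBC-SHA", "protocol": "SSLv3", "strength_bits": 56, "alg_bits": 56},
]

# Constructed sample: the same server after an "SGC" certificate let it enable
# 128-bit AES in addition to the export suites.
SGC_SERVER_SUITES = [
    {"name": "AES128-SHA", "protocol": "TLSv1", "strength_bits": 128, "alg_bits": 128},
] + LEGACY_SERVER_SUITES

# Constructed sample: what a client with the weak ciphers disabled still offers.
MODERN_CLIENT_SUITES = [
    {"name": "ECDHE-RSA-AES256-GCM-SHA384", "protocol": "TLSv1.2", "strength_bits": 256, "alg_bits": 256},
    {"name": "ECDHE-RSA-AES128-GCM-SHA256", "protocol": "TLSv1.2", "strength_bits": 128, "alg_bits": 128},
    {"name": "AES128-SHA", "protocol": "TLSv1", "strength_bits": 128, "alg_bits": 128},
]


class HandshakeFailure(Exception):
    """Raised when client and server share no cipher suite.

    A real TLS peer sends a fatal handshake_failure alert (alert number 40 in
    RFC 5246) and closes the connection; no application data is sent in clear.
    """
    alert_code = 40


def weak_suites(suites, min_bits=MIN_ACCEPTABLE_BITS):
    """Return the names of suites whose effective key strength is below min_bits."""
    return [s["name"] for s in suites if s["strength_bits"] < min_bits]


def negotiate(client_suites, server_suites):
    """Pick the suite a server would select, or raise HandshakeFailure.

    Assumption for this example: the server walks its own preference order and
    takes the first suite the client also offered (server-preference selection).
    """
    offered = {s["name"] for s in client_suites}
    for suite in server_suites:
        if suite["name"] in offered:
            return suite["name"]
    raise HandshakeFailure("no cipher suite in common (alert 40, handshake_failure)")


def audit_default_context():
    """List weak suites, if any, that this interpreter's default TLS client would offer."""
    ctx = ssl.create_default_context()
    return weak_suites(ctx.get_ciphers())


if __name__ == "__main__":
    print("weak suites on legacy server:", weak_suites(LEGACY_SERVER_SUITES))
    print("SGC-enabled server negotiates:", negotiate(MODERN_CLIENT_SUITES, SGC_SERVER_SUITES))
    try:
        negotiate(MODERN_CLIENT_SUITES, LEGACY_SERVER_SUITES)
    except HandshakeFailure as exc:
        print("legacy-only server: connection refused,", exc)
    print("weak suites in this Python's default client context:", audit_default_context())
```

Run it directly to see the three outcomes. The point of the failing case is that when no suite is shared the handshake aborts with a fatal alert before any application data is exchanged, so disabling the weak suites cannot silently downgrade a session to cleartext; the user gets an error page instead of a padlock.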
Scipio: If a server does not support any of the enabled/supported encryption methods then it is not possible to establish a connection and you get a TLS error page (fatal error 40).
So, what happens when someone visits a website on such a server is that data is transferred without any encryption at all rather than with weak encryption?
40-bit, 60-bit, and SSLv2 are so weak you might as well just use http anyways, because your data is about as secure. Don’t give yourself a false sense of security.
Thanks for the explanation, I didn’t know what would happen in those cases. Reading my question I realized it might have been read as a suggestive question (disapproving of this change in Opera Kestrel) but it wasn’t meant that way.
Windows Vista disables use of 40 and 56 bit crypto in SChannel, so IE7 on Vista doesn’t support those weak encryptions either. http://blogs.msdn.com/ie/archive/2006/03/15/552246.aspx
Actually, Windows Vista IE7 can support ssl 2.0. You have to checkmark it (to enable it) under advanced settings. There are still several thousands (maybe more) corporate firewall sites based on Novell Border Manager. If your workstation (within the above corporate site) does not have Novell client, then, you will have to enable this setting in your browser in order for you to go thru Border’s form-based authentication. If you do not enable ssl 2.0 on the browser, then, you can not access the border login webpage… which then means that your corporate user can not surf the internet.