Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?

会有一股神秘感。 Submitted on 2019-12-05 19:12:13

Modern browsers either don't appear to support SSLv2 at all (Google Chrome, Opera 9.52, Firefox) or have it disabled by default (IE7, IE8).

That said, are you concerned about losing business from people using much-less-than-modern web browsers?

Possibly more importantly, are you concerned about your customers' security? Even if they can only connect using SSLv2, do you want them performing secure transactions with you using a protocol that is known to be insecure (see Google)?

As a computer professional, I would not hesitate to recommend to management that SSLv2 be disabled. I would leave it up to the bean counters to determine whether they think the additional income is worth the potential liability.

No. The number of users with support for SSLv2 at all, much less SSLv2 only, is negligible. It has been obsolete since 1996, and is disabled or not even included in all modern browsers of significance.

Only you can really answer that question. Your customers' experience of your site will be mediated by their browser. The first place to look for browser information is at a listing of the user-agents that are being used to access your website. Hopefully you have a good log analyzer such as Analog, Weblog, Google Analytics, WebTrends, etc. This is the first place to look and should give you a good idea of the SSL level that your general community supports.

You may also want to alter your application to check for the SSL level supported by your users' browsers that get to the "complete ecommerce transaction" part of your website. This is the best method to determine if you are turning away customers.

Remember that the SSL level is auto-negotiated between the server and the client (best encryption used first) so you don't necessarily need to disable older versions, but you could pop up a message to the user encouraging them to upgrade.
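The log review suggested in the answer above, as an added example (not part of the original answers): it counts distinct clients per browser family on HTTPS requests in an IIS W3C Extended log. The sample log lines are constructed, and the code assumes the site logs the `c-ip`, `s-port` and `cs(User-Agent)` fields.

```python
import re
from collections import Counter

# Constructed sample in IIS W3C Extended Log Format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem s-port sc-status cs(User-Agent)
2008-10-01 10:00:01 192.0.2.10 GET /checkout.asp 443 200 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1)
2008-10-01 10:00:05 192.0.2.11 GET /default.asp 80 200 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.1)
2008-10-01 10:00:09 192.0.2.12 GET /checkout.asp 443 200 Mozilla/5.0+(Windows;+U)+Gecko/2008070208+Firefox/3.0.1
2008-10-01 10:00:12 192.0.2.13 GET /checkout.asp 443 200 Mozilla/4.0+(compatible;+MSIE+5.01;+Windows+98)
2008-10-01 10:00:15 192.0.2.10 GET /pay.asp 443 200 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1)
#Fields: date time c-ip s-port cs(User-Agent)
2008-10-02 09:00:00 192.0.2.14 443 -
"""

# Browser name plus major version, as it appears in common User-Agent strings.
FAMILY = re.compile(r"(MSIE) (\d+)|(Firefox|Opera|Chrome)/(\d+)")

def browser_family(user_agent):
    """Reduce a User-Agent string to 'Name Major', or 'other/unknown'."""
    m = FAMILY.search(user_agent)
    if not m:
        return "other/unknown"
    return f"{m.group(1) or m.group(3)} {m.group(2) or m.group(4)}"

def https_clients(lines, port="443"):
    """Count distinct client IPs per browser family on the HTTPS port."""
    fields, seen = [], {}
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # the field list can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("s-port") != port:
            continue                        # plain-HTTP hits say nothing about SSL
        # IIS writes spaces inside a field as '+'.
        ua = row.get("cs(User-Agent)", "-").replace("+", " ")
        seen.setdefault(browser_family(ua), set()).add(row.get("c-ip"))
    return Counter({family: len(ips) for family, ips in seen.items()})

if __name__ == "__main__":
    for family, clients in https_clients(SAMPLE_LOG.splitlines()).most_common():
        print(f"{clients:4d}  {family}")
```

The User-Agent shows only the browser generation, not the protocol version that was actually negotiated, so treat the tally as an upper bound on clients that might be affected.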

Presumably you use SSL to protect users from man-in-the-middle or other attacks, yes? SSLv2 is useless for this. Disable it -- the number of users who use a browser without SSLv3 or TLS support is vanishingly small, and it's easier to make them somebody else's problem than explain why somebody in Nigeria is using their credit card.
