This article is from the Secure Sockets Layer Discussion List FAQ, by Shannon Appel (SAppel@consensus.com), with numerous contributions by others.

1. SSL 2.0 is vulnerable to a "man-in-the-middle" attack. An
active attacker can invisibly edit the list of ciphersuite
preferences in the hello messages, forcing both client and
server to use 40-bit encryption. SSL 3.0 defends against this
attack by having the last handshake message include a hash of all
the previous handshake messages.
2. SSL 2.0 uses a weak MAC construction, although post-encryption
seems to stop attacks. This is fixed in 3.0.
3. SSL 2.0 feeds padding bytes into the MAC in block cipher modes,
but leaves the padding-length field unauthenticated, which could
allow active attackers to delete bytes from the end of messages.
This, too, is fixed in 3.0.
4. In SSL 3.0, the Message Authentication Hash uses a full 128 bits
of keying material, even when using an Export cipher. In SSL 2.0,
Message Authentication used only 40 bits when using an Export
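
The defence described in item 1, as an added example that is not part of the FAQ: a Python sketch of the SSL 3.0 Finished hash, using the MD5/SHA-1 construction and constants from the SSL 3.0 specification. The hello encoding, the master secret and the helper names are simplified, constructed assumptions.

```python
import hashlib
import hmac

# Constants from the SSL 3.0 specification (RFC 6101, section 5.6.9).
SENDER_CLIENT = bytes.fromhex("434C4E54")   # "CLNT"
PAD_LEN = {"md5": 48, "sha1": 40}           # pad1/pad2 repeat counts per hash

def _one_hash(alg, transcript, sender, master_secret):
    pad1 = b"\x36" * PAD_LEN[alg]
    pad2 = b"\x5c" * PAD_LEN[alg]
    inner = hashlib.new(alg, transcript + sender + master_secret + pad1).digest()
    return hashlib.new(alg, master_secret + pad2 + inner).digest()

def finished_hash(handshake_messages, sender, master_secret):
    """Finished value: MD5 and SHA-1 hashes over all previous handshake messages."""
    transcript = b"".join(handshake_messages)
    return (_one_hash("md5", transcript, sender, master_secret)
            + _one_hash("sha1", transcript, sender, master_secret))

def client_hello(suites):
    """Simplified hello (constructed encoding): version 3.0 + length-prefixed suite list."""
    body = b"".join(s.to_bytes(2, "big") for s in suites)
    return b"\x03\x00" + len(body).to_bytes(2, "big") + body

def server_accepts(offered, seen_by_server, master_secret):
    """True if the client's Finished matches the server's view of the handshake."""
    sent, received = client_hello(offered), client_hello(seen_by_server)
    # Server picks its first choice from the list it actually received.
    server_hello = b"\x03\x00" + seen_by_server[0].to_bytes(2, "big")
    client_fin = finished_hash([sent, server_hello], SENDER_CLIENT, master_secret)
    expected = finished_hash([received, server_hello], SENDER_CLIENT, master_secret)
    return hmac.compare_digest(client_fin, expected)

if __name__ == "__main__":
    master = bytes(range(48))                 # constructed 48-byte master secret
    offered = [0x000A, 0x0005, 0x0003]        # 3DES, RC4-128, export RC4-40
    print(server_accepts(offered, offered, master))    # hello arrived unmodified
    print(server_accepts(offered, [0x0003], master))   # suite list edited in transit
```

Because the two sides hash different hello bytes when the suite list is edited, the Finished check fails and the handshake is aborted instead of silently settling on the 40-bit suite.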

1. In SSL 2.0, the client can only initiate a handshake at the
beginning of the connection. In 3.0, the client can initiate a
handshake routine, even in the middle of an open session. A server
can request that the client start a new handshake. Thus, the
parties can change the algorithms and keys used whenever they want.
2. SSL 3.0 allows the server and client to send chains of
certificates. This allows organizations to use a certificate
hierarchy that is more than two certificates deep.
3. SSL 3.0 has a generalized key exchange protocol. It allows
Diffie-Hellman and Fortezza key exchanges and non-RSA certificates.
4. SSL 3.0 allows for record compression and decompression.

1. SSL 3.0 can recognize an SSL 2.0 client hello and fall back to
SSL 2.0. An SSL 3.0 client can also generate an SSL 2.0 client
hello with the version set to SSL 3.0, so SSL 3.0 servers will
continue the handshake in SSL 3.0, and an SSL 2.0 server will cause
the client to fall back to SSL 2.0.

1. SSL 3.0 separates the transport of data from the message layer.
In 2.0, each packet contained only one handshake message. In 3.0, a
record may contain part of a message, a whole message, or several
messages. This requires different logic to process packets into
handshake messages. Therefore, the formatting of the packets had to
be completely changed.
2. Cipher specifications, handshake messages, and other constants