We last discussed SSLv2 support on internet-exposed web servers about a year ago, when we discovered that there were still about 450 thousand web servers that supported this protocol left on the internet[1]. We also found that a significant portion of these servers was located in Kazakhstan, Tunisia and in the U.S.[2]

Since we are now less than a year from the 30th birthday of the SSL 2.0 protocol, I thought it might be interesting to revisit this topic and take a look at how the situation has changed over the past 12 months. As before, we will mostly use data gathered from Shodan using my TriOp tool to do so.

At first glance, it might seem that both the percentage of web servers supporting the aforementioned protocol, as well as the absolute number of them, have continued to decrease at a reasonable rate…

Nevertheless, a closer look shows, that although the trendlines still show a decreasing trend in the past twelve months, at this point in time, there seem to be only a slightly lower percentage of web servers that support SSL 2.0 than there were a year ago (0.319% twelve months ago vs. 0.307% now), and the overall number of servers seems to have actually  increased (from approximately 464 thousand a year ago to 492 thousand now).

This seems to have been caused by a steady increase in detections of SSLv2-enabled servers by Shodan in the past three months, and we can’t be certain whether this reflects the real state of affairs (i.e., if there are more servers that support SSL 2.0 than there were a year ago), or whether this is the result of improved detection capabilities on Shodan’s part (i.e., if Shodan sees “more” of what there actually is than it did a year ago).

In any case, as we mentioned before, the overall downwards trend seems to be holding, and the percentages are getting better.

This is also supported by the latest statistics from Qualys SSL Labs[3], which show that the service has only detected SSLv2 being supported on 171 sites (0.1% of all servers) it scanned in the course of May 2024, which is significantly lower than what we saw last year (248 sites/0.2% of all scanned servers).

To sum up, the trend of leaving the long-deprecated SSL 2.0 behind us is continuing, even if it has slowed down somewhat in the last year. Nevertheless, the fact that we still have between 450 and 500 thousand web servers on the internet, which support this protocol, is potentially problematic.

The issue is not really with the fact that SSL 2.0 is being supported by the servers, since probably no modern browser is even capable of using this protocol (at least, not in a default configuration), but it lies it the fact that if a server does still support this protocol, it is probably significantly outdated, and, thus, most likely, vulnerable.

Though, this is, of course, just the tip of the proverbial iceberg, when it comes to the larger technical debt that we, as a modern society, have created for ourselves, and which might come back to bite us at some point in the future…

[1] https://isc.sans.edu/diary/After+28+years+SSLv2+is+still+not+gone+from+the+internet+but+were+getting+there/29908
[2] https://isc.sans.edu/diary/Kazakhstan+the+worlds+last+SSLv2+superpower+and+a+country+with+potentially+vulnerable+lastmile+internet+infrastructure/29988
[3] https://www.ssllabs.com/ssl-pulse/

-----------
Jan Kopriva
@jk0pr | LinkedIn
Nettles Consulting