“Murray explained that these weak servers either support only
the flawed SSLv2 protocol, use weak encryption, or have expired or
self-signed digital certificates.”
“‘These weaknesses make the transactions that are protected by
these servers easy to attack with modern key-cracking and/or
hacking attacks,’ said Murray, who added that there is no good
reason for sites not to address the problems he has
highlighted.
“There is no technical or legal reason to limit secure servers
to using only SSLv2, since SSLv3, which corrects known weaknesses,
is available. Since US export regulations were relaxed in January
to allow the export of 128bit cryptographic products, there is also
no reason to support only 40bit cipher suites or 512bit RSA
keys.”