Official bug reporting thread
14th September 2018, 06:15 PM   #41
Mooly, United Kingdom
diyAudio Moderator
Join Date: Sep 2007
Another user is reporting similar behaviour and is using XP. The screen shot images Osvaldo is seeing look the same as those from George. Browser is Google Chrome. XP Pro 2002 Service Pack 3

Bad viewing DIYa?
  Reply With Quote
14th September 2018, 11:29 PM   #42
Jason, Australia
diyAudio Administrator
Join Date: Oct 2000
Location: Melbourne
Ok... have spent an hour researching this now.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH is the key error.

The problem is that Windows XP doesn't support any modern ciphers or SNI. I just looked at our stats, and 1.6% of visits to diyAudio are from WindowsXP.

Windows XP End of Support

Quote:
After 12 years, support for Windows XP ended April 8, 2014. Microsoft will no longer provide security updates or technical support for the Windows XP operating system.

PCs running Windows XP after April 8, 2014, are not considered secure.

It's possible for us to downgrade and open up insecure Ciphers, but this then appears to break many more modern browsers due to some SSL/Cipher incompatibilities. I've been unable to activate SSLv3 with XP compatible Ciphers, while not breaking other things.

I may ask for an SSL expert to assist and see if there is a workaround but I've tried a half dozen recommended ssl_protocols / ssl_ciphers combinations now (then testing with SSLLabs). So, we have a choice between breaking the security of the site for 1.6% of visitors, and having a buggy and insecure end-of-life Microsoft OS work for those computers. It's a tough one, but I think I'm going to pull the plug on WindowsXP. The workarounds to support it are to the detriment of modern browsers.

Average time to infection: 4 minutes - TechBlog

It takes an average of 4 minutes for a fresh WindowsXP computer connected to the internet to become infected by Malware, which is less time than it takes to download the latest security patches. That article was from 2008, I assume it's much quicker now. It's a mess, I suggest we draw a line in the sand. If you can give me any good reason why anyone in 2018 should be using WindowsXP, let me know. The internet has changed, it's much more dangerous than it was a decade ago. Running Windows XP you are literally asking for malware and cryptolockers to ruin your day. If I can find a workaround, I'll implement it though, no problem.

I'm confused about why you can access the site at all, but it's possible that once we switch to true SSL only (next week), diyaudio.com will be completely inaccessible from an incompatible browser.

More information about why we need to block SSLv3: Disable SSLv3

Last edited by Jason; 14th September 2018 at 11:46 PM.
  Reply With Quote
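
Added example, not part of the post above or of diyAudio's configuration: one way to put a number on the trade-off discussed there is to log the negotiated protocol and cipher per request and count which clients a stricter `ssl_protocols` setting would cut off. The log format, its name `tls` and the sample lines are assumptions constructed for illustration; `$ssl_protocol` and `$ssl_cipher` are standard nginx variables.

```python
import re
from collections import Counter

# Assumed nginx log_format (hypothetical name "tls", not the site's real config):
#   log_format tls '$remote_addr $ssl_protocol $ssl_cipher "$http_user_agent"';
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
# Values nginx writes for $ssl_protocol, oldest first.
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Constructed sample traffic (documentation IP ranges, invented mix of clients).
SAMPLE_LOG = """\
203.0.113.10 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/69.0"
203.0.113.11 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "Mozilla/5.0 (Windows NT 6.1; rv:62.0) Firefox/62.0"
203.0.113.12 TLSv1 DES-CBC3-SHA "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
203.0.113.13 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "Mozilla/5.0 (Windows NT 5.1; rv:52.0) Firefox/52.0"
203.0.113.14 TLSv1.3 TLS_AES_128_GCM_SHA256 "Mozilla/5.0 (X11; Linux x86_64) Chrome/70.0"
203.0.113.15 TLSv1 DES-CBC3-SHA "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1)"
203.0.113.16 TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384 "Mozilla/5.0 (Macintosh) Safari/605.1"
203.0.113.17 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "Mozilla/5.0 (Linux; Android 8.0) Chrome/69.0"
198.51.100.7 - - "curl/7.61.0"
truncated line without the expected fields
"""

def parse(log_text):
    """Yield (protocol, cipher, user_agent) for each TLS request; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        # "-" means plain HTTP (empty $ssl_protocol); unknown values are ignored.
        if m and m.group(2) in PROTOCOL_ORDER:
            yield m.group(2), m.group(3), m.group(4)

def impact_of_minimum(log_text, minimum):
    """Return (total, cut_off, share, clients) for a proposed minimum protocol."""
    # Assumes the server already offers newer versions: it negotiates the highest
    # version both sides support, so a lower logged value is the client's limit.
    floor = PROTOCOL_ORDER.index(minimum)
    total, cut = 0, Counter()
    for proto, cipher, agent in parse(log_text):
        total += 1
        if PROTOCOL_ORDER.index(proto) < floor:
            cut[(proto, cipher, agent)] += 1
    cut_off = sum(cut.values())
    return total, cut_off, (cut_off / total if total else 0.0), cut

if __name__ == "__main__":
    total, cut_off, share, clients = impact_of_minimum(SAMPLE_LOG, "TLSv1.2")
    print(f"{cut_off}/{total} TLS requests ({share:.1%}) would fail with TLSv1.2 as minimum")
    for (proto, cipher, agent), n in clients.most_common():
        print(f"  {n:>3}  {proto:<8} {cipher:<14} {agent}")
```

Clients whose handshake already fails never reach the access log, so this measures who a further tightening would lose, not who is already locked out.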
15th September 2018, 12:52 AM   #43
PRR, United States
diyAudio Member
Join Date: Jun 2003
Location: Maine USA
Quote:
Originally Posted by Jason View Post
...It takes an average of 4 minutes for a fresh WindowsXP computer connected to the internet to become infected by Malware, which is less time than it takes to download the latest security patches. That article was from 2008, I assume it's much quicker now. ....

No. I DO recall those days. Even behind firewalls it was brutal setting-up a machine.

But by the end of XP's life that particular (XP-specific) malware was nearly extinct as 90++% of its hosts got protection or became Vista and Win7 (or linux...).

I am very trailing-edge. But I took all my XP machines off-line 2 years ago.

WinXP browsing seems to have fallen below 2% globally last year. Your 1.6% observation is right along that trend. XP still has large share in a few parts of the world. I could see supporting it if the fix is easy. But if the core is no longer secure against modern malware, and XP's end-time is past, I can't see doing a lot of shoveling to keep it going.
  Reply With Quote
15th September 2018, 01:00 AM   #44
Jason, Australia
diyAudio Administrator
Join Date: Oct 2000
Location: Melbourne
I have done some Googling, and can't seem to find a definitive answer, but it points towards both FireFox and Chrome having a working TLS1.2 version before they ended support for XP. So if the fix is "Use Chrome or Firefox instead of IE on XP", and it means you can still use XP, then I think that's a suitable work around.

FireFox: Important - Firefox has ended support for Windows XP and Vista | Firefox Help, with mention of last version being 52.9.0esr, which is available here: Directory Listing: /pub/firefox/releases/52.9.0esr/

Last edited by Jason; 15th September 2018 at 01:03 AM.
  Reply With Quote
15th September 2018, 03:25 AM   #45
Dude111
diyAudio Member
Join Date: Apr 2013
Jason, is it possible for you to use NO BROWSER LEFT BEHIND by Cloudflare? (That would allow ANY BROWSER on XP to connect (There wouldn't be any errors))

Here's info on that: http://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/
  Reply With Quote
15th September 2018, 03:40 AM   #46
Jason, Australia
diyAudio Administrator
Join Date: Oct 2000
Location: Melbourne
Good find Donny. That's a great service I didn't know about. We do use Cloudflare for DNS, but don't currently use Cloudflare for our dynamic content. Moving to a paid Cloudflare plan just for this would be no problem (it's not offered on their free plan), but configuring Cloudflare to correctly cache (and not cache) our dynamic content is not on the cards currently due to the (perceived, expected) complexities involved in creating rulesets. Might not be that hard, I just haven't had any reason to pursue that to date and we're fine with caching all static content. I'll add investigating this to my todo list. Thanks for the tip.
  Reply With Quote
15th September 2018, 03:42 AM   #47
Dude111
diyAudio Member
Join Date: Apr 2013
You're welcome my friend, this is a GOOD site
  Reply With Quote
15th September 2018, 03:49 AM   #48
Jason, Australia
diyAudio Administrator
Join Date: Oct 2000
Location: Melbourne
I've just had a look and the setup process appears to be non-trivial, with some mods required and will probably increase latency for dynamic pages to the 98.4% of people who don't need this. I'll investigate further as time allows.

In the meantime, the recommended fix for XP is to use FireFox: Directory Listing: /pub/firefox/releases/52.9.0esr/
  Reply With Quote
15th September 2018, 03:58 AM   #49
Jason, Australia
diyAudio Administrator
Join Date: Oct 2000
Location: Melbourne
Quote:
Originally Posted by gpapag View Post
Hello.
The last two-three days, when I enter the site through a Win XP computer

Can you try this? I've now enabled TLS1.0 but I can't tell if that's going to work with <IE9+XP.

https://warwick.ac.uk/services/its/s...lp/enable-tls/
  1. In Internet Explorer 6, go to Tools > Internet Options.
  2. Select the Advanced tab.
  3. Scroll down to the Security section. (It's at the bottom of the list of settings.)
  4. Select the checkbox Use TLS 1.0
  5. Click apply, then OK

Again, strongly suggest you switch to Firefox, if nothing else but for your own safety.

Last edited by Jason; 15th September 2018 at 04:12 AM.
  Reply With Quote
15th September 2018, 05:46 AM   #50
wintermute, Australia
diyAudio Moderator
Join Date: Aug 2003
Location: Sydney
The wonderful world of Windows XP ssl. Good to see it is down to 1.6%. That means that finally it will be possible to do ssl virtual hosts without wildcard certs!! I ran into that problem about 8 years ago. Worked fine on Windows 7, but not XP (and it was an OS level thing). At that time there was still a staggeringly high percentage of Windows XP browsers out there.

Even TLS1.0 is now regarded as unsafe. It won't be long before the recommendation is to turn off all but TLS1.2. The last few years has been a nightmare at work with request after request from the risk team to turn off SSL versions, TLS versions, old cyphers, etc. We had some funny situations where we were told we had to turn off pretty much ALL of the things on the webserver and we said, but if we do that we might as well just shut down the site completely! I think we were running apache 2.0 and it didn't support the only version that risk said we were allowed to run.

The funny thing is, some of the vulnerabilities do not put the server at risk at all. It is really only the client that is at risk, but the recommendation is to disable the stuff to protect those who don't know how (or want to) protect themselves.

So I guess the balance point is if there is no risk to the site enabling something, and only the end user is at risk, do you take the stance of well I won't let them view it because it might force them to fix their end, or do you take the stance, Well I'm not at risk, if they choose to put themselves at risk then that is their business.

It's a brave new world out there!!

Tony.
__________________
Any intelligence I may appear to have is purely artificial!
Some of my photos
  Reply With Quote

All times are GMT.