8

XP support was dropped by MS on April 8 2014, almost two years ago, but there are still many people who use XP for internet surfing.

Also, there are still many sites like Google or Facebook that offer SSLv3 and similar stuff to support XP. However, if we dropped XP we would have much better security. We could use:

  • ECC
  • SHA2 certs (well yeah, XPSP3 fixed that one, but too many XP users still have SP2)
  • TLSv1.2
  • AES
  • HSTS
  • HPKP
  • SNI, probably one of the most important aspects of shared HTTPS hosting.

We have a pretty similar situation with older Android (<4.0), but unlike for XP we have actual numbers from Google for the active Androids on the Internet, and their share is just 3.2%, where we could almost ignore them.

And the most significant point is that everyone who really wants to be on this old system can use Firefox, which offers all the nice security features and still supports XP and most old Android versions (Froyo is an exception).


So let's get to the point:

In light of all that, is it already "safe" to drop XP support (and old Android along with it) from HTTPS sites to give better security? Especially seeing that browser vendors are going to mark out even more vulnerabilities day by day. Should we wait, and if yes, until when?

D.W.
My1
    The only statistics that should matter when deciding support for XP on your site is the one that's collected from your own site. Look into ways to collect data about how many users are still using these browsers to visit your site from their User-Agent header, and measure how many users are still using SSL3 on your site. – Lie Ryan Jan 18 '16 at 14:19
  • 17
    "stupidly" is a bit of a harsh judgement for a product line where upgrades require money and have increasing hardware requirements. – Jon Bentley Jan 18 '16 at 14:23
  • 4
    In a security sense it is stupid, and said problems can be mitigated by using Firefox, which is entirely free. – My1 Jan 18 '16 at 14:35
  • 2
    Also, using XP for the internet is a bad decision in every aspect, because they are more vulnerable than ever now that MS has dropped updates for almost 2 years and software vendors have started to drop XP. Using badly secured devices can be bad for a server too, because people can learn decisive data out of it (for example login data) if it is badly encrypted. – My1 Jan 18 '16 at 14:38
  • The security of modern clients only suffers from offering weak ciphersuites/protocol versions if they're vulnerable to downgrade attacks. – CodesInChaos Jan 18 '16 at 14:44
  • The modern clients may not be affected, but a bad user can get data from an MITM, and the attacker might use that for whatever purpose. – My1 Jan 18 '16 at 14:49
  • 1
    For many, it seems stupid to still be running Windows XP. However, most people that still run Windows XP are power users (i.e. the type of users that know which sites to visit and which not). One example of them is grc.com's Steve Gibson. They stay on WinXP because Win7/8.1/10 contains too much bloatware, in their opinion. PS: Note that WinXP isn't necessarily vulnerable. Some patches have come out for WinXP and WinXP Embedded (which could be installed on WinXP through a registry hack). – BlueCacti Jan 18 '16 at 16:49
  • 7
    There are also people who stupidly drive a car from 1996 even though brand new ones offer so much more safety and features! :-) – MonkeyZeus Jan 18 '16 at 17:54
  • @GroundZero But won't power users who know what they do often take a *totally* different way to continue using their beloved hardware, and for security concerns replace their XP with something else having an x in it? – Hagen von Eitzen Jan 18 '16 at 20:08
  • @GroundZero but the security of XP in case of HTTPS is affected, since it only uses old and insecure security for HTTPS. Essentially it isn't exactly about dropping XP as an OS, but dropping the weak security protocols which could be MITM'ed, and that is bad. Also, do the embedded updates give the clients a better HTTPS? I doubt it, and if bad security is dropped FF is a way, since the only good major browser supported on XP is FF. – My1 Jan 19 '16 at 07:59
  • @MonkeyZeus but it's not just the features in case of old cars they are also bad for the environment... – My1 Jan 19 '16 at 08:07
  • @My1 You're right in that the SSL ciphers on XP are outdated and potentially insecure. The reason that FF still works on XP is because it uses its own crypto-engine instead of relying on that of the OS. As such it can provide secure HTTPS connections that aren't affected by XP's outdated cipher suites etc. – BlueCacti Jan 19 '16 at 11:02
  • @My1 (1) Tell that to Volkswagen... (2) So people should also be restricted from owning '60s and '70s Camaros, Mustangs, GTOs, and new-age Hummers, Ferraris, Bugattis, Denalis, etc...? (3) Please buy me a new one so that I can help the environment. – MonkeyZeus Jan 19 '16 at 13:47
  • @MonkeyZeus In Germany there are so-called "Umwelt-Zonen" (environmental zones) where only cars with a certification (on the front window, usually already included) may drive in, so the concept already exists. – My1 Jan 19 '16 at 13:54
  • 1
    Related: [Can serving HTTPS to IE/XP be made secure?](https://security.stackexchange.com/questions/82066/can-serving-https-to-internet-explorer-on-windows-xp-be-made-secure) – Damian Yerrick Feb 14 '16 at 23:11

3 Answers

11

Depends entirely on specific sites. I suspect that a lot of sites with known audiences have already started dropping support for XP-specific fixes - sites dedicated to OSX software, for example, probably get negligible XP-using traffic. They may well have decided that they would rather have better security than worry about the few users who use XP.

On the other hand, sites like Facebook probably still see quite a lot of XP users, especially from countries where upgrading computers is prohibitively expensive. Dropping all support would instantly lose those users, which Facebook might not consider worthwhile.

It essentially comes down to a business decision though, rather than a security decision. If your business feels it is worth supporting these users, it will keep doing so. If not, it may drop the support.

For your own site, it's entirely safe to drop XP compatibility features. You might lose some users, but there isn't anything to stop you.

Matthew
  • 2
    @My1 You really should be looking at traffic logs for your own sites to determine how many of your users are on XP. However the major web statistics tracking companies, [Net Market Share](https://netmarketshare.com/), and [Stats Counter](http://gs.statcounter.com/) both attempt to give aggregate numbers for the internet as a whole. The two sites use different methodologies (the details are another question entirely), but broadly speaking NetMarketShare gives more weight to light users and those in the developing world, while StatsCounter is dominated by heavy users in the US/EU. – Dan Is Fiddling By Firelight Jan 18 '16 at 15:28
  • The problem is, we cannot really see the browser per OS, so I would love to see how the browser spread looks for XP only, where probably Firefox looks better than Chrome because FF uses less RAM and Chrome isn't even supported on XP anymore, and IE pages, well, look shit, to say it bluntly. – My1 Jan 19 '16 at 11:07
  • Consider using some JS based stats package - Google Analytics will certainly show OS as well as specific browser, and would give you the information you need. Any data from other sites is likely to be misleading - the vast majority of sites have a distinct pattern of users, and a corresponding pattern of software in use. – Matthew Jan 19 '16 at 11:10
5

The only way to decide if you are willing to lose the users with XP on your site is to find out how many of them there are.

Start to collect statistics on that. Then you have something to decide on.

If you decide to increase security and drop XP support based on those numbers, you can also show big information banners with guides on how to install another browser to the people still using XP on your site before you cut them off.

Josef
  • You either parse the User-Agent header on your server and return the overlay if an old browser is detected, or do the same client-side using JavaScript. Look at [this](https://browser-update.org/en/) or [PHP](https://github.com/cbschuld/Browser.php) or [js](https://hgoebl.github.io/mobile-detect.js/) for inspiration. – Josef Jan 18 '16 at 16:10
  • @Josef Or both, to ensure it will show for those few people who do inadvertently do User Agent spoofing (there are some people / local proxy "security" programs that do this) or use a rubbish proxy. – wizzwizz4 Jan 18 '16 at 18:56
2

As others said, start by measuring the statistics; the more relevant the better. By relevant I mean "representative for your users", so I'd consider JS-based analytics a bit more relevant than webserver log statistics if your site is meant to be used by humans, and the reverse if you have some web APIs that you encourage people to use.

Then take those statistics and have a discussion with your superiors about whether the affected users are worth holding back security fixes for. If you have any competitors, see what they did. If in the end they consider these users too relevant to drop, try to push for a campaign to make those users upgrade (by detecting their User-Agent or negotiated TLS parameters and displaying some warning).

Note that it's basically impossible to detect the user-agent before the TLS handshake (since if their browser isn't able to negotiate a TLS session it will show a client-side error, they won't reach your application), so all these measures should be done before implementing the changes to your TLS listener.

rpetre
  • Is it possible to throw them into a transparent reverse proxy with a different cert, crypto etc. when they say that they only do SSL3 or TLS1 (based on the client hello, so the server hasn't done much yet)? Which will then tell the users to update? – My1 Jan 19 '16 at 08:03
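Putting the measuring advice from the answers and comments above into practice (count XP and pre-4.0 Android clients from the User-Agent, count SSL3/TLS1.0 connections, and decide who gets the upgrade overlay), here is an added example that is not code from any of the posters. It assumes an nginx log format that appends nginx's `$ssl_protocol` and `$ssl_cipher` variables to the combined format; the log lines are constructed.

```python
import re
from collections import Counter

# Constructed nginx access-log lines. Assumed log_format (not from the page):
#   '$remote_addr - - [$time_local] "$request" $status $bytes '
#   '"$http_referer" "$http_user_agent" $ssl_protocol $ssl_cipher'
SAMPLE_LOG = """\
203.0.113.10 - - [18/Jan/2016:14:19:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)" TLSv1 RC4-SHA
203.0.113.11 - - [18/Jan/2016:14:19:05 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 5.1; rv:43.0) Gecko/20100101 Firefox/43.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.12 - - [18/Jan/2016:14:19:09 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; GT-S5360 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1" TLSv1 AES128-SHA
203.0.113.13 - - [18/Jan/2016:14:19:12 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:43.0) Gecko/20100101 Firefox/43.0" TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256
203.0.113.14 - - [18/Jan/2016:14:19:20 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)" SSLv3 DES-CBC3-SHA
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<proto>\S+) (?P<cipher>\S+)$'
)

def classify_os(ua):
    """Return 'xp', 'old_android' or 'other' from a User-Agent string.
    Windows NT 5.1/5.2 is XP (5.2 also covers XP x64 / Server 2003);
    Android below 4.0 is the cut-off used in the question."""
    if re.search(r'Windows NT 5\.[12]\b', ua):
        return 'xp'
    m = re.search(r'Android (\d+)\.(\d+)', ua)
    if m and (int(m.group(1)), int(m.group(2))) < (4, 0):
        return 'old_android'
    return 'other'

def needs_upgrade_banner(ua, proto):
    """True when the request should get the 'please upgrade' overlay: a legacy
    OS, or a connection negotiated with a protocol the site plans to drop.
    Note the second Firefox-on-XP line: it negotiates TLSv1.2 (own crypto
    stack), so it would be flagged by OS only, not by protocol."""
    return classify_os(ua) != 'other' or proto in ('SSLv3', 'TLSv1')

def summarize(log_text):
    """Count requests by client OS class and by negotiated protocol version,
    plus how many requests would see the banner. Unparsable lines are skipped."""
    by_os, by_proto, banner = Counter(), Counter(), 0
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        by_os[classify_os(m['ua'])] += 1
        by_proto[m['proto']] += 1
        banner += needs_upgrade_banner(m['ua'], m['proto'])
    return by_os, by_proto, banner
```

Run the same `summarize` over a real log with that format to get the numbers the answers ask for before touching the TLS listener; the protocol counts are the part JS-based analytics cannot give you.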