
Answers to Why is HTTPS not the default protocol? state that a lot of sites still use clear HTTP instead of HTTPS because all of these are true:

  • A substantial number of visitors to the site use Internet Explorer 6, 7, or 8 for Windows XP (IE/XP).
  • IE/XP can see only the first certificate on port 443 of a given IP address because it uses Windows XP's TLS library, which lacks support for Server Name Indication (SNI). (Chrome and Firefox on Windows XP use different TLS libraries that support SNI.)
  • The site shares an IPv4 address with another HTTPS site because it can't afford an increasingly scarce dedicated IPv4 address.

However, as of April 2014, extended support for IE/XP and the rest of Windows XP has ended. This means there are defects in IE/XP that Microsoft will no longer fix. A malicious actor could install unwanted software by exploiting a zero-day vulnerability resulting from one of these defects, which would defeat the confidentiality purpose of HTTPS in either of two ways:

  • A keylogger could capture all payment credentials, such as credit card numbers and Amazon or PayPal passwords, that an IE/XP user enters into HTTPS sites.
  • A proxy and certificate authority running on the local machine could perform a man-in-the-middle (MITM) attack on all the user's HTTPS connections.

What factors should a website's operator weigh when determining whether to continue to attempt to serve secure pages to IE/XP users? Are there any overwhelming arguments as of the first quarter of 2015 for accommodating or blocking IE/XP on a secure site?

Damian Yerrick
  • Because of the other SSL compatibility issues with XP, I get the sense that it's rapidly diminishing as a factor for web site support. But that's a sense rather than a factually supported answer :) – gowenfawr Feb 19 '15 at 16:48
  • If your users are still using IE on XP, they have bigger security issues than the weak TLS implementation. If you are running a highly critical website, you may want to redirect these users to install Firefox. Firefox uses its own TLS implementation so it can support additional features that may not be available in the OS's TLS. – Lie Ryan Feb 19 '15 at 17:00
  • XP also only supports TLS 1.0, and only with RC4 (bad), DES (bad), or 3DES (suboptimal). – cpast Feb 19 '15 at 18:30
  • Call your local mortuary and look into the cost of cremation vs. burial, Windows XP is dead on the security front. As with IE 4 backwards compatibility back in the day, web developers across the board ceasing to support old, dead browser combinations is the quickest way of moving users into more secure environments. We didn't need to keep fluent in browser display hacks then, we shouldn't be accommodating browser/OS combinations that leave our customers vulnerable now. – Fiasco Labs Feb 19 '15 at 23:58
  • You're asking the wrong question. It's not about how Windows XP can be made secure -- it can't. The question is, would you rather that people using Windows XP use your site with possible security issues, or don't use your site. If you're a bank, you might decide to go for the former option, but most people will go for the latter in order to keep their users. – Mike Scott Feb 20 '15 at 07:18
  • @MikeScott That's what I meant by "What factors should a website's operator weigh": when to go with one or the other option and why. – Damian Yerrick Feb 21 '15 at 19:14

3 Answers


Fast answer

No!

Acceptable workaround

Even an HTTPS connection from IE or Windows XP can't be considered as secured by a normal and even a skilled user. It was a known weak combination long before Microsoft announced its support deadline.

Hence I would suggest a 2-step approach for a webserver architect.

  1. Detect the referer, and if it is IE any version or XP any version, redirect the client toward a web page indicating that you identified he is connecting from a computing environment which is known as insecure. Clearly assert you can't be held responsible for any spy upon his connection which might occur at the level of his computer and his chosen software.

  2. Ask him if he accepts the risk involved and wants to proceed with an insecure connection even with the infamous small lock which might be displayed, even with your server URL starting with https:// and even with the high grade certificates you installed on your web server. Upon explicit agreement from the user, redirect him toward the core of your webserver through HTTPS. Upon disagreement, congratulate him for making a good choice and hope to see him back soon within an environment of full trust.

This will be a correct communication informing your customers and at the same time offering them a chance to brainstorm and improve, one day, their security :).

dan

Basically, Daniel Azuelos has a pretty solid answer, but I want to expand a bit upon that.

IE on XP is for many reasons obviously not a good idea, but first and foremost, unless someone can have IE6 on XP SP3, you can at least throw that thing out of the window, and any XP which does not have SP3 cannot be HTTPS'ed in the first place with a publicly trusted cert, because any publicly trusted CA has had to use SHA2 (SHA-256, SHA-384 or SHA-512) for quite a while now, which only works on SP3 of XP.

so in short:

  • XP SP2 or lower cannot be secured by public certificates, although if those XP computers are in your control (like company-internal computers) you can use a custom CA to get them working
  • XP SP3 can be made at least a bit secure using 3DES and an RSA certificate
  • for anything which needs to be safer than a bit (especially anything that involves handling of highly personal data or money), I think XP isn't a good idea.

so what can you do:

  • if your users usually arrive at the domain by typing it in, check the headers and if there is something that says clearly enough that it is SP3 or a different browser (specifically Firefox, since it can run pretty secure from an HTTPS standpoint, as it does its own HTTPS implementation), then redirect the user to HTTPS
  • otherwise, if you cannot be sure about which XP Service Pack the user has and he isn't using Firefox or maybe Chrome (I didn't try that), stay on HTTP and give the user an interstitial explaining that he can click through to an HTTPS page, although it will not work when he doesn't have XP Service Pack 3 or at least a proper browser.
  • also, one thing that can be done is to put EVERY XP user on the interstitial, and let them agree that they use their insecure computer to browse the website.
  • when an XP user gets through to HTTPS, keep that user constantly reminded (e.g. with a nice little bar at the top) that stuff that happens on this site cannot be made very secure, along with an info link explaining everything as simply as possible on why that is: even if he has a browser like Firefox which can handle HTTPS securely, things like malware have an easy play on XP and therefore anything he types on this computer can be compromised with ease.
  • also, if the user has IE6 or 7, make it clear that IE6 is a bad browser (well, IE8 is also not really good, but IE6 or 7 are worse) and give them info to upgrade to IE8, or even better, give them links to browsers that can work a lot better in general on XP (like Firefox)
    • This isn't just from a security aspect but from a web design aspect as well. Internet Explorer 8 is the only IE on XP that even remotely supports the web standards in a half-proper fashion. Sure, a lot is missing, but you probably need way fewer IE-specific hacks on IE8 than on IE6 or 7.
My1
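Both dan's two-step interstitial and My1's header-based routing come down to the same request-time decision: read the User-Agent header, decide whether the client is on Windows XP, and send it to a warning page, straight to HTTPS, or to HTTPS with a persistent warning bar. The following is an added example of that decision logic, written for this page rather than taken from either answer. It assumes the conventional User-Agent formats of the period (XP and XP x64 report `Windows NT 5.1` / `5.2`, IE reports an `MSIE n.0` token, Firefox a `Firefox/` token); the sample strings are constructed, the `accepted_risk` flag stands in for whatever cookie the interstitial sets, and no service-pack detection is attempted because the header does not carry it. The header is client-controlled, so this is a usability gate that steers users toward the warning, not a security control.

```python
"""Added example (not from the answers above): classify the User-Agent header
and decide whether to send the client to an interstitial warning page, straight
to HTTPS, or to HTTPS with a persistent warning banner."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample User-Agent strings in the conventional format each browser
# emitted around 2015; illustrative inputs, not captured traffic.
SAMPLE_USER_AGENTS = {
    "ie6_xp": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)",
    "ie8_xp": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)",
    "firefox_xp": "Mozilla/5.0 (Windows NT 5.1; rv:35.0) Gecko/20100101 Firefox/35.0",
    "chrome_win7": "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36",
}

# Windows XP reports kernel 5.1; XP x64 (and Server 2003) report 5.2.
XP_NT_VERSIONS = {"5.1", "5.2"}
_NT_RE = re.compile(r"Windows NT (\d+\.\d+)")
_MSIE_RE = re.compile(r"MSIE (\d+)\.")


@dataclass(frozen=True)
class ClientClass:
    is_xp: bool
    browser: str               # "msie", "firefox", "chrome" or "other"
    msie_major: Optional[int]  # major version when an MSIE token is present


def classify_user_agent(ua: str) -> ClientClass:
    """Extract the OS generation and browser family from a User-Agent string."""
    nt = _NT_RE.search(ua)
    is_xp = bool(nt) and nt.group(1) in XP_NT_VERSIONS
    if "Firefox/" in ua:
        browser = "firefox"
    elif "Chrome/" in ua:
        browser = "chrome"
    elif "MSIE " in ua or "Trident/" in ua:
        browser = "msie"
    else:
        browser = "other"
    m = _MSIE_RE.search(ua)
    msie_major = int(m.group(1)) if m else None
    return ClientClass(is_xp, browser, msie_major)


def decide(ua: str, accepted_risk: bool = False) -> str:
    """Return the action for this request.

    'https'             -> non-XP client: redirect straight to the HTTPS site
    'interstitial'      -> XP client that has not yet acknowledged the risk
    'https_with_banner' -> XP client that acknowledged it (accepted_risk is
                           assumed to come from a cookie set by the interstitial);
                           serve HTTPS but keep the persistent warning bar
    """
    client = classify_user_agent(ua)
    if not client.is_xp:
        return "https"
    if accepted_risk:
        return "https_with_banner"
    return "interstitial"


def upgrade_hint(ua: str) -> Optional[str]:
    """Extra interstitial text for IE 6/7 on XP, which the answers single out as
    the worst combination; other clients get no hint."""
    client = classify_user_agent(ua)
    if client.is_xp and client.browser == "msie" and client.msie_major in (6, 7):
        return ("IE %d is not supported on this site; please use a current "
                "Firefox or at least IE8." % client.msie_major)
    return None


if __name__ == "__main__":
    for name, ua in SAMPLE_USER_AGENTS.items():
        c = classify_user_agent(ua)
        print(f"{name:12} xp={c.is_xp!s:5} browser={c.browser:8} "
              f"first_visit={decide(ua)} after_consent={decide(ua, True)}")
```

Running it prints one line per constructed sample: the two IE/XP strings and the Firefox/XP string land on the interstitial first and on HTTPS with the banner after consent, while the Windows 7 client goes straight to HTTPS. Note that the warning bar is kept even for Firefox on XP, matching My1's point that a sound TLS stack does not help against malware on the host.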

I would suggest that as Windows XP is now out of support (apart from organisations that have purchased extended support from Microsoft) that for most sites it would be reasonable to cease supporting it.

However to weigh this up, it's really a site-by-site consideration. Key factors could include

  1. What percentage of users of the site currently use Windows XP/IE 6 (this should be available from web server logs, monitoring software)
  2. Is there a specific reason why users of the site cannot upgrade to a more recent operating system/browser combination (e.g. in some cases specific applications only work with specific browser/OS combinations)
  3. Is there a commercial reason why the site operator has to provide support for all potential users (e.g. contractual requirements)
  4. What sort of business is transacted by the site. As mentioned in comments Windows XP/IE 6 is a known vulnerable combination now, so for example an online banking application might take a risk decision to cut off users who are unwilling or unable to upgrade to reduce potential fraud losses.
  5. What costs / consequences are there for the site for maintaining compatibility with IE 6 / Windows XP (for example inability to roll out SNI, or inability to upgrade server-side software to versions that don't support that combination)
Rory McCune
  • well even IE8 the latest XP IE has a lot of major problems like staying on TLS1 and not supporting AES. – My1 Feb 15 '16 at 09:33