Jump to content

Wikipedia to Drop Internet Explorer 8 (IE8) Support on October 17 - Use Firefox 52 ESR


sdfox7

Recommended Posts

I occasionally use Internet Explorer 8 to test what sites still work with it. Today I was researching Silverlight history, and was greeted with a recommendation/advice to discontinue using Internet Explorer 8. Wikipedia is advising all Windows XP users to migrate to Firefox 52 ESR. It displays the warning in over 15 different languages.

"We are removing support for the legacy 3DES cryptographic cipher, which your browser software relies on to connect to our sites. This is usually caused by using Internet Explorer on Windows XP, but could also be caused by other ancient browsers or user agents, or could be interference from corporate or personal "Web Security" software which actually downgrades connection security.

For now, you can try reloading the page again to continue, but we'll be removing support for these insecure connections completely by October 17, 2017 (2017-10-17), which will block your access to our sites if you haven't upgraded in time.

See also the HTTPS Browser Recommendations page on Wikitech for more-detailed information."

There is no direct link for the page Wikipedia redirected me to, but I pasted it into MS Word so you can view the graphics/text as they appeared on the page: http://sdfox7.com/xp/files/Your Browser.doc

Also see: Wikipedia: HTTPS/Browser Recommendations

wiki_ie8.jpg

wiki_ssl.jpg

 

Edited by sdfox7
additional info
Link to comment
Share on other sites


@heinoganda

Good points. As I said in my post, I use it to test for legacy compatibility. But IE 8 has probably been dead for the last five years or so, and no one should be using it for banking, etc. Many pages now have a block if you attempt to use it. For example:

https://services.secure.bankofamerica.com/home-equity/status/browser-upgrade.go

https://www.capitalone.com/misc/browser/block.html

https://online.citi.com/US/JPS/portal/BrowserExclude.do

https://www.youtube.com/supported_browsers?next_url=%2F

Link to comment
Share on other sites

It's possible and harmless to spoof IE8 as IE9. However, pretending to be IE10 or, worse, IE11 leads to cripled funcionality.

Quote

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
"Version"="MSIE 9.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Version Vector]
"IE"="9.0000"

The above .reg does it. Remember it's mandatory to put two (or more) blank lines at the end of the .reg file, though.

Link to comment
Share on other sites

29 minutes ago, dencorso said:

Remember it's mandatory to put two (or more) blank lines at the end of the .reg file, though.

Hey den, please remind me why this is true, and if it's necessary any time you use a reg file.  I'm afraid I've forgotten.  Curse of old age and all.  I know you don't suffer from that. LOL  TIA

Cheers and Regards

Link to comment
Share on other sites

To be true, I don't know why, either. But since at least Win 95 times (= REGEDIT4) up to this day, there must be a pair of blank lines at the end of any .reg file.  I think some, if not all, such files may be interpreted wrongly if ended by just one blank line or none. But I don't remember ever having done it, personally (i. e. failed to put the two blank lines). Perhaps jaclaz can tell us why.

Link to comment
Share on other sites

ss64.com says:

Note the registry file should contain a blank line at the bottom of the file.

and that's all I've found with an extremely short search. :) Maybe the rule is that you MUST include a blank line, (or at least a carriage return?), so that the REG file is handled correctly no matter how it is evoked, and it ignores multiple blank lines, so it's safer to put too many rather than not enough? But you're right.  jaclaz will set us straight.

Cheers and Regards

Link to comment
Share on other sites

1 hour ago, bphlpt said:

Maybe the rule is that you MUST include a blank line, (or at least a carriage return?), so that the REG file is handled correctly no matter how it is evoked, and it ignores multiple blank lines, so it's safer to put too many rather than not enough? But you're right.  jaclaz will set us straight.

Cheers and Regards

jaclaz in this particular case has very little to say, if not that "blank lines" do not exist :w00t::ph34r:,

A single blank line has been "tradition", but two of them never were AFAICT.

The good MS guys were not able to put their act together, see:

https://support.microsoft.com/en-us/help/310516/how-to-add--modify--or-delete-registry-subkeys-and-values-by-using-a

and:

https://msdn.microsoft.com/en-us/library/ms954395.aspx

Quote

Blank line identifies the beginning of a new registry path. (Each individual key or subkey is a new registry path.) When you export a key, the .reg file displays a blank line before each key or subkey. If you have multiple keys in your .reg file, blank lines can help you examine and troubleshoot the contents. (Microsoft's instructions state that the blank line is necessary. However, when I create .reg files and inadvertently forget the blank lines, the files still merge successfully.)

(but that is probably related to "interstitial" blank lines)

This info comes NOT from MS:

http://www.windowsnetworking.com/kbase/WindowsTips/WindowsNT/RegistryTips/Registry/Understanding.REGfiles.html

Quote

The last character in a .REG file needs to be a carrage control. Just insert a blank line and press enter and then save the .REG file. 

Which says everything and the contrary of it. 

Inserting a "blank line" :w00t: and pressing enter actually means nothing, when you press Enter the last two characters in the file are CR+LF.

In DOS/Windows that is ASCII 13 10 or 0xDA 0xD0 where the 13 is a Carriage Return and the 10 is a Line Feed, carrage control simply does not exist.

And of course there is no such thing as a "blank line", the cursor in a text editor simply goes to a new line when you press Enter, you need to press Enter two times to get what appears as a blank line.

A blank line is then a CR+LF pair, and the CR+LF pair is obtained in text processor by pressing Enter (twice).

Maybe better said, a blank line is *nothing* inserted after a CR+LF and before another CR+LF.
 

So the question is:

1) do the last 2 characters need to be CR+LF?

OR

2) do the last 4 characters need to be CR+LF CR+LF?

Maybe it is here that the issue begins, personally I would never (by habit) leave the cursor at the end of a line in (say) Notepad, I would always go to new line by pressing enter before saving.

So I am in the habit of pressing Enter one more time (i.e. creating a single "pseudo-blank line") and save when it comes to .reg files.

People in the habit of not issuing the "first" Enter keypress may call that "two blank lines" :unsure: instead of "press Enter two times" or "make sure that there are two CR+LF pairs at the end of the file" or "make sure that in a hex heditor the last four characters are 0D0A0D0A" (if Unicode,0D000A000D000A00) ,

 

Only a speculation, but maybe (as often happens) the info that a "blank line" identifies the beginning of *whatever* is false, and it identifies instead the end of the *whatever*.

 

And now, for no apparent reason:

https://superuser.com/questions/931648/regedit-exe-import-fails-to-pick-up-text-field

https://answers.microsoft.com/en-us/windows/forum/windows_7-performance/regedit-import-issue-error-contains-carriage/6fda9d97-ae83-4d8f-b683-1f9aba9f5b2d

http://reboot.pro/topic/18355-importing-a-string-type-reg-key-which-has-a-new-line/

jaclaz

Edited by jaclaz
Link to comment
Share on other sites

Making a new post to separate it from the CR+LF "blank line" issue.

I can access on XP (SP2, yes I know about SP3):

https://en.wikipedia.org/wiki/Microsoft_Silverlight_version_history

just fine with both Opera (12.17, and yes, I know about 12.18) and with QTweb, without getting the page that sdfox found.

So, *whatever* it is, at first sight it seems only some (gratuitious) Firefox sponsoring aimed to IE users. :w00t::ph34r:.

jaclaz

Link to comment
Share on other sites

What I think of the upcoming Firefox versions, simple censorship!

https://blog.mozilla.org/blog/2017/08/08/mozilla-information-trust-initiative-building-movement-fight-misinformation-online/

http://www.businessinsider.de/mozilla-new-initiative-counter-fake-news-2017-8?r=US&IR=T

http://www.naturalnews.com/2017-08-14-firefox-browsers-will-soon-block-fake-news-flagged-by-george-soros-linked-left-wing-groups.html

For one, I think the other web browser to follow, on the other hand here is a freedom right restricted the free information procurement!
Therefore, any older web browser should save versions for itself!

:)

Link to comment
Share on other sites

TL;DR, if for some rather unfathomable reason you still really really really want to use IE8 to browse the web (NOT RECOMMENDED, as already stated by several people above), you won't necessarily be locked out from Wikipedia just yet if (like probably most people here) you have installed POSReady 2009 update KB3055973 or, preferably, its successive security fix KB3081320,

These updates install TLS 1.0 cipher suites AES128-SHA (TLS_RSA_WITH_AES_128_CBC_SHA) and AES256-SHA (TLS_RSA_WITH_AES_256_CBC_SHA), the former of which is and will remain supported by Wikimedia sites for now. However, Wikimedia makes it pretty clear that this isn't going to last very long:

Quote

The remaining 3DES cipher we support is specifically DES-CBC3-SHA. This is one of only two non-forward-secret ciphers that remain supported (the other being, for now, AES128-SHA), and eventually achieving 100% forward secrecy is an important goal that helps increase long term security for all users.

See also the "The end is coming regardless" section at the end of that page.

Apparently, AES128-SHA currently averages about 0.22% of their requests vs DES-CBC3-SHA-s 0.11%. As for its removal:

Quote

Current informal analysis indicates that the overwhelming majority of the 0.25% (and declining) of our requests which use this cipher are not from outdated user agents, but rather due to outdated and/or mis-configured outbound corporate TLS proxies which actively downgrade the connection security of modern clients behind them.

Quote

Realistically, I don't see us starting a 3-month countdown on this until somewhere in the early half of 2018. There's no definite planned dates yet, in any case. By then the stats will be even lower (they're still slowly but consistently dropping off naturally).

 

Edited by mixit
Link to comment
Share on other sites

@jaclaz

The Silverlight article does indeed load on Windows XP with Internet Explorer 8.

I think the reason I received the message the first time was due to a combination of user agent sniffing and possibly even IP address. Wikipedia logs IP addresses when article edits are made to prevent vandalism, so they may also log IP address from machines that perform searches.

Since I already received the message, it's likely my computer now has a cookie that will prevent it from reappearing; or at least Wikipedia will not serve the notice again since they have logged my IP as already receiving the message.

wikisilv.jpg

Link to comment
Share on other sites

10 hours ago, jaclaz said:

2) do the last 4 characters need to be CR+LF CR+LF?

I've Always understood the "two blank lines" as being the same as "CR;LF;CR;LF".
My own rationale here is: one "CR;LF" ends the last line. The second "CR;LF" shows there's no next line.
There is a parallel in C matrixes of strings: a 0x00 ends each string. When followed by another 0x00, it indicates the matrix has ended.
The  VS_VERSION_INFO structure used by MS executables is an example of such a "double-zero" terminated matrix.
Of course, these are my personal musings prompted by @bphlpt's question and @jaclaz's reply, so I can provide no reference for them.

Link to comment
Share on other sites

On 9/14/2017 at 2:36 PM, sdfox7 said:

I occasionally use Internet Explorer 8 to test what sites still work with it. Today I was researching Silverlight history, and was greeted with a recommendation/advice to discontinue using Internet Explorer 8. Wikipedia is advising all Windows XP users to migrate to Firefox 52 ESR. It displays the warning in over 15 different languages.

"We are removing support for the legacy 3DES cryptographic cipher, which your browser software relies on to connect to our sites. This is usually caused by using Internet Explorer on Windows XP, but could also be caused by other ancient browsers or user agents, or could be interference from corporate or personal "Web Security" software which actually downgrades connection security.

For now, you can try reloading the page again to continue, but we'll be removing support for these insecure connections completely by October 17, 2017 (2017-10-17), which will block your access to our sites if you haven't upgraded in time.

Personally, I think Wikipedia is over-reacting a bit. Certainly, 3DES isn't as secure as AES, but AFAIK cracking it still requires guessing about 108 random bits. (A 3DES key is 168 bits, but around 60 of those bits can be figured out without having to guess them.) AES requires guessing at least 128 bits, so cracking it is at least a million times harder, but even with today's more powerful hardware, 108 bits is plenty of security.

Edit: Come to think of it, the problem with 3DES may not be the key size, but rather the fact that it only encrypts 64 bits at a time. With enough data, this could allow an attacker to exploit the "birthday paradox" to find accidental collisions (different 64-bit blocks that happen to encrypt to the same value), and work backwards to reduce the number of key bits that need to be guessed. With AES, 128 bits are encrypted at once, so the odds of such a collision leaking info about the key are extremely remote. So maybe Wikipedia is being prudent after all.

In any case, there's probably not much point in using IE8 anyway, unless you're browsing sites that use IE-specific tech like ActiveX (I still run into a few of those on occasion). But if you're determined to do so, you can use ProxHTTPSProxy with IE8 to provide modern, more secure ciphers. With ProxHTTPSProxy, Wikipedia comes up fine in IE8 with no security warning. (He can correct me if I'm wrong, but I believe @Heinoganda has updated ProxHTTPSProxy with a newer OpenSSL version that closes even more security holes.)

Edit 2: BTW, from their warning about security flaws, I can see that Wikipedia doesn't know about the POSReady hack for Windows XP ;)

Edited by Mathwiz
See text
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...