Important changes to Internet Security Infrastructure affect users of Windows XP
Author: Andrew Gray
Here's a timely reminder that the Internet is in fact a creation of scientists and engineers and that these #saintsofourmodernage are passionately committed to ensuring that their creation outlives us all. Sometimes that means that things need to be torn down and replaced.
There are big changes happening across the internet - these relate to the way in which secure connections are established (and how servers use digital certificates to prove that they are legitimate).
Dropping Support for SSL3.0 (affects users of IE6)
In order to establish a secure connection between your browser and a web server, the two first need to negotiate an approved method that they can both support. In days past it was often a protocol called SSL (Secure Sockets Layer) that was agreed on, but that was replaced by a newer protocol called TLS (Transport Layer Security).
Problems have recently been identified with SSL, which have resulted in many companies, including Google, deciding to drop the protocol and to establish secure connections only using TLS. Most browsers are capable of both SSL and TLS so the elimination of SSL as an option is not going to cause any problem – unless you are using an old browser like Internet Explorer 6 (IE6).
IE6 was released in 2001 and does not support TLS, so people still using that browser are soon going to find it impossible to establish secure connections with most websites. Very few people still use IE6, but those who do will still be able to browse most websites; they just won't be able to connect to a secure server (so they won't be able to log in or use any other feature that requires a secure connection).
IE6 won't be able to reach secure areas or use features that require https:// security; any attempt will fail, not just on our sites but on most others. This is just another reason not to be using IE6.
Dropping Support for SHA-1 (affects some Users of XP)
SHA is a critical component of Internet security. It provides a means of checking that large blocks of data have not been interfered with while in transit, which is particularly important for the transfer of crypto certificates issued by Certificate Authorities across the world.
Chrome will soon start displaying warnings when presented with digital certificates that rely on SHA-1 so website owners are rushing to get their certificates renewed with SHA-2.
All this sounds like benign good sense, but there is one fly in the ointment: Windows XP only supports SHA-2 if Service Pack 3 (SP3) has been installed.
If you are still using XP with SP1 or SP2, your browser will reject digital certificates that rely on SHA-2, which means that you won't be able to reach secure areas or use features that require https:// security - any attempt will fail, not just on our sites but on most others. This is just another reason to ensure that you upgrade from XP (or at least make sure that you install SP3).
Test Secure Connections on Your Own Server
If you are responsible for a site that requires secure connections, you can test to see if it handles these connections in the best possible way - visit https://www.ssllabs.com/ssltest/analyze.html. Our own server is ranked as "A" class - for more information download the full test report for secure.conscious.co.uk