TLSv1.2+ requirement, old browsers

[avij]

This message concerns the security protocols used for HTTPS connections: SSL and TLS. EBT has been using HTTPS exclusively for three years now, so all of you are using HTTPS for entering your notes nowadays. If this message sounds too technical to you, click the link at the bottom of the message and see if it says "Safe".

A few years back we had to disable an old security protocol, SSLv3.

Now we're approaching the next step, disabling SSLv3's successors TLSv1.0 and TLSv1.1. They too have some weaknesses, which have been dealt with in newer revisions of the specification (TLSv1.2 and TLSv1.3). This change is currently not urgent, but this will need to be taken care of at some point. Note that various other websites have already set a requirement for at least TLSv1.2, and this trend is likely to continue this year for other websites.

Most modern browsers and operating systems already support at least TLSv1.2. TLSv1.2 specifications were published in August 2008, so about 12 years ago.

I have been logging the TLS versions used for a few days now, and the following browsers / devices may be affected:

• Android phones / tablets using Android 4.2.2/4.4.2:
  • Samsung Galaxy Tab 2
  • Samsung Galaxy Tab 3
  • Samsung Galaxy S3 Neo
  • Samsung Galaxy Trend Plus
  • Hannstar Tablet
• Windows XP using MS Internet Explorer 7 or 8, or an ancient version of Firefox

The newest of these devices are from 2015 or so, some are older than that. If you are affected, my primary recommendation is to start looking for a replacement device, maybe as a Christmas present for yourself (there's no need to wait until end of the year, though).

If you are wondering if your device is affected, head over to https://michaelspice.net/ssltest/ and make sure the output says either "Safe, your browser supports TLS 1.2" or "Safe, your browser supports TLS 1.3". If you can't connect at all, your browser/operating system may not support TLS 1.2 or TLS 1.3.

Unless other factors require an earlier retirement of TLSv1.0 and TLSv1.1, I would expect to disable TLSv1.0 and TLSv1.1 by the end of the year. When this happens, you will no longer be able to access EBT or the forum with the affected devices or browsers.

[avij]

EBT will now show a warning at login if the user has logged in using an affected device or a browser in the last seven days:

WARNING You recently logged in using a device or a browser that uses an outdated security protocol TLSv1.0 or TLSv1.1. EBT and many other websites will soon require at least TLSv1.2. You may soon not be able to browse the website or enter notes with that device or browser unless you update your device or browser to a more modern one. Please see the forum for more information. Your latest connection using TLSv1.0 or TLSv1.1: 2020-09-19 Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; GTB6; BTRS124610; .NET CLR 1.0.3705; .NET CLR 2.0.50727; .NET CLR 1.1.4322; Media Center PC 4.0; InfoPath.2; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; OfficeLiveConnector.1.5; OfficeLivePatch.1.3; .NET4.0C; .NET4.0E)

Note that the notice is per user, not per connection. For example, if you logged on to EBT from an old phone using TLSv1.0 yesterday and from an up-to-date desktop computer using TLSv1.2 today, you get the notice on both logins. The browser identification string may be cryptic, but it may allow others to help you in figuring out what kind of device you are using to access EBT and what options you may have to rectify the situation.

If you are getting a message similar to the above and don't quite know what to do, please post here and we'll try to help you.

For MSIE 8 and above on Windows 7 or 8, it may be possible to enable TLSv1.2 using these instructions. In case you can't access the page, I have copied the instructions here. MSIE 7 users may be able to update to MSIE 8, but that won't help if you are using Windows Vista or XP. Switching to Firefox or Chrome may also help.

For Android devices (phones and tablets), first check if there is an operating system update available. It may be that your device is no longer supported and no longer receives updates, but this option is worth checking in any case.

[avij]

This change has now been made. TLSv1.2 (or newer) is required from now on.