I was being ironic about changing the field in the LE Root certificate. I don’t think this is even possible or viable. But as I understand it, because the LE Root has Name Constraints set up, all other certificates that follow will need the LE Root to explicitly allow things. My point is that a resolution from the LE side is way more difficult…
Sure. But as noted, it appears that blank fields should be considered as wild card (i.e. allow all, deny .mil). It may be the case that an explicit wild card is required for XP.
I haven’t dug into the link you sent in detail, nor have the ability to attempt to model an explicit wild card cert. Might be worth someone giving it a shot.
It isn’t in the LE root and not in the IdenTrust root as well.
Simply said, it is the intermediate, which is below the root and can be changed easily enough if needed, provided IdenTrust would sign that.
I found this .htaccess code by Jiří Zralý (medhi on GitHub):
It has worked in my case
The XP SP3 machine next to me is not redirecting to HTTPS.
The 7 Pro machine I’m on redirects in Chrome, Firefox, and IE11.
That’s a good solution for filtering your users as long as the SSL isn’t required for keeping the information secure.
Another tip is to direct Google to the http:// page as the page’s canonical address, even for SSL URLs. This way, Google lists the non-SSL page in its results and any clicks are upgraded to SSL as required. Again, not very useful for sites using HSTS or for transmitting credit card details, etc., but good enough for a brochureware site.
I don’t think IE/XP does HSTS in the first place, not forgetting that unless a site is visited via HTTPS AND trusted, HSTS won’t enable.
@jackpixley you might consider also redirecting Firefox even on XP, since Firefox does its own security and should have no problem whatsoever with LE certs.
@ both of you:
Be advised that this is susceptible to MITM, because of the flash of HTTP at the start.
Also, Google penalizes sites that aren’t HTTPS.
So back to topic…
There is good news:
Certificate Compatibility with Windows XP
ETA: Before March 22, 2016
A bug in Windows XP causes parsing of our current cross-signature
from IdenTrust to fail. We will be correcting this by getting new
cross-signatures from IdenTrust which work on Windows XP.
Can’t wait! This will improve adoption rates for sure.
Awesome news @rugk
Any details about the new CA cert? Should I start the renewal process?
We’ll post when it’s ready. It’ll be soon, but we probably won’t quite hit the estimated date of March 22.
Do you have any ETA? So, is it like early April, middle April, early May, what?
Thank you for letting us know.
I would say probably early April.
I don’t know if this requires a whole key signing ceremony et cetera, but could this be an opportunity to get a cross-signed ECDSA intermediate?
I think it wouldn’t be possible, as there probably won’t be a new private key generated, but one can always ask, right?
I’m waiting for this fix; we have around 20 computers with Win XP and Chrome with this bug.
With WinXP + Firefox it is working normally.
I’m afraid you’re correct. This won’t move up the date for an ECDSA intermediate. We’ll be using the same intermediate key, but with a new cert that has a new Subject and lacks the nameConstraints.
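To make the distinction in the post above concrete (an intermediate that carries a nameConstraints extension versus one that lacks it), here is an added example that is not part of this thread or of Let’s Encrypt’s own tooling. It builds two throwaway self-signed CA certificates with openssl, one carrying a constructed nameConstraints extension that excludes `.mil` (mirroring the "deny .mil" constraint discussed earlier) and one without, and then inspects them the same way you would inspect a real intermediate to confirm whether the XP-breaking extension is present. The certificate names, file paths and the `has_name_constraints`/`cert_subject` helpers are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: generate two test CA certs and check
# whether each one carries an X509v3 Name Constraints extension.
set -e

WORK=$(mktemp -d)

# Constructed OpenSSL config: one extension section with nameConstraints
# (excluding .mil, like the cross-signed intermediate discussed above) and
# one plain CA section without it.
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_constrained
prompt = no
[dn]
CN = Constructed Test Intermediate
[v3_constrained]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
nameConstraints = critical,excluded;DNS:.mil
[v3_plain]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF

# Self-signed cert WITH nameConstraints (the shape that trips XP's parser).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/key.pem" -out "$WORK/constrained.pem" \
  -config "$WORK/ca.cnf" -extensions v3_constrained 2>/dev/null

# Self-signed cert WITHOUT nameConstraints (the shape of the replacement).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/key2.pem" -out "$WORK/plain.pem" \
  -config "$WORK/ca.cnf" -extensions v3_plain 2>/dev/null

# Print "yes" if the PEM certificate in $1 carries a Name Constraints
# extension, "no" otherwise. Works unchanged on a downloaded intermediate.
has_name_constraints() {
  if openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Name Constraints'; then
    echo yes
  else
    echo no
  fi
}

# Print the certificate's Subject line, so a renamed intermediate
# (new Subject, as announced above) can be told apart from the old one.
cert_subject() {
  openssl x509 -in "$1" -noout -subject
}

# Human-readable summary of both test certificates.
for f in "$WORK/constrained.pem" "$WORK/plain.pem"; do
  echo "$(basename "$f"): nameConstraints=$(has_name_constraints "$f") ($(cert_subject "$f"))"
done
```

Point `has_name_constraints` at a real intermediate PEM (for example one extracted with `openssl s_client -showcerts`) to verify which chain a server is actually sending; a `yes` is the case that the post above says Windows XP fails to parse.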
Yes bro, in Firefox with Windows XP SP3 it works normally!
Well, depending on whether Firefox works with SP2, it could even work there, even with EC.
Point is that, unlike most other browsers, Firefox does its own encryption etc., so even if the system is way too old, Firefox could access high-security HTTPS pages.