Let's Encrypt compatibility with Windows XP


#1

Continuing the discussion from [Help needed] Windows XP support:

For the sake of novices, could you add a clarification here as to whether “not compatible” merely means lockless (insecure) or does it mean the website will not render on the visitor’s screen at all? Thanks.


#2

The quote is a very specific answer to a very specific question:

If you use the Certbot client (formerly known as “Let’s Encrypt”), and if you tell it to update Apache or Nginx’s configuration, it will disable a number of insecure and obsolete cryptography and protocol settings, making the website incompatible with certain old clients, including IE 6 on Windows XP, which is archaic and insecure.

If you do those things, and choose to be compatible with those clients, you would have to spend 1 minute making further adjustments to the web server configuration.

When you choose to have Certbot adjust the web server configuration, it uses the “Intermediate compatibility” settings from Mozilla’s configuration guide. You would have to change it to the “Old backward compatibility” settings, or another similar configuration.

https://wiki.mozilla.org/Security/Server_Side_TLS

Mainly, you would want or need to enable a few insecure settings.

Since the browser doesn’t support SNI, you would also have to make sure the IP address’s default – or only – certificate includes all necessary names. (Fortunately, Let’s Encrypt makes that easy!)

My understanding is that third-party browsers, like Chrome and Firefox, have more modern TLS implementations than Internet Explorer 6, and can probably connect to websites using a normal configuration. They remain insecure and obsolete, though. (Edit: On Windows XP.)

Edit:

I forgot to answer your second question.

If the browser only supports Insecure Options A, B and C, and the web server only enables Secure Options X, Y and Z, the user would usually receive a vague error page about ‘protocol errors’ or ‘cipher overlap’ problems, and they would be unable to do anything about it, except upgrading to a secure browser.

If the web server requires SNI, but otherwise has everything insecure enabled, the user would probably receive a normal ‘domain name doesn’t match’ error page, which they can probably override.


#3

Thank you very much for the response; I’ve read that Certbot hasn’t been known as letsencrypt since May 2016, but rather is a client to facilitate easy installation of ACME-compatible certificates such as Let’s Encrypt.

Presumably many novices will install LE SSL using Certbot on shared hosting plans and have no clue about manually configuring their hosting server to handle obsolete systems like Windows XP.

It’s just too bad that this will result in web pages being inaccessible rather than merely showing a warning or an open lock symbol indicating the page is insecure. Traffic by Win XP is under 1%, but such users are typically elderly or poor with very small traffic, which is why, as a percentage of users, they are estimated to make up a many times higher percentage than their share of traffic. They aren’t worth much profit-wise, but in total they still constitute a very large number of people being left out.

Besides those who lack money (and the know-how to switch to Linux), there are some people who simply want to very occasionally access old hardware that only works attached to a Win XP machine, or who discover they want to retrieve a file from an old machine and then webmail it to themselves to receive the files.

I don’t have experience with any of them, but Skygee (Nov. 1, 2017) suggested that the browsers Comodo Ice Dragon, Slimjet, Whitehat Aviator, and SRWare Iron still worked with Win XP.


#4

The last version of Chrome that worked on XP and the current Firefox ESR should be fine with the intermediate or modern configuration.

Internet Explorer 8 is fine with the intermediate configuration, but it requires 3DES which some recent Linux distribution releases have dropped (e.g. Debian Stretch).

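The following is an added illustration (not Certbot, Mozilla or OpenSSL code, and not part of this thread) of the two failure modes described in post #2 and the 3DES point raised in post #4: a toy model of how a TLS server settles on a protocol version and cipher suite, then picks a certificate by SNI or falls back to the IP’s default certificate. The client and server profiles are constructed for the example; the cipher suite names are real OpenSSL names, but the lists are illustrative and are not the exact Mozilla “Intermediate” or “Old” cipher strings, and the “legacy XP browser” profile is a stand-in rather than a measurement of any specific browser. The alert names (`protocol_version` for no common version, `handshake_failure` for no shared cipher) are the alerts TLS actually defines for those cases.

```python
"""Toy model of TLS negotiation outcomes: hard failure vs. overridable warning.

Added example for this thread. Profiles below are constructed, not measured.
"""
from dataclasses import dataclass

TLS_VERSIONS = {"SSLv3": 0x0300, "TLSv1": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}


@dataclass
class Client:
    name: str
    versions: list      # protocol versions the client is willing to negotiate
    ciphers: list       # cipher suites offered, in client preference order
    sends_sni: bool     # whether the ClientHello carries a server_name extension
    wants: str          # hostname the user typed into the browser


@dataclass
class Server:
    protocols: list         # versions enabled in the web server config
    ciphers: list           # configured cipher string, in server preference order
    library_ciphers: set    # suites the TLS library actually ships (post #4: 3DES may be gone)
    certs: dict             # server_name -> names on the certificate selected for it
    default_cert: tuple     # names on the cert served when no SNI (or no match) is sent


def negotiate(client, server):
    """Return (outcome, details) modelling what the browser user ends up seeing."""
    # 1. Protocol version: highest version both sides support, else a hard failure.
    common = [v for v in client.versions if v in server.protocols]
    if not common:
        return "hard_failure", "alert protocol_version: no common TLS version"
    version = max(common, key=TLS_VERSIONS.__getitem__)

    # 2. Cipher suite: server preference, restricted to suites the library has.
    usable = [c for c in server.ciphers if c in server.library_ciphers]
    overlap = [c for c in usable if c in client.ciphers]
    if not overlap:
        return "hard_failure", "alert handshake_failure: no shared cipher"
    cipher = overlap[0]

    # 3. Certificate: SNI selects a cert, otherwise the IP's default cert is used.
    cert_names = server.default_cert
    if client.sends_sni:
        cert_names = server.certs.get(client.wants, server.default_cert)
    if client.wants not in cert_names:
        # Handshake completed; the browser shows a name-mismatch page the user can override.
        return "name_mismatch", f"{version} {cipher}; cert covers {cert_names}"
    return "ok", f"{version} {cipher}"


# Constructed client profiles (illustrative only).
LEGACY_XP_CLIENT = Client("legacy XP browser (no SNI)", ["SSLv3", "TLSv1"],
                          ["RC4-SHA", "RC4-MD5", "DES-CBC3-SHA"], False, "www.example.com")
SSLV3_ONLY_CLIENT = Client("SSLv3-only client", ["SSLv3"],
                           ["RC4-SHA", "DES-CBC3-SHA"], False, "www.example.com")
MODERN_CLIENT = Client("modern browser", ["TLSv1", "TLSv1.1", "TLSv1.2"],
                       ["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-CHACHA20-POLY1305"],
                       True, "www.example.com")

# Constructed server cipher lists, loosely in the spirit of the Mozilla profiles.
INTERMEDIATE_LIKE = ["ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256",
                     "ECDHE-RSA-AES256-SHA384"]
OLD_LIKE = INTERMEDIATE_LIKE + ["AES128-SHA", "DES-CBC3-SHA"]

FULL_LIBRARY = set(OLD_LIKE)                        # TLS library that still ships 3DES
NO_3DES_LIBRARY = FULL_LIBRARY - {"DES-CBC3-SHA"}   # e.g. a distro build that dropped it

CERTS = {
    "www.example.com": ("www.example.com", "example.com"),
    "other.example.net": ("other.example.net",),
}


def intermediate_server(default_cert=CERTS["other.example.net"]):
    return Server(["TLSv1", "TLSv1.1", "TLSv1.2"], INTERMEDIATE_LIKE, FULL_LIBRARY, CERTS, default_cert)


def old_server(library=FULL_LIBRARY, default_cert=CERTS["other.example.net"]):
    return Server(["TLSv1", "TLSv1.1", "TLSv1.2"], OLD_LIKE, library, CERTS, default_cert)


if __name__ == "__main__":
    cases = [
        ("modern vs intermediate", MODERN_CLIENT, intermediate_server()),
        ("legacy vs intermediate", LEGACY_XP_CLIENT, intermediate_server()),
        ("legacy vs old, wrong default cert", LEGACY_XP_CLIENT, old_server()),
        ("legacy vs old, default cert covers name", LEGACY_XP_CLIENT,
         old_server(default_cert=CERTS["www.example.com"])),
        ("legacy vs old, library without 3DES", LEGACY_XP_CLIENT, old_server(library=NO_3DES_LIBRARY)),
        ("SSLv3-only vs old", SSLV3_ONLY_CLIENT, old_server()),
    ]
    for label, client, server in cases:
        print(f"{label:42s} -> {negotiate(client, server)}")
```

Run it and the two distinct user experiences from post #2 fall out: a missing protocol or cipher overlap ends in an alert the user cannot click through, while a server that accepts the old cipher but serves the wrong default certificate to a non-SNI client produces only a name-mismatch page. The `library_ciphers` filter shows the post #4 case: enabling `DES-CBC3-SHA` in the config does nothing if the TLS library no longer ships it.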

#5

@blue88

It’s also too bad that necessary computer security is held back by things that have been obsolete for almost 20 years. We live in a world of shoddy engineering where a networked computer can get compromised if it hasn’t had security updates in 1 hour, and human civilization is likely going to be destroyed by some rando playing with a Windows XP virus.


#6

In fairness, it wasn’t even released 20 years ago (it came out in 2001), its successor wasn’t released until 2007, and its last update was in 2009, with extended support (monthly security updates) ending in 2014.

But I digress - Windows XP should no longer be in use. While I sympathize with the notion that low-income and technologically illiterate users may be holding out with their old XP systems, this is an infrastructure where catering to that demographic necessarily reduces security for everyone else.


#7

And the crazy thing is that it is even possible to use Opera 10.10 on Windows 95 to access “Intermediate” configured sites. On my test VM it does require 3 refreshes but once I get it connected I can access all my servers just fine.


#8

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.