Lockpad not working on old mobile phones

And with this tool:
https://chainchecker.certifytheweb.com/

2 Likes

What can I do if they don’t want to help me? They don’t care.

What can I do? Nothing :disappointed:

Ask them for full control of your http/https web server.

And if they won't do that, switch hosting providers; here is Netcraft's Most Reliable Hosting Company Sites in June 2022.

2 Likes

OR
Switch to a better Hosting Service Provider (HSP).

3 Likes

But at least it is the "Latest Version!", it says so right on the box. And they wouldn't lie about a thing like that. :rofl:

1 Like

Yet it seems they are using SSL 3, TLS 1.0, TLS 1.1, TLS 1.2, and NOT TLS 1.3

2 Likes

I think I will stop paying them for hosting! They don’t deserve it. Only the domain. Why pay for hosting if Blogger gives it for free, as do many other platforms? I have connected the famous Blogger to the subdomain b.sasamilivojev.com.
I have connected the free Teletype to the FREE Russian domain миливоев.я.рус, and another, Tumblr, to the domain сашамиливоев.мир.рус, and they don’t have problems with certificates :crossed_fingers:

3 Likes

What do they need to do? Also add TLS v1.3?

Remove SSL 3, TLS v1.0, TLS v1.1.
Adding TLS v1.3 would be very nice.

2 Likes

 ./testssl.sh https://www.sasamilivojev.com/


###########################################################
    testssl.sh       3.1dev from https://testssl.sh/dev/
    (88e80d2 2022-07-02 22:13:06)

      This program is free software. Distribution and
             modification under GPLv2 permitted.
      USAGE w/o ANY WARRANTY. USE IT AT YOUR OWN RISK!

       Please file bugs @ https://testssl.sh/bugs/

###########################################################

 Using "LibreSSL 3.5.2" [~72 ciphers]
 on e6430-i5:/usr/bin/openssl
 (built: "date not available", platform: "information not available")


 Start 2022-07-20 17:30:17        -->> 77.105.36.83:443 (www.sasamilivojev.com) <<--

 rDNS (77.105.36.83):    plesk13.orion.rs.
 Service detected:       HTTP


 Testing protocols via sockets except NPN+ALPN

 SSLv2      not offered (OK)
 **SSLv3      offered (NOT ok)**
 TLS 1      offered (deprecated)
 TLS 1.1    offered (deprecated)
 TLS 1.2    offered (OK)
 TLS 1.3    not offered and downgraded to a weaker protocol
 NPN/SPDY   Local problem: /usr/bin/openssl doesn't support NPN/SPDY
 ALPN/HTTP2 not offered

 Testing cipher categories

 NULL ciphers (no encryption)                      not offered (OK)
 Anonymous NULL Ciphers (no authentication)        not offered (OK)
 Export ciphers (w/o ADH+NULL)                     not offered (OK)
 **LOW: 64 Bit + DES, RC[2,4], MD5 (w/o export)      offered (NOT ok)**
 Triple DES Ciphers / IDEA                         offered
 Obsoleted CBC ciphers (AES, ARIA etc.)            offered
 Strong encryption (AEAD ciphers) with no FS       offered (OK)
 Forward Secrecy strong encryption (AEAD ciphers)  offered (OK)

2 Likes

I sent them a screenshot of this conversation, the advice, and the link, to follow, to learn! I don’t know whether they will do something or not, but not having the lockpad on older mobile phones is very, very bad. Millions and millions of people are still using older Android phones, and they are getting a notification that their information, passwords and ATM cards can be stolen. Shame!

2 Likes

This is the first tool they should use, in my opinion, SSL Server Test (Powered by Qualys SSL Labs)

3 Likes

Yes, it is a shame. That is due to using the Let's Encrypt "short chain". If you were using Apache or nginx, two more popular servers, this would not be a problem. By default those easily use the Let's Encrypt "long chain" which works for older Android. Sadly, your use of IIS server and the need to support older Android is more difficult with Let's Encrypt (see my prior post). IIS makes it difficult to set the Let's Encrypt "long chain".

4 Likes

That might not be easy within Windows Server 2012.

4 Likes
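
The protocol change suggested earlier in the thread (remove SSL 3, TLS v1.0 and TLS v1.1), shown as an added example that is not from any poster: IIS takes its protocol list from the Windows Schannel registry keys. It assumes administrator access to the server; the function and variable names are hypothetical. Schannel on Windows Server 2012 has no TLS 1.3, so TLS 1.2 is the only protocol left enabled.

```powershell
# Added example, not from the thread. Run in an elevated session on the IIS host.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Set-SchannelServerProtocol {   # hypothetical helper name
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Protocol,   # 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
        [Parameter(Mandatory)][bool]$Enabled
    )
    $key = Join-Path $SchannelProtocols "$Protocol\Server"
    if ($PSCmdlet.ShouldProcess($key, "Set Enabled=$Enabled")) {
        # The per-protocol keys are absent on a default install. Create them only
        # when missing: New-Item -Force on an existing key would wipe its values.
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled: 1 = offer the protocol, 0 = refuse it.
        # DisabledByDefault is the inverse flag; set both so the state is unambiguous.
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord `
            -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord `
            -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

# Refuse the protocols the testssl.sh run in this thread flagged as NOT ok or deprecated.
'SSL 3.0', 'TLS 1.0', 'TLS 1.1' | ForEach-Object {
    Set-SchannelServerProtocol -Protocol $_ -Enabled $false
}
# Keep TLS 1.2 explicitly enabled so the server still has a protocol to offer.
Set-SchannelServerProtocol -Protocol 'TLS 1.2' -Enabled $true

# Show the resulting server-side state for review.
foreach ($p in 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $v = Get-ItemProperty -Path (Join-Path $SchannelProtocols "$p\Server") -ErrorAction SilentlyContinue
    [pscustomobject]@{ Protocol = $p; Enabled = $v.Enabled; DisabledByDefault = $v.DisabledByDefault }
}
```

Schannel reads these keys at boot, so the change takes effect after a restart; rerun testssl.sh afterwards to confirm the protocol list. Adding `-WhatIf` to the calls previews the registry writes without making them.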

FYI - using LE in the future won't support TLS v1.0 & v1.1 nor SHA-1.

4 Likes

I am pretty sure that means ACME clients will not be able to use TLS v1.0 or 1.1 any longer when they request a cert. Clients (browsers, ...) connecting to websites that happen to use a Let's Encrypt cert are not affected.

7 Likes

Right, but the total working automatic solution (which the LE Certs are a subset of) will likely be troublesome in the future.

3 Likes
