This is a bit esoteric, but it seems like by summer 2016 most encrypted web sites will be switching to the protocol that XP cannot support.
PCI-DSS compliance committee recently released new compliance requirements that make anyone using TLS1.0 not PCI-compliant. Most server farms are in the process of eliminating TLS1.0 (and SSLv3) protocols from their servers. Mine just did that for my server, which broke things because I am using NET4.0 which doesn’t support TLS1.2.
One reason why we’re still using NET4.0 is that we still have quite a few WinXP users and NET4.5 doesn’t run on XPs. From my research into the matter, it seems that XP in general does not and cannot support TLS1.2.
If so, come next summer WinXP users will not be able to use their browser or other software to access encrypted (https:// prefixed) sites.
Does anyone know of a solution available to XP users (or, alternatively, since that is what I am mainly interested in, a C# solution that will allow us to retain NET4.0 but still use TLS1.2 for our XP users)?
This is not exactly the “final nail in the coffin”. More like, the coffin has been nailed, buried, sat in the ground for a few years, and now a flood has washed away the cemetery and it is floating in the river towards the ocean, never to be seen again.
Does it make sense to worry about the security of encryption protocols when you are using an operating system whose vendor is no longer issuing fixes for vulnerabilities in the OS itself?
According to this, Win XP still has 12% total market share. It seems the percentage is even higher among our product’s users.
Telling 15% or so of your users that they cannot use your stuff anymore unless they switch OS is not that great a marketing trick. If they are still staying on XP after this long, they must be either completely ossified or have a good reason to do so.
It would make it easier for me, actually, if XP as the OS didn’t support TLS1.2 and not just C#-based applications, because that would definitely incentivize the XP holdouts to upgrade their OS. But I am not sure that is true. Anyone know?
I don’t know in this case, but haven’t there been prior watersheds in OS evolution where, in a version of Windows (and maybe Apple OS’s too), the OS itself could not support an evolution of security, connectivity or communication standards? Where no app or patch or fix could give the system the needed features?
I am not sure. I cannot find anything definitive on this. A few sources claim this is an XP issue. As I said, I would prefer this be an XP issue and not just a NET4.0 issue, because at least I can tell those users: “Not only can you not run my stuff, you can’t even get to your broker’s web site. You gotta upgrade.”
I can’t think of any reason it would be an XP issue and not an IE issue, but maybe I’m just not being creative enough. And even then, the only reason it’s an IE issue is because MS drew a line in the sand and cut IE8 off from updates. There’s no technical limitation nearest I can tell.
This blog talks about ending support for all versions of IE on Windows XP, but not XP itself.
FWIW I have an extended family relation who’s stubbornly still running XP because he’s cheap. He asked me to give his computer a once over and tell him if he should upgrade when MS officially dropped support. I said he probably should but that I couldn’t see anything glaring. He’s running Firefox and I told him to keep up with those updates and I’d let him know if I saw anything big in the news.
AIUI, Win 7 and 8 were so alien to the “Windows as only OS ever seen” crowd that they were unusable, even if they worked as designed, which they didn’t.
So now the big news I’ve heard about Win 10 is:
The “Start” button (which was introduced on WIN 95) is back. Q: Where was it hiding all these years?
MS Hearts is no longer available. I spend much time with that game. I’m vicious that way.
I learned many years ago not to trust any MS “Release x.0.0”. For XP, it was SP2 before it was considered safe for children.
If I knew the architecture of these machines, I’d probably not use a MS product. But I’m too lazy to learn architecture at this point.
Maybe a teeny tiny bit of exaggeration there? As noted, there are still lots of XP users around. Indeed I know of a major financial institution that is running many thousands, if not tens of thousands, of Windows 2000 desktops. They are surely not the only ones.
^^^^^^^
… and this is why.
I see lots of users going “I’m happy with Windows 7, why would I want to upgrade to Windows 8 or Windows 10?”. To which I’m tempted to ask, a little bit facetiously but with a kernel of truth, “Why would you even want Windows 7?”.
I don’t know the answer to the OP question but I would be very interested if anyone does. It would certainly be a major issue if it were true. I can only offer the following anecdotal observations. I had a thread here a year or so ago asking about a root certificate issue with XP. I tried fixing it with a certificate update and it wasn’t working, and indeed the updated certificates were claimed to be “corrupt”. Turned out that the SP3 service pack fixed the problem.
Then I had another issue where on a few sites HTTPS connections were being rejected, but not HTTP. Interestingly, when I tried this on Windows 7, it worked in Firefox but failed in IE. Now this problem turned out to be fixable simply by updating Firefox, though I still don’t know what it was that the older browsers were failing to support. So perhaps the answer to the OP is that things will still work provided security certificates are recent enough and as long as Firefox (or Chrome) updates are still being released for XP.
I have access to an old W-98se machine and an XP machine which are still stomping in mud puddles and playing Hearts (my Win-7 still has it) and maybe can tell if it is IE or the OS. They each have several different browsers installed.
(I used to know how to lift ‘hearts’ and the others out of 98 and drop in a newer machine. Now forgotten.)
and tell me whether you can get to it? (I am not in any way affiliated with the site, it’s just that it sits on a server that has no TLS1.0 support so is a good test).
as far as Apple goes, yes. There was the transition from classic Mac OS to OS X, then the switch to Intel (at v.10.4,) then the removal of Rosetta (emulation for PowerPC apps) in 10.6 (or 10.7.) Plus, Apple pretty much only offers updates and support for their current OS version and the one prior.
the most recent “breaking point” for Windows was Vista. Microsoft tore up a lot of shit, from the audio stack to a brand new graphics system, huge security architecture overhauls, yet did all they could to maintain backwards compatibility. And people are still bitching that XP is old and busted even though it’s damn near 14 years old.
honestly, if you’re still running XP, you’d better have a damned good reason, otherwise you deserve to be screwed.
I don’t understand your comment. The link you gave works fine on XP with the current version of Firefox. Most HTTPS sites don’t work at all with older versions of IE on either XP or on Win7. This supports the idea that your concern is a browser dependency and not a root certificate store (OS related) dependency. Am I misunderstanding your question?
Our product is written in C# and runs on user’s machine. C# programs can be written based on different versions of NET libraries. NET4.0 - the last library that works on XP - does not support TLS1.2. And NET 4.5 - the library that does support TLS1.2 - cannot be installed on XP.
Up to now we had no problem with that arrangement. We wrote to NET4.0. But now server farms and big sites started disabling TLS1.0 because it is not PCI compliant anymore. Which breaks our stuff.
So, once most of the servers out there remove support for TLS1.0, which will happen by next summer, no C#-based program that needs to HTTPS-access encrypted servers on the net will work on XP anymore.
Ah, thank you. With that clarification and on re-reading your OP I have a better understanding of your concern.
I was coming at it from the standpoint of a broader interest in the viability of XP in general, based on the assertion from your OP that “come next summer WinXP users will not be able to use their browser or other software to access encrypted (https:// prefixed) sites.” It appears that they will, provided their browser supports it, and it would appear that the current version of Firefox supports all current versions of TLS, but presumably doesn’t need .NET to do so. “Other software” is a different matter. This doesn’t help your product support situation for XP, unfortunately, but it does bode well for the broader question of XP viability in general, aside from its ability to support libraries for new development frameworks.
In looking at the Firefox feature chart I suspect that TLS was the reason I was getting the HTTPS failures before I upgraded.
The sites I was looking at were not clear whether the TLS1.2 failures were due to the particular browser or the OS. Now I know it was the browser. I was kinda hoping it was the OS, because it would make my task of urging our users to upgrade their OS from XP easier.
Unfortunately, there is absolutely no way Microsoft will go back and update their NET4.0 to support TLS1.2.
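A startup check for the situation discussed in this thread, added here as an example and not code from any poster: a program compiled against .NET 4.0 asks the runtime it is actually running on whether TLS 1.2 is available, so it can tell the user why HTTPS will fail instead of surfacing a generic connection error. It assumes the `ServicePointManager.SecurityProtocol` setter throws `NotSupportedException` when the installed runtime has no TLS 1.2 support; the class name, exit code and the optional URL argument are hypothetical.

```csharp
using System;
using System.Net;

static class Tls12Check
{
    // SecurityProtocolType.Tls12 only exists as a named member in .NET 4.5+.
    // Its numeric value is 3072, which a 4.0-targeted build can still pass by cast.
    const SecurityProtocolType Tls12 = (SecurityProtocolType)3072;

    // Returns true if the runtime hosting this process accepts TLS 1.2.
    // Assumption: a runtime without TLS 1.2 rejects the value with NotSupportedException.
    public static bool TryEnableTls12()
    {
        try
        {
            // Keep TLS 1.0 for servers that have not migrated yet, and add TLS 1.2.
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls | Tls12;
            return true;
        }
        catch (NotSupportedException)
        {
            return false;
        }
    }

    static int Main(string[] args)
    {
        if (!TryEnableTls12())
        {
            Console.Error.WriteLine(
                "This .NET runtime cannot use TLS 1.2; servers that have " +
                "disabled TLS 1.0 will refuse the connection.");
            return 2; // hypothetical exit code for "unsupported platform"
        }

        // Optional: fetch a URL given on the command line (hypothetical argument)
        // to confirm the handshake against a TLS 1.2-only server.
        if (args.Length == 1)
        {
            var request = (HttpWebRequest)WebRequest.Create(args[0]);
            using (var response = (HttpWebResponse)request.GetResponse())
                Console.WriteLine("HTTP {0}", (int)response.StatusCode);
        }
        return 0;
    }
}
```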