
Windows XP 5.1.2600 won't go on the network


Lawrence Aracabia

Nov 14, 2021, 8:13:56 PM
Someone gave me a Windows XP 5.1.2600 laptop that works fine when booting
but I can't yet find a browser for it that will connect to the Internet.

Also I can only use Wi-Fi security from my phone where I can set the
security to none since it won't connect to any modern Wi-Fi WPA2-PSK router
security (I'm traveling so I don't have access to my own router).

Start > Run > winver
Version 5.1 (build 2600.xpsp_sp3_dgr_130307-0422 : Service Pack 3)

My two main questions are really a result of the first problem.
(1) How can I get a web browser for that WinXP that works on the Internet?
(2) How can I get that WinXP to connect to a typical WPA2-PSK access point?

Mayayana

Nov 14, 2021, 9:35:48 PM
"Lawrence Aracabia" <Lawrence...@Aracabia.com> wrote

| My two main questions are really a result of the first problem.
| (1) How can I get a web browser for that WinXP that works on the Internet?
| (2) How can I get that WinXP to connect to a typical WPA2-PSK access point?

I'm using Firefox 52.9 and New Moon 28.10.

http://archive.mozilla.org/pub/firefox/releases/

I don't know about the router issue.


gfre...@aol.com

Nov 15, 2021, 12:45:56 AM
Is the WiFi radio enabled? Does it see any networks?
Will it work with a cable in the ethernet port?
That will get you started down the right path.
If the ethernet works you have a WiFi thing. I would start by looking
for a WiFi switch. There is probably an LED that says the radio is on.
Then look at the control panel and see what it says about a WiFi
connection.
You may be reloading a driver or something if the hardware looks OK.

Lawrence Aracabia

Nov 15, 2021, 6:46:14 AM
Mayayana <maya...@invalid.nospam> wrote:

> I'm using Firefox 52.9 and New Moon 28.10.

I tried Firefox and it still wouldn't connect to httpS web sites.

There seems to be a problem with old "certificates" as only http sites
work. The laptop had not been used in probably 10 or 15 years.

Is there a way to "check" & "update" the certificates for any given
browser?

Lawrence Aracabia

Nov 15, 2021, 6:51:25 AM
<gfre...@aol.com> wrote:

> Is the WiFi radio enabled?

Yes. I can connect to an open network just fine (which is why I must use my
phone as I'm traveling and therefore I have no access to anyone's router).

> Does it see any networks?

Yes. It sees all of them. It just doesn't have WPA2-PSK ability.

> Will it work with a cable in the ethernet port?
> That will get you started down the right path.

I don't have physical access to anyone's router but that isn't the problem
anyway since it won't connect to WPA2-PSK as it doesn't even have that
option.

> If the ethernet works you have a WiFi thing.

The Wi-Fi clearly doesn't support WPA2-PSK. That's all I need.
I'm just not familiar with HOW to get it, especially with all the browser
certificates expired.

> I would start by looking for a WiFi switch. There is probably an LED that says the radio is on.
> Then look at the control panel and see what it says about a WiFi
> connection.
> You may be reloading a driver or something if the hardware looks OK.

The laptop hasn't been used in 10 or 15 years which is apparently older
than WPA2-PSK existed so all it needs is that capability but I don't know
how to add it.

Paul

Nov 15, 2021, 8:14:45 AM
A popular security certificate expired not long ago,
and this has caused major browser havoc for WinXP.

ISRG... Not the LetsEncrypt itself.

https://web.archive.org/web/20210922081352/https://techcrunch.com/2021/09/21/lets-encrypt-root-expiry/

*******

Using a second computer running a newer OS, consider acquiring
Firefox 52ESR. There's a table of values here, and this site
thinks Firefox > 50 will work. Since WinXP only has a working
Firefox up to 52ESR, then that is as far as you can go.

https://support.freshteam.com/support/solutions/articles/19000130292-troubleshooting-connection-not-secure-error

>50, <= 52ESR

So that would be here.

http://releases.mozilla.com/pub/firefox/releases/52.9.0esr/win32/en-US/

Firefox Setup 52.9.0esr.exe 43M 25-Jun-2018 08:56

Why is there a SHA1 reference here ? Dunno. This could be the same file.

http://releases.mozilla.com/pub/firefox/releases/52.9.0esr/win32-sha1/en-US/

Firefox Setup 52.9.0esr.exe 43M 25-Jun-2018 08:57

The reason Firefox can work, is Firefox has its own certificate store.

I tested the item from the first download link, and at least
it installed. I can't tell whether it will open the broken sites
or not. But you can try it. Once you get a cable or the Wifi working.

I had major problems with Windows Update in WinXP. There is a looping
bug, which presumably some clever Microsoft employee had a hand in.
The server it is trying to reach, is an http one, but perhaps
there is an https redirect and it doesn't even bother showing what it has
done on the screen.

I tried to use my wsusoffline, made a number of years ago, but
maybe I have to pick up an ESR from the site and get the
latest changes, if anyone bothered. They're not really supposed
to be supporting that any more. Wsusoffline consults Windows Update,
so does not "force" the updates in, which is a shame, because
as soon as Microsoft ruins WU, then Wsusoffline is ruined too.

Even if I installed MBSA 2.3, the wsusscn2.cab is protected with SHA2
now, and MBSA 2.3 cannot handle that. It should be dead in the water
too, not because the software is broken, but because the .cab it
is downloading is boobytrapped (designed to fail, when parsed).

Summary: Running WinXP ? Good God. It's like a field full of land mines now.
What a mess. So if someone tells you to "clean install when buying
a used laptop", I think you know what my answer is for WinXP...

Find a copy of Win7 and DAZ Loader.

Paul

Mayayana

Nov 15, 2021, 8:26:39 AM
"Lawrence Aracabia" <Lawrence...@Aracabia.com> wrote

| I tried Firefox and it still wouldn't connect to httpS web sites.
|
| There seems to be a problem with old "certificates" as only http sites
| work. The laptop had not been used in probably 10 or 15 years.
|
| Is there a way to "check" & "update" the certificates for any given
| browser?

I updated mine according to this webpage:

https://msfn.org/board/topic/175170-root-certificates-and-revoked-certificates-for-windows-xp/

I don't know whether it made a critical difference. Maybe it did.
But there's also the issue of bad certs and you need to make sure
FF gives you the option to bypass its warnings. I don't remember
the details of that offhand, but in some cases you can just get
a refusal to load the page. Yet in most cases that's due to recently
outdated certs or certs a small website is using that are not in its
name.


Lawrence Aracabia

Nov 15, 2021, 10:55:13 AM
Mayayana <maya...@invalid.nospam> wrote:

> I updated mine according to this webpage:
>
> https://msfn.org/board/topic/175170-root-certificates-and-revoked-certificates-for-windows-xp/

Thanks for that advice as I think the problem with the WinXP web browsers is that there are no
valid certificates, and I think the problem with the WinXP wi-fi may be that there is no option
to set the security to WPA2-PSK (or even WPA2 since it goes by various names).

(1) I created the phone mobile hotspot "hotspot1" which I set with no protection
(2) I ran in the phone termux shell "ifconfig" whose results are below
(3) "inet 192.168.27.227 netmask 255.255.255.0 broadcast 192.168.27.227"
(4) I connected winxp wi-fi to that mobile phone access point "hotspot1"
(5) The winxp "ipconfig" showed the wrong IP address subnet so I rebooted
(6) Back up & on Wi-Fi, the WinXP subnet was still wrong at 192.168.86.229
(7) A winxp ipconfig /release and then /renew didn't help things at all
(8) I set WinXP for the same 27 subnet & 227 gateway via the control panel
(9) 192.168.27.229/255.255.255.0 & gateway 192.168.27.227 & DNS 8.8.8.8/8.8.4.4
(10) On WinXP I pinged 192.168.27.227 & www.google.com successfully
(11) On WinXP I brought up firefox esr 52.9.0 (32-bit)
(12) In FF 52.9.0 I went to https://msfn.org (note the httpS)
(13) Predictably the error was "Your connection is not secure"
(14) In FF I pressed "Advanced, Add Exception, Get Certificate, & Confirm Security Exception" and the home page came up.
(15) In FF I went to your helpful URL & read the moderator comment below

The download for the latest (1.6) version of Heinoganda's root certificates and revoked certificates update utility is here -
https://www.mediafire.com/file/pflkq12ik8tlx5w/jveWB2Qg1Lt9yT5m3CYpZ8b8N4rH.rar/file
The archive password is: S4QH5TIefi7m9n1XLyTIZ3V5hSv4se1XB6jJZpH5TfB6vkJ8hfRxU7DWB2p

(16) Going to that mediafire URL I again got "Your connection is not secure"
(17) I hit Advanced, Add Exception, Get Certificate, Confirm Security Exception
(18) I pressed the blue "Download" button labeled jveWB2Qg1Lt9yT5m3CYpZ8b8N4rH
(19) Again I received "Your connection is not secure" & again I added the certificate.
(20) That downloaded the following 1,659KB RAR file
https://download2279.mediafire.com/blogpk1hizug/pflkq12ik8tlx5w/jveWB2Qg1Lt9yT5m3CYpZ8b8N4rH.rar
(21) Right clicking and selecting IZArc to extract asked for the password shown above
(22) The "Important please read.txt" implied I should ignore the "DL_URL_UPD.reg" file
(23) The "Info Version 1.6.txt" provided version information (bugfixes & the like)
(24) I clicked on the remaining file "Cert_Updater_v1.6.exe" & pressed "Yes"
(25) Resulting in "Roots Certificates" & "Revoked Certificates" are "successfully updated"

I went to www.google.com in FF 52.9.0 and it still said it was an insecure connection.
I killed and restarted Firefox ESR 52.9.0 (32-bit) but it still said the same thing.
That still said "insecure connection" so I rebooted WinXP.
After I restarted WinXP and reconnected, FF STILL gives me that insecure connection warning.
So I did a "Turn Off" of the PC so that I could cold boot to Windows XP.

After the cold boot I connected Windows XP SP3 to the phone wi-fi access point.
I checked the ping to the phone gateway and to www.google.com and they worked fine.
Yet Firefox 52.9.0 ESR (32-bit) STILL complained about security
https://www.google.com/?gws_rd=ssl
But the error is different now:
Error code: MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE
Clicking on those words it says:
A certificate that is not yet valid was used to issue the server's certificate.
HTTP Strict Transport Security: false
HTTP Public Key Pinning: true

I checked the date of the Windows XP computer and it said "Sat 07/09/2016"
which I then changed to 11-15-21 (and I checked that it took which it did).

THEN, when I went to "www.google.com" in Firefox ESR 52.9.0 (32-bit), it worked!
I went to news.google.com so I could click on current links, which worked!
SRWARE Iron Version 49.0.2600.0 also worked when clicking around in news.google.com!
Internet Explorer 8 version 8.0.6001.18702 also worked albeit it was super slow.
Worse with Opera 36.0.2130.80 which hung every time on that news.google.com site.

After another cold boot I checked again before posting my results above.
(The current date stuck, so it looks like the PC hasn't been used since 2016.)

Was my browser problem, all along, that the date was stuck way back in 2016?
Even so, when I connect to a typical home WPA2-PSK secured access point, I get
"Windows was unable to find a certificate to log you on to the network"

When I try to set up the wi-fi connection the only choices winxp provides are
Automatically assign a network key (recommended)
Manually assign a network key
Use WPA encryption instead of WEP

Overall, were all my web problems only related to the date or to the certificates?
And, how do I get the option for WPA2-PSK encryption in Windows XP SP3?

Paul

Nov 15, 2021, 4:19:29 PM
On 11/15/2021 10:55 AM, Lawrence Aracabia wrote:

>
> Overall, were all my web problems only related to the date or to the certificates?
> And, how do I get the option for WPA2-PSK encryption in Windows XP SP3?

There are things on the computer that are date sensitive,
so yes, having the date off by a large amount would be
a bad thing.

If you didn't pull the time in sufficiently, perhaps even
this would not work.

https://time.gov/

There is a graphic on the lower-right, showing the time error
between you and a decent-stratum clock at the gov site.

*******

https://kb.netgear.com/20021/Enabling-Wireless-Zero-Config-WZC-on-Windows-XP

https://en.wikipedia.org/wiki/Wireless_Zero_Configuration

"It was later integrated into Windows XP Service Pack 3"

https://www.dlink.com.vn/how-do-i-configure-wpa-psk-on-my-wireless-card-using-the-microsoft-xp-utility-2/

"How do I configure WPA-PSK on my wireless card using the Microsoft XP Utility?

Note: Make sure to have all of the latest Windows Updates.

Step 1 Click on the XP Networking icon to use the Zero Configuration utility.
This will be located in the lower-right corner (system tray). In the
lower-left of the window, click on the Advanced button.

Step 2 Ensure that Use Windows to configure my wireless network settings
is checked. Highlight the network you wish to connect to and click
on the Configure button.

Step 3 From the Network Authentication drop-down, select WPA-PSK. Under
Data Encryption, select TKIP or AES. Enter your Network key and
enter it again next to Confirm network key.
"

This implies some level of support in WZC, at a first glance.
I bet the hardware plays a part too though. At least some
of the crypto had a hardware component. Or so it was claimed
in a past time.

With WZC turned off, it may be up to the proprietary driver to
provide config panels. With WZC on, who knows, sometimes the
stuff just works.

I have no Wifi to speak of here, just the one laptop with a Wifi
on it. Nothing else, no Wifi router, to experiment with. I do
more BT-send than Wifi :-)

Paul


Mayayana

Nov 16, 2021, 8:12:49 AM
"Lawrence Aracabia" <Lawrence...@Aracabia.com> wrote

| Overall, were all my web problems only related to the date or to the certificates?

I'm not sure about that. I just remember the certificate update
being possible and I figured it couldn't hurt to update them. The
date problem is something that never occurred to me.

| And, how do I get the option for WPA2-PSK encryption in Windows XP SP3?

I'm afraid that's something I don't remember. I look into
the encryption issues when I buy a new router and then
I promptly forget the whole thing. I find that the older I get,
the less room there is in my mind to store such information.
I don't know, offhand, what encryption I'm using, but I've
never had problems.


J. P. Gilliver (John)

Nov 17, 2021, 4:31:42 PM
On Mon, 15 Nov 2021 at 08:26:48, Mayayana <maya...@invalid.nospam>
wrote (my responses usually follow points raised):
>"Lawrence Aracabia" <Lawrence...@Aracabia.com> wrote
>
>| I tried Firefox and it still wouldn't connect to httpS web sites.
>|
>| There seems to be a problem with old "certificates" as only http sites
>| work. The laptop had not been used in probably 10 or 15 years.
>|
>| Is there a way to "check" & "update" the certificates for any given
>| browser?
>
>I updated mine according to this webpage:
>
>https://msfn.org/board/topic/175170-root-certificates-and-revoked-certificates-for-windows-xp/
[]
Will that help with a very old Firefox running on W7? I get quite a lot
of cases where I have to accept the exception (or something like that)
but then it works; in (I think it is) the last week or two, I've had a
few that just won't connect, and don't give me the option to override
the warning.

(I ask because it looks as if it's for Windows rather than Firefox, and
I've heard Firefox uses its own independent certificate store [if that's
the right term].)
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

We shall never - never! - allow foreigners to run our economy. They might cure
it. (George Mikes, "How to be Decadent" [1977].)

J. P. Gilliver (John)

Nov 18, 2021, 1:24:57 AM
On Thu, 18 Nov 2021 at 05:53:36, Steve Hayes <haye...@telkomsa.net>
wrote (my responses usually follow points raised):
>On Wed, 17 Nov 2021 21:31:20 +0000, "J. P. Gilliver (John)"
><G6...@255soft.uk> wrote:
>
>>Will that help with a very old Firefox running on W7? I get quite a lot
[]
>>(I ask because it looks as if it's for Windows rather than Firefox, and
[]
>Yes, I use three browsers with Windows XP. Opera connects to Twitter,
>Firefox doesn't. I use Maxthon for FamilySearch, but it keeps warning
[]
So _will_ the suggested method work for old-F-on-W7?
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

One of my tricks as an armchair futurist is to "predict" things that are
already happening and watch people tell me it will never happen.
Scott Adams, 2015-3-9

Mayayana

Nov 19, 2021, 8:43:35 AM
"J. P. Gilliver (John)" <G6...@255soft.uk> wrote

| >I updated mine according to this webpage:
| >
| >https://msfn.org/board/topic/175170-root-certificates-and-revoked-certificates-for-windows-xp/
| []
| Will that help with a very old Firefox running on W7? I get quite a lot
| of cases where I have to accept the exception (or something like that)
| but then it works; in (I think it is) the last week or two, I've had a
| few that just won't connect, and don't give me the option to override
| the warning.
|
| (I ask because it looks as if it's for Windows rather than Firefox, and
| I've heard Firefox uses its own independent certificate store [if that's
| the right term].)

I can't answer that. I came across the cert issue at one point
and did the update. But personally I've never had the problem
of widespread cert rejection that some people talk about.
(FF 52 and New Moon 28) Did the cert update help? I'm afraid I
just don't know. You may be correct that only IE, winhttp, wininet,
and various other system Internet functionality can benefit.

Like you I sometimes get the warnings. There's another trick that
I don't remember offhand to make sure that you get the option
to override. (Firefox gets more daffy all the time.) But you should see
the reason for the warning in that page, too. It's almost always one
of two things:
1) The cert recently expired and hasn't been updated. 2) The cert
is someone else's. In the second case the problem is usually that
MarysMassage.com or EdsHuntingMemorabilia.com are hosted on
CheapHosting.com and their cert is registered to CheapHosting.com,
because getting your own cert is complicated. Firefox then sees
that as a suspicious cert.

Does any of this matter? Not really. If you're going to type in a
credit card number it's important. If you're going to look at photos
of Ed's antique guns then the only risk is that a man in the middle
hack could see the content of the webpage you're visiting. As they
say sometimes in the US but probably not in Britain: Big whoop!


Apd

Nov 19, 2021, 11:18:29 AM
"J. P. Gilliver (John)" wrote:
> On Mon, 15 Nov 2021 at 08:26:48, Mayayana wrote:
>>I updated mine according to this webpage:
>>
>><https://msfn.org/board/topic/175170-root-certificates-and-revoked-certificates-for-windows-xp/>
> []
> Will that help with a very old Firefox running on W7?

No. FF has its own cert store.

> I get quite a lot of cases where I have to accept the exception (or
> something like that) but then it works; in (I think it is) the last
> week or two, I've had a few that just won't connect, and don't give
> me the option to override the warning.

Depending on how old your FF is, it may not support the encryption
algorithm the site wants to use. No amount of updated certs will help
with that and FF won't be able to override. It might be useful if you
could note here which URLs are giving trouble and what version of FF
you're using.


Mayayana

Nov 19, 2021, 12:31:39 PM
"Apd" <n...@all.invalid> wrote

| Depending on how old your FF is, it may not support the encryption
| algorithm the site wants to use.

Why do you think that? TLS 1.3 was added in FF 49. In 52.9
I have security.tls.version.max set to 4 and fallback-limit set
to 3. 1.3 was new 2 years ago. I'm not aware of any TLS 1.4.
Even when the latest isn't supported, sites should use the next
one down. Some sites won't support 1.1, for example.

(The settings add 1 to the level because 1.0 is 1. So 1.2
is 3 and 1.3 is 4.)

I seem to remember that some people were using things like
FF 28. But that still supports 1.2. Anyone who thinks they may have
trouble can check about:config to make sure they're running at
full capacity.


Apd

Nov 19, 2021, 3:14:58 PM
"Mayayana" wrote:
> "Apd" wrote:
>| Depending on how old your FF is, it may not support the encryption
>| algorithm the site wants to use.
>
> Why do you think that?

It's another thing to consider. Each TLS version specifies various
cyphers (cypher suite) that can be used. I don't know what obligation
a server has in the way of full support for all in any given TLS
version or if a browser would implement them all. Perhaps someone can
clarify. I know I've had the odd message that a particular cypher
was not understood (may not have been Firefox).

https://en.wikipedia.org/wiki/Cipher_suite

> TLS 1.3 was added in FF 49. In 52.9
> I have security.tls.version.max set to 4 and fallback-limit set
> to 3. 1.3 was new 2 years ago. I'm not aware of any TLS 1.4.
> Even when the latest isn't supported, sites should use the next
> one down. Some sites won't support 1.1, for example.

Exactly.

> (The settings add 1 to the level because 1.0 is 1. So 1.2
> is 3 and 1.3 is 4.)

The default in FF 52.9 is 3 so I wonder if 1.3 is fully supported.

> I seem to remember that some people were using things like
> FF 28. But that still supports 1.2. Anyone who thinks they may have
> trouble can check about:config to make sure they're running at
> full capacity.

I believe JPG is/was using a very old ver of FF.


Mayayana

Nov 19, 2021, 5:44:54 PM
"Apd" <n...@all.invalid> wrote

|
| > (The settings add 1 to the level because 1.0 is 1. So 1.2
| > is 3 and 1.3 is 4.)
|
| The default in FF 52.9 is 3 so I wonder if 1.3 is fully supported.

Look it up. FF 49. The reason it defaults to 3 (TLS 1.2)
is because 4 (1.3) is fairly new and may not be supported
everywhere. The browser is supposed to do a "handshake",
offering what versions it supports, then the server picks the
highest that it supports. So there shouldn't be any problems.
Except possibly with assholes like Google who love to tell you
last week's browser is not sufficient.

Anyone using FF 52 should set the default to 4 (TLS 1.3)
and the fallback to 3. Then all sites should be able to
handle it.


Apd

Nov 19, 2021, 7:29:37 PM
"Mayayana" wrote:
> "Apd" wrote
>| The default in FF 52.9 is 3 so I wonder if 1.3 is fully supported.
>
> Look it up. FF 49.

I have, and before FF 63 they were draft versions. Bugzilla mentioned
some compatibility issues but stated "It's fairly safe to flip the
pref if you know what to expect".

> Anyone using FF 52 should set the default to 4 (TLS 1.3)
> and the fallback to 3. Then all sites should be able to
> handle it.

I take it you haven't had problems so I'll try it.


Paul

Nov 19, 2021, 11:58:26 PM
On 11/19/2021 9:59 PM, Steve Hayes wrote:
> On Fri, 19 Nov 2021 16:17:49 -0000, "Apd" <n...@all.invalid> wrote:
>
>> Depending on how old your FF is, it may not support the encryption
>> algorithm the site wants to use. No amount of updated certs will help
>> with that and FF won't be able to override. It might be useful if you
>> could note here which URLs are giving trouble and what version of FF
>> you're using.
>
> One that none of my browsers will override is
>
> http://www.oca.org
>
> Firefox reports an expired certificate, and won't override.
>
> Maxthon reports that Avast has blocked it.
>
> Opera does something similar.
>
> Firefox 41 still gets me into Google & Wordpress, and most pages of
> GoodReads, other than book description pages, which won't display
> properly.

Sent this link:

https://www.ssllabs.com/ssltest/analyze.html?d=www.oca.org

Five minutes later, the report, a part of which is...

https://www.ssllabs.com/ssltest/analyze.html?d=www.oca.org&s=45.79.144.159 <=== returned result

Mozilla (but the Windows entry is the same)

Path #1: Trusted
1 Sent by server oca.org
Fingerprint SHA256: a72baf3558270f9629b28f5beda73defc54ceddc54d5237ae6b9064644e57cb4
Pin SHA256: I3N6VhKN9Hxzh6f1I2Kq6ZZBtYGbdhMLiED3t8u7NLs=
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server R3
Fingerprint SHA256: 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
Pin SHA256: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
RSA 2048 bits (e 65537) / SHA256withRSA
3 In trust store ISRG Root X1 Self-signed
Fingerprint SHA256: 96bcec06264976f37460779acf28c5a7cfe8a3c0aae11a8ffcee05c0bddf08c6
Pin SHA256: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
RSA 4096 bits (e 65537) / SHA256withRSA

Path #2: Not trusted (invalid certificate [Fingerprint SHA256:
0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739])
1 Sent by server oca.org
Fingerprint SHA256: a72baf3558270f9629b28f5beda73defc54ceddc54d5237ae6b9064644e57cb4
Pin SHA256: I3N6VhKN9Hxzh6f1I2Kq6ZZBtYGbdhMLiED3t8u7NLs=
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server R3
Fingerprint SHA256: 67add1166b020ae61b8f5fc96813c04c2aa589960796865572a3c7e737613dfd
Pin SHA256: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
RSA 2048 bits (e 65537) / SHA256withRSA
3 Sent by server ISRG Root X1
Fingerprint SHA256: 6d99fb265eb1c5b3744765fcbc648f3cd8e1bffafdc4c2f99b9d47cf7ff1c24f
Pin SHA256: C5+lpZ7tcVwmwQIMcRtPbsQtWLABXhQzejna0wHFr8M=
RSA 4096 bits (e 65537) / SHA256withRSA
4 In trust store DST Root CA X3 Self-signed
Fingerprint SHA256: 0687260331a72403d909f105e69bcf0d32e1bd2493ffc6d9206d11bcd6770739
Pin SHA256: Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=
RSA 2048 bits (e 65537) / SHA1withRSA
Valid until: Thu, 30 Sep 2021 14:01:15 UTC
EXPIRED
Weak or insecure signature, but no impact on root certificate

Which sure looks like the handiwork of LetsEncrypt certificate scheme.
Even though their name isn't mentioned in the listing. I think the
ISRG Root is theirs.

The site gets a grade of "B" because it supports TLS 1.0 and TLS 1.1,
as well as the others. At least it cuts off SSL2 and SSL3. The expired
certificate likely doesn't modify the rating.

Paul

Apd

Nov 20, 2021, 6:54:46 AM
"Steve Hayes" wrote:
> One that none of my browsers will override is
>
> http://www.oca.org
>
> Firefox reports an expired certificate, and won't override.

The site is using certs from LetsEncrypt and there were problems with
them recently. The ones they present to my FF 52.9 are ok. In Paul's
report there is mention of DST Root CA X3 which is now expired. Your
browser should not be trying to use that.

Your browser should be using updated certs from ISRG (LetsEncrypt);
in particular, these should do the job:

- ISRG Root X1 (Self-signed)
- Let's Encrypt R3 (Signed by ISRG Root X1)

Get them from: <https://letsencrypt.org/certificates/> and install
into Firefox. You may also want to install them in WinXP.

> Maxthon reports that Avast has blocked it.
>
> Opera does something similar.

They would also need updating. I don't know if they use in-browser
certs like Firefox or the system ones.

> Firefox 41 still gets me into Google & Wordpress, and most pages of
> GoodReads, other than book description pages, which won't display
> properly.

The most recent Firefox which runs on XP is 52.9 and I don't recall
needing to update its certs.
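
The two certification paths in the SSL Labs report quoted above, together with the 2016 system clock found earlier in the thread, modelled as an added example (not code from any poster): a simplified check of validity windows and trust anchors that does not verify signatures. All validity dates are constructed for illustration except the DST Root CA X3 expiry, which is the report's "Valid until" value; the function names are hypothetical.

```python
"""Added example: why a wrong clock or an old root store breaks this chain."""
from dataclasses import dataclass
from datetime import datetime, timezone


def utc(y, m, d, hh=0, mm=0, ss=0):
    return datetime(y, m, d, hh, mm, ss, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime


# Constructed validity windows (illustrative), except DST_X3.not_after,
# which is the "Valid until" line in the report.
LEAF = Cert("oca.org", "R3", utc(2021, 10, 1), utc(2021, 12, 30))
R3 = Cert("R3", "ISRG Root X1", utc(2020, 9, 4), utc(2025, 9, 15))
X1_SELF = Cert("ISRG Root X1", "ISRG Root X1", utc(2015, 6, 4), utc(2035, 6, 4))
X1_CROSS = Cert("ISRG Root X1", "DST Root CA X3",
                utc(2021, 1, 20), utc(2024, 9, 30))
DST_X3 = Cert("DST Root CA X3", "DST Root CA X3",
              utc(2000, 9, 30), utc(2021, 9, 30, 14, 1, 15))

# The two paths exactly as the report lists them, leaf first.
PATHS = {
    "Path #1": [LEAF, R3, X1_SELF],
    "Path #2": [LEAF, R3, X1_CROSS, DST_X3],
}


def path_problems(path, now, trust_store):
    """Return every reason this path fails for a client whose clock reads
    `now` and whose root store holds the subjects in `trust_store`."""
    problems = []
    # Each certificate must name the next one in the path as its issuer.
    for child, parent in zip(path, path[1:]):
        if child.issuer != parent.subject:
            problems.append(("chain", child.subject, "issuer_mismatch"))
    # The last certificate must be a root the client already trusts.
    anchor = path[-1]
    if anchor.subject not in trust_store:
        problems.append(("anchor", anchor.subject, "untrusted_root"))
    # Every certificate must be inside its validity window at `now`.
    # This model rejects an expired root, as the report does for Path #2.
    for i, cert in enumerate(path):
        role = "leaf" if i == 0 else "issuer"
        if now < cert.not_before:
            problems.append((role, cert.subject, "not_yet_valid"))
        elif now > cert.not_after:
            problems.append((role, cert.subject, "expired"))
    return problems


def first_trusted_path(paths, now, trust_store):
    """Name of the first path with no problems, or None if all fail."""
    for name, path in paths.items():
        if not path_problems(path, now, trust_store):
            return name
    return None


if __name__ == "__main__":
    both_roots = {"ISRG Root X1", "DST Root CA X3"}
    old_store = {"DST Root CA X3"}  # root store that predates ISRG Root X1
    cases = (
        ("clock stuck at 2016-07-09", utc(2016, 7, 9), both_roots),
        ("clock corrected, both roots", utc(2021, 11, 15), both_roots),
        ("clock corrected, old store", utc(2021, 11, 15), old_store),
    )
    for label, now, store in cases:
        print(label, "->", first_trusted_path(PATHS, now, store))
        for name, path in PATHS.items():
            print("   ", name, path_problems(path, now, store))
```

With the clock in 2016 every path fails on a not-yet-valid issuer regardless of the root store; with the clock corrected, only a client that has ISRG Root X1 in its store finds a usable path.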


Mayayana

Nov 20, 2021, 8:55:57 AM
"Steve Hayes" <haye...@telkomsa.net> wrote

| One that none of my browsers will override is
|
| http://www.oca.org

Like Apd, it works fine for me in FF 52.9. Why not
update? I know they broke a lot of things, but there
are extensions.

The site is an unholy mess, I must say, for a Christian
organization. :) But that's not uncommon these days.

I'm still having a hard time figuring out why so many
sites are mostly covered with gray in FF. I have to disable
CSS to see them. In some cases it seems to be a deliberate
attempt to block people who don't enable script. They
just plop a full-window DIV with a high z-order on top of
the page, which script then removes. I've been
able to cure some problems by blocking display of those
classes in userContent.css. This particular site looks like
it's the usual pile-of-crap overuse of script by people using
templates and script snippets who don't know what they're
doing. But the really odd thing is that in IE6 without script
it actually doesn't look too bad!



J. P. Gilliver (John)

Nov 20, 2021, 10:58:45 PM
On Fri, 19 Nov 2021 at 16:17:49, Apd <n...@all.invalid> wrote (my
responses usually follow points raised):
>"J. P. Gilliver (John)" wrote:
>> On Mon, 15 Nov 2021 at 08:26:48, Mayayana wrote:
>>>I updated mine according to this webpage:
>>>
>>><https://msfn.org/board/topic/175170-root-certificates-and-revoked-certificates-for-windows-xp/>
>> []
>> Will that help with a very old Firefox running on W7?
>
>No. FF has its own cert store.

I thought I'd read that, so feared as much.
>
>> I get quite a lot of cases where I have to accept the exception (or
>> something like that) but then it works; in (I think it is) the last
>> week or two, I've had a few that just won't connect, and don't give
>> me the option to override the warning.
>
>Depending on how old your FF is, it may not support the encryption
>algorithm the site wants to use. No amount of updated certs will help
>with that and FF won't be able to override. It might be useful if you
>could note here which URLs are giving trouble and what version of FF
>you're using.
>
27.0.1 (which was old even under XP). I'm not worried - I use Chrome
(up-to-date, at least fairly; I'm on Windows 7) for anything FF won't
handle. I just like the UI of this old Firefox, and also on the pages
that _do_ work with it, I think they work faster, though couldn't prove
that. Certainly the equally old version of the DownloadHelper extension
works - and without the slowdown a certain video hosting site has
recently started imposing, too.
>
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

<This space unintentionally left blank>.

Mayayana

Nov 21, 2021, 8:29:20 AM
"Steve Hayes" <haye...@telkomsa.net> wrote

| > Like Apd, it works fine for me in FF 52.9. Why not
| >update? I know they broke a lot of things, but there
| >are extensions.
|
| I was using it, but upgrade to v 41, the versions before pockets. I
| don't want to have to go away and read a chapter of a book while
| waiting for a web page to load.
|

Weird. I never heard of pockets. I had to look it
up. Maybe that was the icon that looks like a few
books, on the toolbar? There are some nonsense
things I always remove, but I never noticed pockets
before. It turns out I had it "enabled", whatever
that means. :)

Firefox is certainly slow and bloated. I like New Moon,
Pale Moon, or Waterfox better. But once FF is started I
find pages generally load instantly. However, I also customize.
I use NoScript to block all script unless I really need it.
I use a HOSTS file to block spyware and ads from 3rd
parties. I don't allow videos to load. I block all prefetching...
So Firefox only needs to load an actual webpage, not 4
MB of javascript software and 19MB of MP4s. I'm still
surprised when I see someone else's computer, with things
jumping all around on webpages. For me, if a webpage
doesn't sit still then something needs to be fixed. But
it's an ongoing battle. Fools who love trinkets are forever
trying to jazz up their pages. I've needed to block CSS display
of :before, :after, transform and animation, in order to block
such things as logos dripping fluorescent green and slideshows
on speed.


VanguardLH

Nov 21, 2021, 5:13:36 PM
Lawrence Aracabia <Lawrence...@Aracabia.com> wrote:

> Someone gave me a Windows XP 5.1.2600 laptop that works fine when
> booting but I can't yet find a browser for it that will connect to
> the Internet.
>
> ...
>
> My two main questions are really a result of the first problem.
> (1) How can I get a web browser for that WinXP that works on the
> Internet?
> (2) ...

You give no details of what qualifies as no access to the Internet.
Have you tried connecting your web browsers to your router (whether a
separate device, or built into a cable modem)? The router has its own
internal web server to let you configure it. You may find you can
connect to intranet hosts, like the web browser built into the router,
but not to Internet hosts.

Other than web browser, have you tried any other network-capable client
to see if you can get Internet access? Have you tried opening a command
shell, and tried either pinging a web site or doing a traceroute to it?

ping www.intel.com
tracert www.intel.com

You don't mention if you tried to connect to both HTTP-only and HTTPS
web sites, or have only tried to connect to HTTPS web sites. No mention
of where you tried to connect. What is the FQDN (fully qualified
domain name), including the protocol (HTTP or HTTPS), to where you have
tried to connect?

Is Internet access paid by you, or by your parents, your employer, or
someone else? If someone else is managing the network setup, could be
they configured the router with its firewall, or another upstream
firewall, as to which devices can connect to it. For example, routers
can often be configured to allow only certain devices by MAC address to
connect to it. Since the computer is new to your network, could be it
was not added to the MAC list of devices allowed to connect to the
router. Can you connect from your host via web browser to the internal
web server in the router? Mine only uses HTTP, so I cannot use it to
ensure HTTPS is working okay from my host. It does let me see if basic
networking via HTTP is working, though. If the router is separate from
your DSL/cable modem, you could bypass the router by disconnecting it
from the DSL/cable modem, and plugging your computer directly to a LAN
port on the DSL/cable modem using a wired connection (while also
bypassing any wifi issues).

Does your router support both IPv4 and IPv6? Some old ones don't
support IPv6. The sites you may be trying to connect to may only support
IPv6; that is, they have no IPv4 address. We don't know to where you
tried to connect. Also, routers that support both IPv4 and IPv6 may
have different security settings for each addressing method.

Lots of sites are dropping support for old versions of Firefox. The
latest you can get for Windows XP is Firefox 52ESR. You can alter the
UA (User Agent) string the web client sends to the server, but that
won't magically change the web browser to support later features
demanded by many web sites. The old version of Firefox is also not
maintained. You might look into using MyPal. While it was forked off
of Pale Moon which was forked off an old version (pre-52ESR aka
pre-Quantum) of Firefox, it is maintained.

Do you use an anti-virus or other anti-malware program? If so, many
will intercept your web traffic to interrogate its content for malicious
content. With HTTP, it simply operates as a transparent proxy.
However, for HTTPS, a proxy cannot decrypt the encrypted traffic to look
at its content. To do that, AVs use the MITM (Man-In-The-Middle)
hacking trick. They install a root certificate into the global OS
certificate store (in Windows, run certmgr.msc), but they have to also
insert their certificate into Firefox's private certificate store (in
Firefox, go to about:preferences#privacy -> View Certificates). I've
not found Mozilla explain why they want to wrest cert control away from
the OS to provide their own private cert store. If the AV's cert
doesn't install in Firefox, there is no cert to use with the MITM scheme
where the web browser uses HTTPS to connect to the AV's proxy using the
installed AV's certificate (to do the encryption from proxy to web
client) and to do HTTPS to the server (encryption from proxy to server).
The proxy does HTTPS at both endpoints (web client and server), but
internally the HTTPS traffic gets decrypted, so the AV can inspect the
web traffic.

If the AV's cert doesn't get installed into Firefox, the AV's proxy
cannot do HTTPS using MITM to both the web client and to the server. If
their certificate expires (one of the reasons you need to keep the AV
updated), it cannot be used by the AV's proxy. In either case, the AV
proxy will allow HTTP connects (because no cert is needed for MITM), but
cannot do HTTPS (cert is missing or expired or invalid). You'll find
other web browsers can connect to HTTPS sites, because they use the OS
global cert store (that the AV added when it was installed or updated).
Firefox fails on HTTPS sites when the AV's cert is missing, expired, or
invalid for the copy installed into Firefox's private cert store.

The AV /should/ provide a means to reinstall their cert into Firefox's
private cert store. Alas, not all do, so the only way to fix the
problem is uninstall and reinstall the AV.

I use a stream capture program that uses the MITM scheme, and it
installs their cert into both the OS global cert store (to use with
non-Mozilla web browsers) and their cert into Firefox's private cert
store. When Firefox can no longer connect to HTTPS sites, the software
has an option to reinstall their cert into Firefox's private cert store,
and HTTPS connections work again. One time was due to a change in how
certs can be specified for multiple domains, so the old cert became
invalid, and I had to get a new one. Another time their cert had
expired, so I had to get a new one. Without their cert (in the OS
global cert store for non-Mozilla web browsers, or in Firefox's internal
cert store), the encrypted web traffic cannot be interrogated by the
local proxy doing the capture. I could capture videos from HTTP sites,
but there are none that I know of with video content that are HTTP, so most
video content is from HTTPS sites, and where MITM is required to capture
the videos (or to find from that content where are the video sources to
capture from there).

AV's and video stream capture software aren't the only programs that use
the MITM scheme to interrogate HTTPS traffic. However, if their cert is
lost, never installed, expires, or becomes invalid, you can no longer
connect to HTTPS sites. In fact, your web client can't even connect via
HTTPS to their local transparent proxy.

You hint at trying multiple web browsers, but don't mention which.
Since Firefox uses its own private (internal) cert store, so do the
variants of Firefox. Which *non-Mozilla* web browsers have you tried?
Non-Mozilla web browsers (e.g., Internet Explorer, Chrome) use the OS
global cert store.

Without details, responses will be as unfocused as your post is vague.

I did not address the wifi issues since that is a separate topic, and
should be discussed in a separate thread. Besides, the details
regarding your phone and wifi setup are just as vague. I don't know
what you consider a typical wifi hotspot. Many require login to use
them, some are private, and some may require later wifi protocols than
your hardware supports.

Paul

Nov 21, 2021, 7:23:30 PM
On 11/21/2021 5:13 PM, VanguardLH wrote:
> Lawrence Aracabia <Lawrence...@Aracabia.com> wrote:
>
>> Someone gave me a Windows XP 5.1.2600 laptop that works fine when
>> booting but I can't yet find a browser for it that will connect to
>> the Internet.
>>
>> ...
>>
>> My two main questions are really a result of the first problem.
>> (1) How can I get a web browser for that WinXP that works on the
>> Internet?
>> (2) ...
>
> You give no details of what qualifies as no access to the Internet.

This corresponds to the mass dropout of https-only sites,
after the recent LetsEncrypt incident. Users view what
they are seeing as "no access to Internet". Which is a fair
description, when suddenly nothing works and you don't know why.

This is not a "ping" style issue, it's a certificate issue
for https usage. And the "HTTPS Everywhere" campaign has
caused a large outage for WinXP users, who are badly in
need of a browser that runs on WinXP and has an up-to-date
certificate store.

There are two levels of issues. Manual repair of a certificate
store, following the instructions on the LetsEncrypt site.

But HTTPS is more than certificates, it's also crypto
algorithms, such as CHACHA20. You can fail to connect
to some sites, because of their fairly picky choice of
crypto. I ran into one site, with TLS 1.3 and only two
crypto choices. A "highest class possible" site,
prepared by some paranoid person. The content on the site,
did not need this, it was a kind of showing off I would guess.

# Analyze a web site, for characteristics. Takes five minutes or less.
# Be patient. Attach the IP as the end argument, as shown.

https://www.ssllabs.com/ssltest/analyze.html?d=www.some.com

# Display the characteristics of the browser, whether you left
# SSL switched on when it should be off. Only TLS should be used.
# This URL never needs to be edited, just plop and use.

https://www.ssllabs.com/ssltest/viewMyClient.html

If you have a traditional failure, it shows in the tray,
as a different icon.

Paul
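
[Added example, not part of either post: a simplified model of the two failure layers Paul describes (protocol/cipher versus certificate store) and of the per-browser store difference VanguardLH describes, where a root present in the OS store but missing from a browser's private store breaks HTTPS for that browser only. The client and site capability sets, root names and dates are constructed for illustration, not measured from real software.]

```python
from datetime import date

ORDER = ["TLS1.0", "TLS1.1", "TLS1.2", "TLS1.3"]  # oldest to newest

def diagnose(client, server, today):
    """Return (layer, detail) for the first handshake step that fails, or ("ok", ...)."""
    shared = [v for v in ORDER if v in client["suites"] and v in server["suites"]]
    if not shared:
        return ("protocol", "no TLS version in common")
    version = shared[-1]  # simplification: the highest shared version is selected
    # The server's preference order decides the suite in this model.
    suite = next((s for s in server["suites"][version]
                  if s in client["suites"][version]), None)
    if suite is None:
        return ("cipher", "no cipher suite in common for " + version)
    expiry = client["roots"].get(server["root"])
    if expiry is None:
        return ("trust", "root '%s' is not in this client's store" % server["root"])
    if expiry < today:
        return ("trust", "root '%s' expired on %s" % (server["root"], expiry))
    return ("ok", version + " " + suite)

def fixed_by_store_update(result):
    """Only trust-layer failures can be repaired by editing a certificate store."""
    return result[0] == "trust"

# Constructed sample data (hypothetical root names and capability lists).
OS_STORE = {"Example Old Root": date(2021, 9, 30), "Example New Root": date(2035, 6, 4)}
PRIVATE_STORE = {"Example Old Root": date(2021, 9, 30)}  # browser's own store, never updated
old_browser = {"suites": {"TLS1.0": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"],
                          "TLS1.2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]},
               "roots": PRIVATE_STORE}
os_browser = dict(old_browser, roots=OS_STORE)  # same engine, but trusts the OS store
strict_site = {"suites": {"TLS1.3": ["TLS_AES_256_GCM_SHA384",
                                     "TLS_CHACHA20_POLY1305_SHA256"]},
               "root": "Example New Root"}
chacha_site = {"suites": {"TLS1.2": ["TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256"]},
               "root": "Example New Root"}
plain_site = {"suites": {"TLS1.2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]},
              "root": "Example New Root"}
old_root_site = dict(plain_site, root="Example Old Root")
TODAY = date(2021, 11, 21)

if __name__ == "__main__":
    for site in (strict_site, chacha_site, plain_site, old_root_site):
        for browser in (old_browser, os_browser):
            print(diagnose(browser, site, TODAY))
```
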

John Dulak

Nov 22, 2021, 12:37:00 PM
On 11/21/2021 7:23 PM, Paul wrote:
>the "HTTPS Everywhere" campaign TLS should be used.

Paul:

I know what you mean about HTTPS everywhere.

A local radio station offers a streaming service as well as an FM signal. They
recently changed their streaming link to an HTTPS link. I was using an old 486
pc as a music server running Windows 98se and Winamp 5.35 wired into my amp and
end table speakers. The new link;

https://pubmusic.streamguys1.com/wzum-aac

Would not work on Windows 98se but would work on XP. I edited the link to;

http://pubmusic.streamguys1.com/wzum-aac

And 98se worked just fine.

All of which made me wonder just what the point was of using an encrypted link
for something they are giving away for free and even broadcasting!!

Beam me up Scotty! There is not enough intelligent life down here to bother with.

John


--
\\\||///
------------------o000----(o)(o)----000o----------------
----------------------------()--------------------------
'' Madness takes its toll - Please have exact change. ''
