Breaking Changes in Major Web Browsers / Web Hosts
Posted by Jeff Williams, Dev Team Mgr on May 8, 2017
If you suddenly started having issues with websites (corporate/intranet/other) and/or have integration systems that have stopped working, read on, as these issues might be the cause. If you need assistance, email us at Support@Crestwood.com and one of our experts can help.
- SHA1 / HTTPS issues
Starting back in February, both Google and Mozilla pushed updates to their browsers (Chrome/Firefox) that fully deprecated SHA1 certificates. This went into effect with Chrome version 56 and Firefox version 51. Microsoft plans to do this same update mid-year for Internet Explorer and Edge.
Technical Explanation: Secure websites (HTTPS) are encrypted using an SSL certificate. These SSL certificates are created using various SSL versions / methods, one of which is SHA1 / TLS 1.0. A few years ago, this encryption type was identified as having a flaw and was easily exploitable. While the major certificate provider companies have already moved on from SHA1, many internally signed certificates and/or long-term certificates are still SHA1 based.
Result: With the update to these browsers, any site the user visits that is still using a SHA1 certificate is now flagged as “Not Secure”, which results in various issues (nasty warning to the users, various callbacks disabled, etc.).
Corrective Action: The website must be upgraded to utilize a newer certificate type (SHA256 / TLS 1.2 being the most common) to be fully supported by both Chrome and Firefox (and eventually IE).
- Web Services / DOTNET (Development / Software issue)
Technical Explanation: In response to the above item and pressure from Microsoft with recent Windows server updates, many service companies have disabled the ability for their websites to accept SHA1 encryption. While browsers themselves have already taken steps to correct this, the change does affect dotnet-based applications leveraging web services. The challenge here is that in all current versions of dotnet (2.0 – 4.6.2) the default encryption is SHA1. Steps must be taken in the application code to leverage anything higher. In addition to this, up until dotnet 4.5.1, SHA1 was the only allowed type supported.
Result: Applications that utilize web services will stop functioning as soon as the provider puts this change into effect.
Corrective Action: This is a twofold correction. First, to continue to function, all applications need to be upgraded to utilize at least the 4.5.1 framework. Second, the application must also be reconfigured to recognize higher versions of SSL encryption.
- Chrome Security Changes
In addition to the change in security, Google has taken extra steps starting in Chrome 56 and more in 57 that are causing other issues.
- Mixed “HTTP” / “HTTPS” sites are now marked as insecure – this means calls from an HTTP page (non-secure) to an HTTPS page (secure) will be disabled. Login pages often do this.
- Any site that captures login information or credit card information (or Chrome ‘thinks’ it is) from a non-secure page will be disabled. Chrome will no longer capture/submit these types of fields without user intervention.
- 3rd party plugins are now being handled as less secure, and sites that utilize them need to be added explicitly to Chrome’s exception list. This particularly affects “Adobe Flash” in Chrome. Any site that utilizes Flash plugins (or others) must be added to the “Exception” list or Chrome will not allow the plugins to function. This is a major issue for sites (such as Salesforce) that utilize Flash plugins for various functionality.
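To find your own pages that fall under the login / credit card item above before users hit the warning, the following added example (not from the original post or from Chrome) scans a page's HTML for password and credit-card inputs served over HTTP. The autocomplete tokens used to spot card fields and the extra check on the form's submit target are assumptions of this sketch; Chrome's own heuristics are broader.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Assumption: these autocomplete tokens stand in for Chrome's card-field heuristics.
CARD_TOKENS = {"cc-number", "cc-csc", "cc-exp", "cc-exp-month", "cc-exp-year", "cc-name"}


class SensitiveFieldFinder(HTMLParser):
    """Collects password/credit-card inputs and form targets from one page."""
    def __init__(self):
        super().__init__()
        self.sensitive = []     # e.g. ["password:pw", "card:cardno"]
        self.form_actions = []  # raw action attributes, may be relative or empty

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self.form_actions.append(a.get("action", ""))
        elif tag == "input":
            name = a.get("name") or a.get("id") or "?"
            if a.get("type", "text").lower() == "password":
                self.sensitive.append("password:" + name)
            elif set(a.get("autocomplete", "").lower().split()) & CARD_TOKENS:
                self.sensitive.append("card:" + name)


def audit_page(page_url, html):
    """Return a list of findings for one page; an empty list means nothing flagged."""
    finder = SensitiveFieldFinder()
    finder.feed(html)
    if not finder.sensitive:
        return []
    findings = []
    if urlparse(page_url).scheme != "https":
        findings.append("sensitive fields on non-HTTPS page: " + ", ".join(finder.sensitive))
    for action in finder.form_actions:
        target = urljoin(page_url, action)  # resolve relative/empty actions
        if urlparse(target).scheme != "https":
            findings.append("form submits to non-HTTPS target: " + target)
    return findings


# Constructed sample pages (not from the article).
LOGIN = '<form action="https://intranet.example/login"><input type="password" name="pw"></form>'
SHOP = '<form action="/pay"><input name="cardno" autocomplete="cc-number"></form>'

if __name__ == "__main__":
    for url, page in [("http://intranet.example/", LOGIN), ("https://shop.example/cart", SHOP)]:
        print(url, audit_page(url, page) or "OK")
```

The first sample is flagged even though its form posts to HTTPS, because the page holding the password field is itself served over HTTP.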
- HTTPS required notification
Both Google and Mozilla have announced that by the end of 2017, ALL sites that are non-secure (HTTP) will be marked as such and have limited functionality. If you notice anyone still using HTTP for their websites, we need to recommend that they obtain a certificate and utilize HTTPS for this site.
If you have further questions, email us at Support@Crestwood.com