USPS.com requiring modern browsers starting back in April
-
Just noticed this red banner message on usps.com while checking shipping status: ALERT: AS OF APRIL 30, USPS.COM NO LONGER SUPPORTS OUTDATED BROWSERS. TO CONTINUE ACCESS, YOU MAY NEED TO UPGRADE YOUR BROWSER. There's a Read More link that took me to a page saying my browser was ok.
I know it's apparently been online for a while now but I just noticed the message. Anybody know why this effort now? Are particular types of vulnerabilities making this common from now on? Is it just some security person with not enough other work to do?
-
@mikehurley They probably finally caught on to that time I had to use Firefox Dev Tools to disable the broken validation code on their online change-of-address form, and think the site got "hacked".
-
I recently tried to apply for a credit card. Attempting to use the latest version of Chrome or Firefox just sent me to a page telling me that I need to update my browser. Internet Explorer was the only browser I tried that worked.
I decided I really don't want to do business with someone that fucked up.
-
@mikehurley said in USPS.com requiring modern browsers starting back in April:
Anybody know why this effort now?
Almost all API-based services are moving to TLS1.2 only. UPS has been in the "we're shifting to TLS1.2" for a couple years now. So have most payment providers.
Seems that this year they're actually serious about cutting off access to non-TLS1.2 enabled browsers.
-
@lorne-kates Yes I realize I said UPS there, but USPS too. Everyone who is PCI compliant.
30 June 2018 is the deadline for disabling SSL/early TLS and implementing a more secure encryption protocol – TLS 1.1 or higher (TLS v1.2 is strongly encouraged) in order to meet the PCI Data Security Standard (PCI DSS) for safeguarding payment data.
-
@lorne-kates said in USPS.com requiring modern browsers starting back in April:
PCI compliant.
-
@el_heffe said in USPS.com requiring modern browsers starting back in April:
@lorne-kates said in USPS.com requiring modern browsers starting back in April:
PCI compliant.
Everyone who wants to keep paying the PCI tax to get their "compliant" sticker & juice box.
-
@lorne-kates we have to, can't do Mastercard and Visa without that sticker
-
@sockpuppet7 said in USPS.com requiring modern browsers starting back in April:
@lorne-kates we have to, can't do Mastercard and Visa without that sticker
only because ur slave to FIAT bullshit have u heard of cryptocur
-
Maybe they're dropping support for IE 4?
-
@ben_lubar said in USPS.com requiring modern browsers starting back in April:
Maybe they're dropping support for IE 4?
Seriously, IE 10 doesn't support TLS 1.2 without a tweak
-
@sockpuppet7 said in USPS.com requiring modern browsers starting back in April:
@lorne-kates we have to, can't do Mastercard and Visa without that sticker
We self-declare (SAQ) for our PCI compliance status. When we used an external company all they did was run a copy of SAINT against our infra anyway.
-
@zemm said in USPS.com requiring modern browsers starting back in April:
@ben_lubar said in USPS.com requiring modern browsers starting back in April:
Maybe they're dropping support for IE 4?
Seriously, IE 10 doesn't support TLS 1.2 without a tweak
It sure was fun dealing with GitHub turning TLS <1.2 off when you develop in .NET and TLS 1.2 is disabled by default for reasons nobody has adequately explained to me so far.
-
@lorne-kates said in USPS.com requiring modern browsers starting back in April:
@sockpuppet7 said in USPS.com requiring modern browsers starting back in April:
@lorne-kates we have to, can't do Mastercard and Visa without that sticker
only because ur slave to FIAT bullshit have u heard of cryptocur
-
@ben_lubar said in USPS.com requiring modern browsers starting back in April:
when you develop in .NET and TLS 1.2 is disabled by default for reasons nobody has adequately explained to me so far.
Because Microsoft 100% follows standards and TLS 1.2 is just a thing everyone else in the industry made up with their brain aliens. Also, it isn't a failing of TLS 1.2, it's bad hardware drivers.
-
@ben_lubar said in USPS.com requiring modern browsers starting back in April:
It sure was fun dealing with GitHub turning TLS <1.2 off when you develop in .NET and TLS 1.2 is disabled by default for reasons nobody has adequately explained to me so far.
I thought that was only below a certain framework version (4.6?), and that above that it worked out of the box?
-
@unperverted-vixen That's what the documentation says. The reality is that you need to manually set it in
ServicePointManager
even in newer versions. And they declined to make it an app.config setting, so we have to do it in source code like some sort of neanderthal!
-
@twelvebaud said in USPS.com requiring modern browsers starting back in April:
@unperverted-vixen That's what the documentation says. The reality is that you need to manually set it in
ServicePointManager
even in newer versions. And they declined to make it an app.config setting, so we have to do it in source code like some sort of neanderthal!Unfortunately, the compat team has higher standing than the security team at Microsoft.