
XP Problems


5 replies to this topic

#1 LucidGus

LucidGus

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:52 AM

Posted 22 November 2015 - 10:19 PM

Mod Edit:  Split from http://www.bleepingcomputer.com/forums/t/572896/ie7-wont-connect-to-some-secure-websites/ - Hamluis.

 

Hi OP, I'm having the same problem.

 

Recently I started having the "cannot display the webpage" problem under Windows XP SP2 with IE 8 when accessing secure (HTTPS) websites. Actually it started with IE 7, then I updated to IE 8 and the problem persisted, now I'm back to IE 7 again due to several other issues that IE 8 presented.
 
The problem is clearly to do with secure websites. I'm unsure of what changed IE's behavior. Everything was working fine 2 months ago.
 
IE7 is using SSL 3.0, 2.0 and TLS 1.0. Although it sounds logical that secure websites are simply refusing older browsers to connect to them, it's not the case. An enormous percentage of browser users, millions of people worldwide, are still using Windows XP. Websites would have to block users according to their User Agent strings, and I did try changing (faking) my UA string to no avail. I will try again today with other UA strings and report the results.
 
I tried everything under the sun and the problem still persists. Every HTTPS website, including the many *.google.com websites, is inaccessible, except for maybe 1 or 2 websites, like the Gibson Research website. I can access https://www.grc.com fine with my bugged IE7. I'm really curious if Steve Gibson would know what server configuration in GRC.com is setting it apart from all the other HTTPS websites.
 
I'm a computer scientist and I really tried to go to the core of this problem, and all I could find was that IE7 and the server simply stop communicating after the initial connection to the website. IE8 sends an SSL encrypted message containing a 'Change Cipher Spec Message (20)' and a 'Handshake Protocol: Encrypted Handshake', but no 'Application Data' is included in the packet or sent afterwards in another packet. Both Google Chrome and Firefox at this point send Application Data and the website is correctly loaded. I used a Windows network packet analyzer to check this information.
 
Next thing you see is that IE7 asks the server to drop the connection before any HTML data can be exchanged. It simply closes the connection. Why?
 
Obviously this is one of the trickiest IE bugs, and that is why people are simply dropping IE7/8 and XP altogether. If it wasn't for IE, I bet that a lot more people would be sticking to XP and Microsoft products.
 
* I have no viruses in my system. 
* Command "netsh winsock reset catalog" in cmd.exe -- no avail
* Initialized the HTTP SSL service and HTTP service.
* There is no group policy in gpedit.msc that makes any difference regarding this bug
* Resetting IE settings, changing Advanced settings, didn't make any difference.
* Re-registering DLLs, reinstalling the browser, didn't make any difference.
* Playing with the User Agent string made no difference.
* Used 'Fix IE' utility to reregister all dll & ocx files, which are required for the smooth running of Internet Explorer.
* Made sure the SSL certificates were installed
* From Internet Options> Content, clicked on Clear SSL State.
* Running Compatibility View enabled for all websites makes no difference
* Running IE with no addons made no difference.
* Messing with registry system tweaks made no difference
* Reinstalling all the Root Certificates made no difference
* No suggested fixes in the Microsoft database make any difference. Also XP support is over as of 2014.
 

Please guys, try to understand: a lot of us who still use Windows XP use it for a very good reason: productivity. I have 90% of control over my system and a lack of time to switch all of my tools to Win 7.


Edited by hamluis, 23 November 2015 - 12:43 PM.



 


#2 JohnC_21

JohnC_21

  • Members
  • 24,291 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:52 AM

Posted 23 November 2015 - 09:13 AM

The first thing I would do is update to SP3 and then get rid of IE and use another browser like Firefox or Chrome. SP2 has too many security issues let alone SP3.

 

If you are worried about updating to SP3 then create a disk image with Macrium Free or AOMEI Backupper first. You would need an external drive for the backup image.


Edited by JohnC_21, 23 November 2015 - 09:13 AM.


#3 LucidGus

LucidGus
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:52 AM

Posted 23 November 2015 - 09:51 AM

Thankfully, I no longer need to use IE. I already use Chrome and in fact I have integrated Chrome in my Windows XP system through the old Chrome Frame Browser application. Every single website I open with Internet Explorer gets rendered with Chrome Frame instead of Microsoft's Trident rendering engine. I can use Chrome Frame in place of Internet Explorer even with Active Desktop.

 

I have also replaced one or two SP2 DLLs that have to do with HTTPS and SSL/TLS connections with the corresponding SP3 ones, and the problem persisted. I shall try it again though, as I may not have replaced the right DLL, and certainly the problem isn't related to a DLL but rather to some hidden configuration. With that said, there is a big chance that installing SP3 would not get the problem fixed either, as not connecting to HTTPS websites is not a bug, but something that got changed within my system without my knowledge.


Edited by LucidGus, 23 November 2015 - 10:05 AM.


#4 LucidGus

LucidGus
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:52 AM

Posted 24 November 2015 - 05:51 AM

Thank you for keeping the info, mods.



#5 LucidGus

LucidGus
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  •  
  • Local time:04:52 AM

Posted 26 November 2015 - 12:56 AM

I finally solved my problem.

Turns out that installing SP3 did it, JohnC_21. I didn't install the whole SP3 package but made it so all relevant SP2 DLLs were replaced with SP3 ones.

SP3 includes new versions of crypt32.dll and rsaenh.dll, both of which can be found in C:\Windows\System32\ .

 

These DLLs have to do with certificate signature validation among other things. The reason why I wasn't able to connect to SOME SSL/TLS websites is because the respective certificates for them were with invalid signatures on my system. Then I found an article advising people to install a hotfix on Server 2003 that updates crypt32.dll and wcrypt32.dll to support SHA2 certificates. Older Windows systems including Windows XP SP2 do not support SHA2 hashing algorithms.

 

https://support.microsoft.com/en-us/kb/938397

 

One website I wasn't able to access was https://www.google.com, using the 'Google Internet Authority G2' intermediate certificate. It could be possible that Google and other servers are now requiring validation of SHA2 certificates as of September of this year due to SHA1 being considered insecure. Thus older systems without SHA2 support are now blocked from accessing those websites. Maybe I'll do more research later to confirm this.

 

 

SHA1: Depreciation of SHA1 algorithm scheduled for 2015, 2016, 2017?
 
Microsoft A few weeks ago Microsoft announced its decision to deprecate the use of SHA1 from January 2017 and to replace it by SHA256. All certificates and intermediates signed in SHA1 won't be recognized anymore and will provoke security alerts on all the products of the brand.
 
Windows XP not SHA256-compatible
 
Updating a large computer park can take some time. It is the case in institutions still using machines under Windows XP (with a version of Internet Explorer released before version 7 or under Windows XP SP2-). These OS / Browsers cannot connect to servers using a SHA256-signed certificate. Intermediate solution: Your server, to be compliant with the new security standard will eventually have to use a SHA256-signed certificate. Regarding the user machines still under windows XP SP2 and that cannot be updated quickly, you can still install / use for free software from Mozilla (Firefox browser, Thunderbird email reader...) and access SHA256-secured sites.
 
 
As sites move to SHA2 encryption, millions face HTTPS lock-out 
By Zack Whittaker for Zero Day | October 23, 2015 
 
"We're about to leave a whole chunk of the internet in the past," as millions of people remain dependent on old, insecure, but widely-used encryption."
 

http://www.zdnet.com/article/as-sha1-winds-down-sha2-leap-will-leave-millions-stranded/

 

 

Thank you guys.


Edited by LucidGus, 26 November 2015 - 01:33 AM.


#6 JohnC_21

JohnC_21

  • Members
  • 24,291 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:52 AM

Posted 26 November 2015 - 08:53 AM

Glad you got it sorted and thanks for taking the time to give an update. I would proceed with all the post SP3 updates as soon as possible.





