There’s been a disturbance in the force (Read 57744 times)

Johnny7
64 MB Posts: 78 System 7 Newcomer!
on: December 31, 2024, 19:20
There’s been a disturbance in the force

So, about 10 days ago, I got a message from Mozilla regarding using the newest version of Firefox. In my case it was on Win7 using FF V53 (which I’ve been using since that version came out) stating that unless I update to FF V155.x.x ESR, I would lose some website(s) functionality. Whatever, I ignored it. Then, a couple of days ago I noticed that many websites I visit simply would no longer render anything even though they would connect (ARGG, JS!). JavaScript? Not necessarily so. That FF screen message, using FF53 on Win7, also stated, “THERE ARE SOME MAJOR ROOT CERTIFICATES THAT ARE BEING ELIMINATED FROM THE INTERNET AND YOU WILL LOSE SOME WEBSITE FUNCTIONALITY”. Of course, it didn’t state which ones. I updated to FF V155.x ESR and all is well. Matter of fact, all my other Win7 and Intel Macs using FF have been updated to V115.x ESR for quite some time.

Well, I decided to check if these eliminated root certs affected iCab. In short, YES! I simply get blank screens in some sites I used to visit with iCab. Specifically, GitHub. I checked iBrowse for Amiga, same. However, Amiga uses AmiSSL which is an external commodity and updated at least quarterly (however, AmiSSL has not been updated in months and is currently affected somewhat). I haven't checked InterWebPPC or AquaFox.

So, what’s my point? For at least iCab (I’m using V2.9.9 - 2006), if older versions of iCab are not maintained for the latest SSL Root Certs (and TLS) they will simply stop working altogether someday. iCab’s website states there are no updates for V2.9.9. I know, I know, I know, move along soldier, nothing lasts forever. But this is a major shift in SSL and will affect a lot of platform browsers. THIS IS JUST AN OBSERVATION. I haven't checked with Mozilla or even googled anything yet.

Also, why am I posting this on S7T? Because y'all seem smarter than the average bear here and might be interested, no way am I going to post on an Amiga site and this seems to be a recent SSL change. This also may be old news to some.

A possible explanation... https://knowledge.digicert.com/general-information/digicert-g5-root-and-intermediate-ca-certificate-update

Happy New Year S7T! 😁

cballero
1024 MB Posts: 1179 System 7, today and forever
Reply #1 on: January 01, 2025, 18:49
Thanks for that report, Johnny7! Tech transitions can be the worst, especially when they affect retro systems like the ones we use; things like this just underscore these eventualities. Hopefully, the impact won’t be too severe (which usually means relying on workarounds to get things working properly, at least to some degree, again)

wove
1024 MB Posts: 1363
Reply #2 on: January 01, 2025, 19:14
On newish Linux and BSD/Unix systems it is often possible to update certificates without needing to update the applications or system. For instance, using Apple's Keychain application it is possible to export certificates from MacOS 12 and import them into MacOS 10.6. This does not help with display or rendering, but at least gets rid of the annoying messages about expired certificates. This might be something of interest to the increasing number of folks programming on the Classic MacOS; perhaps a script/application could be written to pull certificates from a newer browser and move them into an older browser. I have no clue if that is even possible and I am not a programmer. When I have been in a position where updating certificates has been desirable, I have always just found directions online and followed them. Those directions have always been for Linux and BSD/Linux/MacOSX systems.
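
Added example, not part of wove's post or of the thread: a Python check for the two ways an unmaintained trust store goes stale in the situation this thread describes, roots that have expired and roots a current store carries that the old one lacks. The store entries and dates are constructed; `load_store`, `subject_cn` and `audit_store` are names chosen for this example, and matching by subject name is a simplification (comparing certificate fingerprints is stricter).

```python
import ssl
from calendar import timegm

def load_store(pem_path):
    """Load a PEM bundle exported from a system or browser; return its
    CA certificates in the dict format of SSLContext.get_ca_certs()."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.load_verify_locations(cafile=pem_path)
    return ctx.get_ca_certs()

def subject_cn(cert):
    """Pick a display name out of the nested subject tuples."""
    fields = {key: value for rdn in cert["subject"] for key, value in rdn}
    return fields.get("commonName") or fields.get("organizationName", "?")

def audit_store(old_store, current_store, now):
    """Compare an old trust store against a current one at time `now`
    (seconds since the epoch, UTC)."""
    old_names = {subject_cn(c) for c in old_store}
    # Roots the old store still trusts although their validity has ended.
    expired = sorted(subject_cn(c) for c in old_store
                     if ssl.cert_time_to_seconds(c["notAfter"]) < now)
    # Roots only the current store has: sites chaining to these fail
    # verification on the old client even though nothing "expired" there.
    missing = sorted(subject_cn(c) for c in current_store
                     if subject_cn(c) not in old_names)
    return {"expired": expired, "missing": missing}

def _ca(name, not_after):
    """Build a constructed entry shaped like a get_ca_certs() result."""
    return {"subject": ((("commonName", name),),), "notAfter": not_after}

# Constructed sample data, not real certificate authorities.
OLD = [_ca("Constructed Legacy Root A", "Dec 31 23:59:59 2020 GMT"),
       _ca("Constructed Root B", "Jan 01 00:00:00 2035 GMT")]
CURRENT = [_ca("Constructed Root B", "Jan 01 00:00:00 2035 GMT"),
           _ca("Constructed Root C", "Jan 01 00:00:00 2040 GMT")]
NOW = timegm((2025, 1, 1, 0, 0, 0))

if __name__ == "__main__":
    print(audit_store(OLD, CURRENT, NOW))
```

With real bundles, pass the results of two `load_store()` calls (one per exported PEM file) in place of `OLD` and `CURRENT`.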

Bolkonskij
Administrator 1024 MB Posts: 2023
Reply #3 on: January 02, 2025, 14:14
The root of the problem lies in the fact that TLS/SSL in your average Mac OS application is a library you'd add to your project and compile it with. The Amigans have it as a separate system extension (AmiSSL) with the beauty of being able to simply swap it out. In contrast, on Mac OS you'd need the sources and recompile them. And even then I'm not sure if there's an updated SSL library. I think somebody put up an updated version somewhere a few years ago, but I never followed along since then.

But let's take a step back and ask: why? Why do we need this overhead for each and every site these days? The whole point about the web was for information to be open & accessible for everybody. If you do not have a transactional page where you need to protect sensitive data, why add the bloat? I've written up my thoughts on why I don't enforce SSL on Cornica and what I feel the implications are. We should educate people on the matter - your average blog does not need encryption, despite what Big Corp. Inc. tells you. It doesn't make your page "safer" per se. Again, read what I wrote on Cornica.

I'd also like to point to an overlooked matter - if I issue certificates and in effect decide who is "secure" and "legit", that's a very powerful weapon to wield. I can destroy businesses by rendering them "unsafe" for example. I'm not saying that was the intention behind creating it. But I say that history teaches us that if a system can be corrupted, it certainly will be.
Last Edit: January 02, 2025, 14:22 by Bolkonskij

ShinobiKenobi
256 MB Posts: 362 System 7 fan
Reply #4 on: January 03, 2025, 06:05
I strongly believe in modularity, which apparently isn't a word, according to my spellchecker. But with anything that relies on working nicely with others (others being other computers, programs, and/or parts/peripherals), I make sure to make those parts separately, whether it's hardware or software, for this very specific reason... for upgradability (ok spellcheck, chill out!). Or at least having the option/ability to add functionality through importing stuff, like web browsers that have the ability to import new security. I argue that obsolescence by design is unethical, and should not be adopted. Old stuff continues to work, and work, and work. Obviously things happen and sometimes something breaks, but if it's made right, it can be repaired. There is no (good) reason to force customers to stop using a well-designed good product (corporate greed is not a good reason). No, I don't expect companies to offer support for old products forever. But there are more than a few scenarios in which a company or person has something that works perfectly fine, and there is no reason to change it. Forcing them to get rid of it is just evil and wasteful. Just because something is "old" doesn't mean it's crap, nor that they MUST buy something new. The widespread act of an organization going out of one's way just to stop things from working, like with old computers, should be resisted by everyone. It is discrimination. Things should be preserved.

Jatoba
256 MB Posts: 270 System 9 Newcomer!
Reply #5 on: January 03, 2025, 08:26
Quote from: Bolkonskij
The Amigans have it as a separate system extension (AmiSSL) with the beauty of being able to simply swap it out. In contrast, on Mac OS you'd need the sources and recompile them.

"In contrast"? I mean, that Amigan approach sounds 100% like the Mac approach. (Like almost everything Amiga -- it's always good to copy good design!)

That aside, having a system extension handle HTTPS (rather, SSL/TLS) as opposed to leaving it to the browser is... certainly interesting. Should be doable for the Mac, as well. If only there was a need for it, that is: we not only already have Crypto Ancienne 2.2 on MachTen to achieve the same, we also generally want to blacklist sites to begin with that bar people up artificially via HTTPS. If a site has it, and someone can't access it, then the user ought to realize it's a good riddance, for the user! Use something else. In fact, with that happening, it creates the opportunity for someone to take it over with a non-HTTPS replacement, be it plain HTTP, Gopher or anything else.

cballero
1024 MB Posts: 1179 System 7, today and forever
Reply #6 on: January 03, 2025, 15:53
I get calls, texts and emails asking me if an HTTP website is secure or not, and even though they seem to get it, they do seem to be wary of the warnings they get; people get conditioned to trust their system’s warnings, for better or worse; I totally get their hesitance due to this conditioned trust, but it’s so annoying to see older sites being bullied this way for “non-compliance”

lauland
512 MB Posts: 674 Symtes 7 Mewconer!
Reply #7 on: January 07, 2025, 23:02
At work we are currently discussing dropping TLS 1.0/1.1 and RC4 for our servers. This is unrelated to the certs issue this post was about, but related to dropping support of older browsers/devices. Sadly it means (at the very least) that old versions of Safari won't work, it looks like MacOS X 10.8 and older. Several older versions of FireFox and Chrome also. In our vintage world, I don't really know how, or if, this affects "alternate" browsers like the various mutant ports of FireFox. Of course us real nerds are still using plain old http...only with sites we trust, of course!

cballero
1024 MB Posts: 1179 System 7, today and forever
Reply #8 on: January 08, 2025, 08:02
Quote from: Lauland
Of course us real nerds are still using plain old http...only with sites we trust, of course!

You mean like this one, right?

68040
512 MB Posts: 950 68k - thy kingdom come, thy will be done !
Reply #9 on: January 08, 2025, 13:12
Quote from: Jatoba
... we also generally want to blacklist sites to begin with that bar people up artificially via HTTPS.

A tiny minority blacklisting the huge majority will surely result in an unparalleled story of triumph success! Being flexible and nimble was never my thing.
Last Edit: January 08, 2025, 13:13 by 68040

ClassicHasClass
32 MB Posts: 39
Reply #10 on: January 08, 2025, 15:47
Quote
In our vintage world, I don't really know how, or if, this affects "alternate" browsers like the various mutant ports of FireFox.

TenFourFox has been TLS 1.3 capable for quite a while, and the same by extension for things like InterWebPPC, though I do need to update the root certs again (should be okay for the time being).

Jatoba
256 MB Posts: 270 System 9 Newcomer!
Reply #11 on: January 08, 2025, 15:53
@68040 You dropped the second part from your luggage:

Quote from: Jatoba
[...] In fact, with that happening, it creates the opportunity for someone to take it over with a non-HTTPS replacement, be it plain HTTP, Gopher or anything else.

And, yes, a single person making a better decision does improve all of his/her surroundings. It's like a snowball. Where do you think so many great websites, including the one you typed that message in, came from? Certainly not from people thinking the way you do, that much is a guarantee, and a reassurance!

cballero
1024 MB Posts: 1179 System 7, today and forever
Reply #12 on: January 08, 2025, 16:48
Quote from: Jatoba
And, yes, a single person making a better decision does improve all of his/her surroundings

Beautifully said! This has been my motivation for so many things; small sacrifices of convenience over surrendering control to giants: I don’t mind being the little guy out there who doesn’t back down from a larger fight for the freedom and independence of having a choice to not swim downstream with the rest of the masses. Kind of what I loved about Macs from jump street in the first place

ShinobiKenobi
256 MB Posts: 362 System 7 fan
Reply #13 on: January 12, 2025, 03:50
I don't know about anyone else, but I don't want my passwords floating around the mean, cruel, and dangerous internet in plain text. It might sound like I'm joking, calling the internet that, but that's what I learned. What I'm legitimately curious about is: are people really OK with someone sniffing your password, logging on as you, and posting or doing things you would never do? Changing your info so that you can't recover your accounts? I'd love to hear other thoughts on this.

Jatoba
256 MB Posts: 270 System 9 Newcomer!
Reply #14 on: January 12, 2025, 08:03
@ShinobiKenobi HTTPS is good, but only where it makes sense to have it, such as in the example you mentioned. That is what @Bolkonskij said, too:

Quote from: Bolkonskij
If you do not have a transactional page where you need to protect sensitive data, why add the bloat?

The issue is if you have an HTTPS site without any of that, no data sent from you to a server, or non-sensitive data is sent to the server. Those sites should be exclusively HTTP, as HTTPS/SSL/TLS add overhead and slow things down on any system for ZERO gain that can be deemed beneficial for the visitor, the server and the running computer.

For sites that do handle sensitive data, however, you still will want both HTTP and HTTPS: the latter for privacy and security reasons, the former for faster & better login-less lurking, browsing and consumption of services (e.g. downloads). E.g. people should be able to read forums and browse software catalogs like the Garden even if they are not logged in, in which case they absolutely don't need HTTPS. (If you log in, though, better use the HTTPS version, unless you are a wild cowboy who is not very concerned about the issues you mentioned.)

The only kind of website that is justifiable as HTTPS-only is, exclusively, those which require, for good reason, some form of identification to make use of it, such as banking. Those obviously require some form of encryption to get protection from a "general" attacker. (You are still vulnerable to the certificate-issuing so-called "authorities" themselves, plus other spying backdoors, local malware yadda yadda, which is why such sensitive matters are BEST dealt NOT over the wire in the first place. HTTPS doesn't actually give you true privacy, nor protection, but only mitigates ONE part of the problem.)