My browser breaks the blog page

I use K-Meleon, a fault-intolerant Gecko fork, currently v76RC (see sig below).

I tried to access the Avast Blog.

https://www.dropbox.com/s/e85ce8ss4h814jl/BestHTTPSprotection.png?dl=1

A bit sad :frowning: 8) What’s wrong?

https://www.dropbox.com/s/hrxgb9r1jya18rd/ErrorConsoleXML.png?dl=1

Er… ???

Ummm. That’s only the XML. Please, Avast is an IT-sec company. Shouldn’t have such basic errors. It’s 16 years into the 21st century, SSL is broken beyond any miraculous cure and has long been replaced by TLS. But a SHA1 certificate? Please!

Yes, I can use another browser. Problem: none of them have hi-sec settings, Pale Moon because I haven’t bothered, Opera is too old, and IE… (OK, IE can be toughened up, a lot. I should, really.) And none of them are as nice to use as K-M.

Gordon.

Looks like K-Meleon is not detecting things correctly.

SHA1 used?
Wrong, SHA2 is used.

SSL used?
Wrong again.
TLS is used.

Opera old?
Opera version 37 released 4 May 2016
Latest (final) for K-Meleon is from 19 September 2015
Hmm guess which browser is old :stuck_out_tongue:

Did you look in my signature?

OK, I’ll admit that it’s actually sites invoked by the blog page that have problems, but OTOH, why does Avast permit linking/usage of such poorly secured sites?

Avast may well be the strongest link in this chain, but it’s the weak links that will permit an attack on browsers. IMHO it’s Avast who should lay out to the servers linked that they are required to upgrade their security sometime yesterday in order to stay in contract. Usage of the services implies approval of their poor practices.

FWIW, I junked my mobile phone contract with a major carrier for failing to ensure a secure connection to their out-sourced invoice server. (The subsequent upgrade is probably not my fault.) I was not penalised for breaking contract.

Have you tried opening it in Opera ?
https://blog.avast.com/

I’ve tried it in every browser I have. Opera opens it quite fine, but Opera does not seem to have any equivalent of the moz-prefs

security.ssl.require_safe_negotiation
security.ssl.treat_unsafe_negotiation_as_broken

which ensure that SSL in a non-SSL browser will fail and break the page. I’m actually not surprised here, since Opera v12.17 (in my sig) dates from 2014.

I have not yet looked to see what Pale Moon has, and we all know that IE comes from a different planet.

Gordon.

OK, an update. I entered all the SSL-secured links into my host file:

127.0.0.1       cdn2.hubspot.net
127.0.0.1       js.hs-analytics.net
127.0.0.1       static.hsstatic.net
127.0.0.1       js.hscta.net
127.0.0.1       no-cache.hubspot.com

and a couple of other suspects:

127.0.0.1       platform.twitter.com
127.0.0.1       ton.twimg.com
127.0.0.1       o.twimg.com

cleared the caches on my other browsers and lit them up. And got exactly the same results as my first post above on all browsers.

Frankly, I am surprised Avast allows the use of out-sourced components with substandard security. This is simply not good enough. IT-sec is IT-sec, it’s done properly or not at all.

I don’t use the Avast browser, but I wonder if it would masticate the blog page the way K-M did? It’s only a few settings, even non-geeks can work it out:

security.fileuri.strict_origin_policy;true (default in KM76RC)
security.ssl.require_safe_negotiation;true
security.ssl.treat_unsafe_negotiation_as_broken;true
all rc4 and des cyphers;false
security.tls.unrestricted_rc4_fallback;false

And TBH most of those settings today should be default, the percentage of sites that would break would be in the order of 5% at most, probably less.

The good news (for me anyway) is that I can read the blog in safety. Almost all threats that could come from that page have been neutralised. And I do have to say this is the only page I have ever seen that shatters so comprehensively with my not-very-advanced settings.

Gordon.
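The thread argues over what a third-party host actually negotiated (SSL vs TLS, RC4/DES vs modern ciphers) without anyone showing the negotiated parameters. The script below is an added example, not code from any poster or from Avast or K-Meleon: it encodes the policy behind the prefs listed above (refuse anything below TLS 1.2, refuse RC4, DES/3DES, NULL and export ciphers) as a pure `evaluate()` function, and a `probe()` helper that uses only the Python standard library to connect to a host and report what was negotiated. The host names and the sample (protocol, cipher) pairs in `main()` are constructed for illustration; `probe()` is the only part that touches the network and is not run unless a host is given on the command line.

```python
"""Check a negotiated TLS session against the hardened browser prefs from the thread.

Added example. Uses only the Python standard library (ssl, socket), so it cannot
report the certificate's signature algorithm (stdlib getpeercert() omits it);
it covers the protocol-version and cipher-family questions argued in the thread.
"""
import socket
import ssl
import sys

# Protocol names as returned by ssl.SSLSocket.cipher()[1]. Anything below
# TLS 1.2 is treated as failing the "no SSL" requirement discussed above.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Cipher-name substrings corresponding to the "all rc4 and des cyphers;false"
# prefs. "DES" deliberately also matches 3DES (DES-CBC3 / DES-EDE3 names).
WEAK_CIPHER_TOKENS = ("RC4", "DES", "NULL", "EXP")


def evaluate(protocol, cipher):
    """Return a list of policy findings for a negotiated (protocol, cipher).

    An empty list means the session would be accepted by a browser with the
    thread's settings; each finding is a short human-readable string.
    """
    findings = []
    if protocol in WEAK_PROTOCOLS:
        findings.append(f"protocol {protocol} is below TLS 1.2")
    upper = cipher.upper()
    for token in WEAK_CIPHER_TOKENS:
        if token in upper:
            findings.append(f"cipher {cipher} uses disabled family {token}")
    return findings


def probe(host, port=443, timeout=5.0):
    """Connect to host:port and return (protocol, cipher) as negotiated.

    The client context is the stdlib default (certificate verification on,
    hostname checked) pinned to TLS 1.2 or newer, so a server that can only do
    older versions raises ssl.SSLError instead of silently downgrading.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cipher_name, protocol, _bits = tls.cipher()
            return protocol, cipher_name


def report(samples):
    """Evaluate an iterable of (label, protocol, cipher) and return a dict
    mapping label -> findings list, for offline use on constructed data."""
    return {label: evaluate(proto, ciph) for label, proto, ciph in samples}


def main(argv):
    if len(argv) > 1:
        # Live probe of a host given on the command line (network access).
        host = argv[1]
        proto, ciph = probe(host)
        print(f"{host}: {proto} {ciph} -> {evaluate(proto, ciph) or 'OK'}")
        return
    # Constructed sample sessions; these are NOT measurements of the hosts
    # named in the thread, only illustrations of what the policy flags.
    samples = [
        ("modern", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
        ("rc4-fallback", "TLSv1", "RC4-SHA"),
        ("legacy-ssl", "SSLv3", "DES-CBC3-SHA"),
    ]
    for label, findings in report(samples).items():
        print(f"{label}: {findings or 'OK'}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it with no arguments to see the policy applied to the constructed samples; `python3 tlscheck.py example.invalid` (hostname is a placeholder) probes a real endpoint and prints the negotiated protocol and cipher alongside any findings.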