Ummm. That’s only the XML. Please, Avast is an IT-sec company. Shouldn’t have such basic errors. It’s 16 years into the 21st century, SSL is broken beyond any miraculous cure and has long been replaced by TLS. But a SHA1 certificate? Please!
Yes, I can use another browser. Problem: none of them have hi-sec settings, Pale Moon because I haven’t bothered, Opera is too old, and IE… (OK, IE can be toughened up, a lot. I should, really.) And none of them are as nice to use as K-M.
OK, I’ll admit that it’s actually sites invoked by the blog page that have problems, but OTOH, why does Avast permit linking/usage of such poorly secured sites?
Avast may well be the strongest link in this chain, but it’s the weak links that will permit an attack on browsers. IMHO it’s Avast who should lay out to the servers linked that they are required to upgrade their security sometime yesterday in order to stay in contract. Usage of the services implies approval of their poor practices.
FWIW, I junked my mobile phone contract with a major carrier for failing to ensure a secure connection to their out-sourced invoice server. (The subsequent upgrade is probably not my fault.) I was not penalised for breaking contract.
which ensure that SSL in a non-SSL browser will fail and break the page. I’m actually not surprised here, since Opera v12.17 (in my sig) dates from 2014.
I have not yet looked to see what Pale Moon has, and we all know that IE comes from a different planet.
cleared the caches on my other browsers and lit them up. And got exactly the same results as my first post above on all browsers.
Frankly, I am surprised Avast allows the utilisation of out-sourced components with substandard security. This is simply not good enough. IT-sec is IT-sec, it’s done properly or not at all.
I don’t use the Avast browser, but I wonder if it would masticate the blog page the way K-M did? It’s only a few settings, even non-geeks can work it out:
security.fileuri.strict_origin_policy;true (default in KM76RC)
security.ssl.require_safe_negotiation;true
security.ssl.treat_unsafe_negotiation_as_broken;true
all rc4 and des cyphers;false
security.tls.unrestricted_rc4_fallback;false
And TBH most of those settings today should be default, the percentage of sites that would break would be in the order of 5% at most, probably less.
The good news (for me anyway) is that I can read the blog in safety. Almost all threats that could come from that page have been neutralised. And I do have to say this is the only page I have ever seen that shatters so comprehensively with my not-very-advanced settings.
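A small audit script, added here as an example that is not part of the post above: it parses prefs.js / user.js lines and reports where a profile falls short of the hardened settings the post lists. The baseline dictionary mirrors the post's list; the cipher-suite pref names in the sample input (security.ssl3.*) are constructed for the demo, as is the sample profile itself.

```python
import re

# Hardened baseline from the post: pref name -> required value.
HARDENED = {
    "security.fileuri.strict_origin_policy": True,
    "security.ssl.require_safe_negotiation": True,
    "security.ssl.treat_unsafe_negotiation_as_broken": True,
    "security.tls.unrestricted_rc4_fallback": False,
}
# "all rc4 and des cyphers;false": any cipher-suite pref naming rc4 or des must be off.
WEAK_CIPHER_RE = re.compile(r"^security\.ssl3\..*(rc4|des)", re.IGNORECASE)

# Matches user_pref("name", value); and pref("name", value); lines.
PREF_LINE = re.compile(r'^\s*(?:user_)?pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')

def parse_prefs(text):
    """Parse prefs.js / user.js text into {name: value}; non-pref lines are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs

def audit(prefs):
    """Return (pref, found, expected) deviations; found is None when the pref is
    not set explicitly, i.e. the browser's own default (unknown to us) applies."""
    findings = []
    for name, want in HARDENED.items():
        got = prefs.get(name)
        if got != want:
            findings.append((name, got, want))
    for name, val in prefs.items():
        if WEAK_CIPHER_RE.match(name) and val is True:
            findings.append((name, val, False))
    return sorted(findings, key=lambda f: f[0])

# Constructed sample profile: two prefs wrong, one baseline pref missing, one RC4 suite on.
SAMPLE = '''user_pref("security.ssl.require_safe_negotiation", true);
user_pref("security.ssl.treat_unsafe_negotiation_as_broken", false);
user_pref("security.tls.unrestricted_rc4_fallback", false);
user_pref("security.ssl3.rsa_rc4_128_md5", true);
user_pref("security.ssl3.rsa_des_ede3_sha", false);
user_pref("browser.startup.homepage", "about:blank");'''

if __name__ == "__main__":
    for name, got, want in audit(parse_prefs(SAMPLE)):
        print(f"{name}: found {got!r}, expected {want!r}")
```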