• Replies 3 replies
  • Subscribers 72 subscribers
  • Views 90 views
  • Users 0 members are here
Related

Web browser security and TLS changes

Christina Cone
$organization

Hello.

In response to the changes made regarding early TLS in February, has anyone added a browser detection/update warning on their website to encourage patrons to upgrade if needed? Or taken some other kind of approach?

I've been looking at code here: http://browser-update.org/. But I don't really know if this is a trust-worthy source...Comments or suggestions welcome!

Thanks,

Christina Cone
Berkeley Repertory Theatre

Parents
  • $organization

    For FTC's website I added a banner that gets removed via a script hosted by our TNEW site. Easy enough to load it over HTTPS. The banner has a link to Qualys' browser page.

    I had also played with the idea of using a CSS property from a staticfile hosted on our TNEW site but just landed on implementing the script as a stop gap before doing that.

    Looking quickly you could link to https://tickets.berkeleyrep.org/_script/fullcalendar/fullcalendar.css and place a banner with the class fc-state-disabled on your site easy enough.

Reply
  • $organization

    For FTC's website I added a banner that gets removed via a script hosted by our TNEW site. Easy enough to load it over HTTPS. The banner has a link to Qualys' browser page.

    I had also played with the idea of using a CSS property from a staticfile hosted on our TNEW site but just landed on implementing the script as a stop gap before doing that.

    Looking quickly you could link to https://tickets.berkeleyrep.org/_script/fullcalendar/fullcalendar.css and place a banner with the class fc-state-disabled on your site easy enough.

Children
  • $organization in reply to Christopher Sherwood

    Hi, Christopher.

    Thanks for your reply, and please excuse my delayed reply. Would you be willing to share the script you use for FTC with me?

    Thanks,
    Christina (ccone@berkeleyrep.org)

  • $organization in reply to Christina Cone
    The script relies on a file hosted on our TNEW site and is really hackish.
    here is something similar for Berkley Rep's site (wrote this in pure JS because the BR site doesn't load jQuery correctly over HTTPS)
    This should work (again it's a bit hackish and only wait's 1s for a response from the TNEW site):
    var head = document.head,
        link = document.createElement('link');
    window.TLSChecked = false;
    window.TLSCheck = function(){
        if(window.TLSChecked) return false;
        var element = document.createElement('div')
        body = document.body;
        element.style = "width:100%; height:1em; padding:1em; font-size:24px;background:red;text-align:center;";
        element.id = "TLS-Check";
        element.innerHTML="BROWSER DOESN'T SUPPORT TLS OR TNEW IS DOWN";
        document.body.insertBefore(element,document.body.childNodes[0]);
    }
    link.type = 'text/css';
    link.rel = 'stylesheet';
    link.href = 'https://tickets.berkeleyrep.org/_script/fullcalendar/fullcalendar.css';
    link.onload = function(){window.TLSChecked = true};
    window.setTimeout("TLSCheck()",1000);
    head.appendChild(link);
    To test failure just put in an incorrect URL:
    var head = document.head,
        link = document.createElement('link');
    window.TLSChecked = false;
    window.TLSCheck = function(){
        if(window.TLSChecked) return false;
        var element = document.createElement('div')
        body = document.body;
        element.style = "width:100%; height:1em; padding:1em; font-size:24px;background:red;text-align:center;";
        element.id = "TLS-Check";
        element.innerHTML="BROWSER DOESN'T SUPPORT TLS OR TNEW IS DOWN";
        document.body.insertBefore(element,document.body.childNodes[0]);
    }
    link.type = 'text/css';
    link.rel = 'stylesheet';
    link.href = 'THIS WILL FAIL';
    link.onload = function(){window.TLSChecked = true};
    window.setTimeout("TLSCheck()",1000);
    head.appendChild(link);


    [edited by: Christopher Sherwood at 4:19 PM (GMT -6) on 6 Jun 2016]