Hello all,
Because of POODLE and all the security vulnerabilities associated with SSL 3.0 and 2.0 and TLS 1.0... we have disabled these protocols on our web server. This is causing problems for customers who have outdated browsers that are still looking for those protocols. Essentially, when they click Checkout, the site switches to https and they get kicked out with a "Server Connection Failure." To the customer it looks like there is something wrong with our website when it is really the user's browser that is causing the issue.
How are you dealing with this? We have been addressing it on a case-by-case basis, but our director wants us to put a message on our website for people to update their browsers. The problem with that is that it is the browser kicking them off our site, hence the error is from the browser and we cannot intercept that. Some think that putting a message on the website is pointing out a problem that would be interpreted as our problem. It is inflated by the fact that customers are saying that it only happens on our site, which is because we've taken the correct security measures and some other site hasn't done that.
Anybody have any words of wisdom? Have you disabled these protocols?
A couple of thoughts:
- You mention that the customer gets "kicked out" when they click checkout. This would indicate that they are not doing their browsing and login in an HTTPS session. I would recommend that ALL personal data be sent through HTTPS -- from the login page to the order confirmation. This is good practice to begin with, but would also avoid people building a cart and then having all of their time wasted because they can't check out.
- I agree with your director that you should put a message on your site, ideally before the user even gets to the purchase process. Something like "We have detected that you are using an obsolete web browser that is not compatible with present-day security protocols. As a result, we will be unable to securely complete your order. Please consider upgrading to <download link to Chrome/Firefox>, and in the meantime, call the box office to complete your order." This message should come BEFORE they hit the HTTPS pages, so that you never give their browser the chance to error out. You would use some JavaScript to detect the browser and version, and then display a message ONLY if the user's browser is recognized as incompatible.
- On the last item, as a matter of verifying and following up, I would ask the customer what websites they find they ARE able to transact with securely, and then do some testing and research to see what SSL/TLS versions those sites support (https://www.ssllabs.com/ssltest/). (It looks like Amazon still supports TLS 1.0, which is interesting).
In playing around with that ssltest, there may be slightly more to it. Perhaps TLS 1.0 is okay as long as TLS_FALLBACK_SCSV is enabled? Check out the SSL test for your own server compared to Amazon's and note the differences.
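One way to implement the detection Nick describes, as an added example that is not code from this thread or from Tessitura: a small script for the plain-HTTP pages that recognises a browser family and major version from the user-agent string and shows an upgrade notice only when the browser is known not to negotiate TLS 1.1/1.2. The version thresholds, the sample user-agent strings and the notice wording are my assumptions for illustration; the thresholds should be maintained against whatever your own server actually accepts.

```javascript
// Added example, not code from the forum thread. Shows an upgrade notice on the
// HTTP pages BEFORE the visitor is sent to an HTTPS checkout that only accepts
// TLS 1.1/1.2, so the browser never gets the chance to error out.
//
// Thresholds below are assumptions (roughly the first release of each browser
// that enables TLS 1.1 or 1.2 by default). First matching rule wins, so order
// matters: IE 11 must be tested before the generic "MSIE" rule, and Chrome
// (which also appears in Chrome-on-Android and Edge user agents) before the
// Android stock browser and Safari rules, both of which also contain "Safari/".
const LEGACY_RULES = [
  { family: 'Internet Explorer', pattern: /Trident\/[\d.]+.*rv:(\d+)/, minOk: 11 }, // IE 11 has no "MSIE" token
  { family: 'Internet Explorer', pattern: /MSIE (\d+)/,                 minOk: 11 }, // IE 8-10 ship with TLS 1.1/1.2 off by default
  { family: 'Firefox',           pattern: /Firefox\/(\d+)/,             minOk: 27 },
  { family: 'Chrome',            pattern: /Chrome\/(\d+)/,              minOk: 30 },
  { family: 'Android Browser',   pattern: /Android (\d+)/,              minOk: 5 },  // stock browser, only reached if no Chrome token
  { family: 'Safari',            pattern: /Version\/(\d+)[\d.]*.*Safari\//, minOk: 7 },
];

// Returns { family, major, legacy }. Unknown user agents are NOT flagged:
// the notice is shown only when the browser is recognised as incompatible.
function classifyBrowser(userAgent) {
  for (const rule of LEGACY_RULES) {
    const m = rule.pattern.exec(userAgent);
    if (m) {
      const major = parseInt(m[1], 10);
      return { family: rule.family, major, legacy: major < rule.minOk };
    }
  }
  return { family: 'unknown', major: null, legacy: false };
}

// Returns the notice text for a legacy browser, or null when none is needed.
function upgradeNotice(userAgent) {
  const b = classifyBrowser(userAgent);
  if (!b.legacy) return null;
  return `We have detected that you are using ${b.family} ${b.major}, which is not ` +
    'compatible with present-day security protocols. As a result, we will be unable ' +
    'to securely complete your order. Please consider upgrading to a current browser ' +
    '([download link]) and, in the meantime, call the box office to complete your order.';
}

// Inserts the notice at the top of the page body. `doc` and `nav` are passed in
// so the function can be exercised outside a browser; returns the text shown.
function showNoticeIfNeeded(doc, nav) {
  const text = upgradeNotice(nav.userAgent || '');
  if (text === null) return null;
  const box = doc.createElement('div');
  box.className = 'browser-upgrade-notice'; // style it to stand out, e.g. a banner
  box.textContent = text;                    // textContent, never innerHTML, for UA-derived text
  doc.body.insertBefore(box, doc.body.firstChild);
  return text;
}

// Constructed sample user-agent strings, representative of 2015-era browsers.
const SAMPLE_USER_AGENTS = {
  ie8:       'Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)',
  ie11:      'Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko',
  firefox38: 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0',
  chrome43:  'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.81 Safari/537.36',
  android43: 'Mozilla/5.0 (Linux; U; Android 4.3; en-us; GT-I9300) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30',
  safari6:   'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/536.30.1 (KHTML, like Gecko) Version/6.0.5 Safari/536.30.1',
  curl:      'curl/7.43.0',
};

// In a real page this runs on load; in Node it prints the classification of each sample.
if (typeof document !== 'undefined' && typeof navigator !== 'undefined') {
  showNoticeIfNeeded(document, navigator);
} else {
  for (const [name, ua] of Object.entries(SAMPLE_USER_AGENTS)) {
    console.log(name, classifyBrowser(ua));
  }
}
```

User-agent sniffing is a heuristic: the string can be spoofed, and whether IE 8-10 can actually negotiate TLS 1.1/1.2 depends on the Windows version and the user's Internet Options, so the rules above err on the side of showing the notice. A complementary check that tests the real handshake is to have the HTTP page load a tiny image from the HTTPS host and show the same notice from the image's `onerror` handler; that catches misconfigured or unrecognised clients that the table above would miss.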
Thank you Nick. We do switch to https as soon as they enter checkout which includes logging in. I like your idea about capturing their browser version so I’ll talk to our developer about that.
From: Tessitura Technical Forum [mailto:forums-technical@tessituranetwork.com] On Behalf Of Nick Reilingh
Sent: Monday, June 15, 2015 11:27 AM
To: Gloria Ormsby
Subject: Re: [Tessitura Technical Forum] Dealing with SSL and Customers Outdated Browsers

From: Gloria Ormsby <bounce-gloriaormsby5026@tessituranetwork.com>
Sent: 6/15/2015 10:20:18 AM
In case anyone is interested, here is some Java code to detect the browser:
https://browser-update.org/#