I hate gratuitous encryption

[ManaUser]

Back story: I'm using an old version of Firefox, because the new versions suck and I haven't got around to moving everything over to Pale Moon or whatever.

Well more and more lately, I've been getting locked out of websites with "ssl_error_no_cypher_overlap" messages. But the funny thing is I never have this problem with Amazon, my web host, my Bank, shady Russian bitcoin exchanges or anything else where security would be important. No, it's always on sites that are encrypted for no good reason.

Most recently, xkcd.

[Zohar]

So you're concerned about security... but you're using an old browser?

[ManaUser]

So you're concerned about security... but you're using an old browser?

No. That's my point. I have am completely unconcerned about the possibility of my xkcd viewing habits being spied on. Mainly because they wouldn't be.

Perhaps this will illustrate better: This forum, the only part of xkcd.com aside from the store which has any use for encryption at all, is not encrypted. I mean, I wouldn't really care if someone stole my account here, but maybe some people would. So at least there would be a vague justification. But Randal apparently decided the main page, where there is absolutely no personal information is too sensitive to risk letting someone view it without encryption, or even with outdated encryption. Because obviously the NSA is going to work really hard to find out what I've been downloading from xkcd every couple days. Only the best will do.

[Zohar]

I'm not a website admin, but I find it much more likely that it's best practice to use modern encryption, and since the main website is regularly updated, someone bothered to do so, as opposed to the forums, which get a lot less traffic and are somewhat-forgotten and don't get updated often at all.

Still, you should consider updating your browser. Using outdated software is how people get their data hijacked.

[Thesh]

Major sites tend to be the most lax on security, generally because of the number of visitors leads to a noticeable tech support cost. You should upgrade your browser (or at the very least disable insecure cipher suites) for that reason alone.

[Flumble]

Randall hates botnets so he doesn't allow people with insecure systems to enjoy his comics.

Just how old is your version of Firefox that it doesn't accept TLS 1.2 with the allowed cipher suites? Even bloody FF31 is able to visit xkcd and that's browsing with a live grenade (see all the red stuff since FF31, including multiple code execution bugs)

Also what Thesh says.

As far as I know there's currently no real reason to stop TLS 1.1 support on a server, so the admin of the xkcd domain could enable it for compatibility. But there's less reason not to support TLS 1.2 in a browser these days.

[commodorejohn]

Encryption is basically just a way for browser vendors to strong-arm people into upgrading, when you get right down to it.

[Soupspoon]

(I remember when Netscape was actually a paid-for thing. But a lot of datagrams have passed across OSI layer 3 since those days, and a supplier of an entirely non-inventorial good, gratis, sort of precludes being a 'vendor'. But I digress. I've lost track of the business model used by browsers, these days, but can only imagine lies somewhere between Big Data and For The Geeky Love Of It, depending upon the brand.)

There are some times when a server should enforce best practice, and there are times when the right to have an overly lax client (for any one of a number of reasons, with varying degrees of actual necessity and legitimacy) should not be infringed.

My instinct is that it was a back-end upgrade that even Randall (or his back-end team) didn't realise was going to exclude any old stuff, but came along with everything else the actual back-back-end maintainer never considered testing against minority browsers. And look at some of the monstrous User-Agent strings, used to maintain full backwards/sideways compatibilities. I wouldn't be surprised if someone didn't want to burn it all down to the ground and 'nudge' the technoluddites.

As a technoluddite myself, in many ways, I feel the pain. As an occasional security professional, it would be nice for the lowest common denominator to be at least recently elevated...

[ManaUser]

Yes I know I should upgrade. I will sooner or later. And as much as it irks me it's probably going to be this (not xkcd, but this problem in general) that forces my hand. And yes I'm using a really old version... Firefox has sucked for a long time.

I can understand drooping support obsolete encryption. But all of that is really kind of secondary. It's only a specific example of how gratuitous encryption became a problem for me. What I don't understand is why it became popular to make encryption mandatory on non-sensitive websites. Clear text is not obsolete. I mean if you want to make https available for people who just think it's cool, want to add to the encrypted background noise for political reasons or whatever, that's fine. But why not leave http available too?

Maybe this is only my personal ideal, but I always kind of figured the goal would be to make your site accessible to as many people as practical.

[commodorejohn]

Maybe this is only my personal ideal, but I always kind of figured the goal would be to make your site accessible to as many people as practical.

Hahaha, if web designers did that, who would they look down their noses at while sipping their gluten-free mocha chai soy milk lattes over their Macbooks/Chromebooks?

[Flumble]

Maybe this is only my personal ideal, but I always kind of figured the goal would be to make your site accessible to as many people as practical.

Hahaha, if web designers did that, who would they look down their noses at while sipping their gluten-free mocha chai soy milk lattes over their Macbooks/Chromebooks?

What have you been smoking? Most 'web designers' use tons of frameworks to make a site look the same in a large variety of browsers and versions, including shitty, broken, insecure browsers like Internet Explorer 8. If everyone would just use an up-to-date browser, website developers would only have to use standardized features and could use all of the currently standardized features, which makes sites so much cleaner, smaller, more readable, more efficient and everything would be sunshine and lollipops (until ads come into play).

Encryption is basically just a way for browser vendors to strong-arm people into upgrading, when you get right down to it.

When you get right down to it, browser vendors can't (I guess for google and apple it's "won't") waste time to update ancient versions of their browser with new cryptography methods. Also what's the point when the people using those versions don't bother updating anyway?

[commodorejohn]

What have you been smoking? Most 'web designers' use tons of frameworks to make a site look the same in a large variety of browsers and versions, including shitty, broken, insecure browsers like Internet Explorer 8.

That used to be the case. Now the trend (as far as I'm observing) is towards redirecting every page on the site to a single "fuck you for not using our preferred browser" page if you're on anything less than the second-to-latest version of (pick any three) IE, Firefox, Safari, Opera, or Chrome (and actually it really only works properly on Chrome anyway.)

[doogly]

Why on earth should a web developer support a browser longer than people who publish the browser themselves?

[ManaUser]

Why on earth should a web developer support a browser longer than people who publish the browser themselves?

Depends on what you mean by "support". If you mean extensive testing to verify every page renders correctly in a specific old browser, then no that's probably not worth it. If you mean taking a few basic steps to ensure minimal functionality for old browsers in general, then a better question is "why not?".

Leaving http available when there's no good reason why a page needs encryption would definitely come in latter category.

[doogly]

Why on earth should a web developer support a browser longer than people who publish the browser themselves?

Depends on what you mean by "support". If you mean extensive testing to verify every page renders correctly in a specific old browser, then no that's probably not worth it. If you mean taking a few basic steps to ensure minimal functionality for old browsers in general, then a better question is "why not?".

Everyone is going to die, and our time is our most precious resource. "Why not?" is the easiest question to answer - there is something else you'd rather do. An unsupported browser is not "still kind of minimally supported if I don't do anything fancy." It means you go into the wild world without support. Maybe it "just works," which is always great, but if things require any basic steps at all, those steps would constitute "support."

[commodorejohn]

Man, I don't even care if developers don't want to bother putting time and effort into supporting my choice of browser - I'd just appreciate it if they didn't go out of their way to screw me over for it.

[Mike Rosoft]

Well, I have asked Randall, and he told me that he has been investigating which browser you personally have been using and intentionally installed a certificate which your browser doesn't support.

Seriously: Sometimes old things stop working. Deal with it - time to upgrade. A new version of Firefox is free, and so is Pale Moon if you don't like the changes that Firefox has been making.

[LaserGuy]

Also mass encryption makes everyone safer. It creates a kind of herd immunity against phishing sites and malware.