You are browsing a read-only backup copy of Wikitech. The live site can be found at wikitech.wikimedia.org

Difference between revisions of "HTTPS/Browser Recommendations"

imported>BBlack
 
imported>BBlack
(iOS: Update recommendation to iOS 10 (LE Root))
 
(14 intermediate revisions by 13 users not shown)
Line 1: Line 1:
== Network Security Matters ==
<div style="float: right;clear: right;width: auto;background: none;padding: .5em 0 .8em 1.4em;margin-bottom: .5em; ">__TOC__</div>
If you're reading this web page, that means [[:en:HTTPS|HTTPS]] is working on your computer or mobile device. However, that's just a first step. Many older computers, mobile devices and/or web browsers only support outdated cryptographic methods that are becoming insecure in the face of modern attacks. This means that if you use an old web browser, you can still read pages on Wikipedia, but your browsing activity cannot always be encypted in a secure way.


Following the advice below will help you to make sure that you are using the best HTTPS cryptographic methods available today.
Wikimedia encourages its readers to use modern [[:en:web browsers|web browsers]] which support secure internet connections. Below are recommendations for how to update to a modern web browser.


In the future, Wikimedia may require stronger minimum levels of cryptographic abilities from your computer or mobile device in order to access our sites like '''Wikipedia'''. Many other sites on the Internet are (or will be) doing the same. Keeping up-to-date with security updates from web browsers and operating systems will be essential for staying secure and continuing full access to all websites on the Internet.
Many older computers, mobile devices or web browsers only support outdated cryptographic methods that are becoming insecure in the face of modern attacks. Wikimedia will no longer support these outdated cryptographic methods to ensure security against eavesdropping and interferance ([[:en:man-in-the-middle attack|man-in-the-middle attack]]s or [[w:en:Downgrade attack|downgrade attacks]]). Many other sites on the Internet also require (or will soon require) a strong minimum levels of cryptographic abilities from your computer or mobile device. Keeping up-to-date with security updates from web browsers and operating systems will be essential for staying secure and continuing full access to all websites on the Internet.


== Advice ==
== Advice ==
=== For all users ===
=== For all users ===
* Please make sure you have applied the latest security updates to your Operating System and Web Browser. Remember that for most browsers and devices, they will only be updated after you fully close them and restart them.
* Please make sure you have applied the latest security updates to your operating system and have updated your web browser. Remember that for most browsers and devices, they will only be updated after you fully close them and restart them.
* Disable (or uninstall) any 3rd party "Anti-Virus" software.  Most of them do more harm than good when they interfere with your browser's secure connections.<ref>http://robert.ocallahan.org/2017/01/disable-your-antivirus-software-except.html</ref><ref>https://jhalderm.com/pub/papers/interception-ndss17.pdf</ref>
* Disable or uninstall any 3rd party "anti-virus" software.  Most of them do more harm than good when they interfere with your browser's secure connections.<ref>http://robert.ocallahan.org/2017/01/disable-your-antivirus-software-except.html</ref><ref>https://jhalderm.com/pub/papers/interception-ndss17.pdf</ref>
 
=== For users of Microsoft Windows ===
=== For users of Microsoft Windows ===
*'''Windows XP'''
* '''Windows XP'''
** '''If you ''must'' use Windows XP, [https://www.mozilla.org/firefox/organizations/all/ install and use Firefox 52 ESR instead of Internet Explorer] before 2017-10-17 to avoid loss of access to our wikis!'''
** If you must use Windows XP, [https://www.mozilla.org/firefox/organizations/all/ install and use Firefox 52 ESR instead of Internet Explorer] to access our sites.<ref group="n">Our sites no longer allow pageviews from IE-on-XP at all, other than a few minor exceptions like Wikitech itself, the site you're reading now.</ref>
** If possible, please upgrade to Windows 7 or higher, or any other operating system available. Windows XP has '''very serious security flaws'''. Microsoft ended all technical support for this system version in 2014. <ref name="windows-lifecycle-fact-sheet">https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet</ref> Microsoft provides no more security updates for the many flaws which have been discovered in Windows XP and its version of Internet Explorer after 2014.
** If possible, please upgrade to Windows 8.1 or Windows 10, or any other operating system available. Windows XP has very serious security flaws.{{#tag:ref|Microsoft ended all technical support for this system version in 2014.<ref name="windows-lifecycle-fact-sheet">https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet</ref> Microsoft provides no more security updates for the many flaws which have been discovered in Windows XP and its version of Internet Explorer after 2014.
** ''Update 2017-08-17:'' More-detailed technical information about removal of IE-on-XP support from our projects by 2017-10-17 is available at [[HTTPS/3DES_Deprecation]]
 
*'''Windows Vista''' - Microsoft no longer supports Vista, and does not provide security updates since April 2017<ref name="windows-lifecycle-fact-sheet"/>.
More-detailed technical information about removal of IE-on-XP support from our projects by 2017-10-17 is available at [[HTTPS/3DES Deprecation]]|group="n"}}
**Advice is the generally the same as XP: You should upgrade to Windows 7 or Windows 10.
* '''Windows Vista'''
**If you cannot upgrade, your best option is to install and [https://www.mozilla.org/en-US/firefox/organizations/all/ '''use Firefox 52 ESR''' instead of Explorer].
** If you must use Windows Vista, install and [https://www.mozilla.org/en-US/firefox/organizations/all/ '''use Firefox 52 ESR''' instead of Internet Explorer] to access our sites.
*'''Windows 7 through 10'''
** You should upgrade to Windows 8.1 or Windows 10.<ref group="n">Microsoft no longer supports Vista, and does not provide security updates since April 2017.</ref>
**Internet Explorer 11 is the '''only''' version of IE that is currently supported by Microsoft. There are no security updates for Internet Explorer 10 and older versions, since 2016.<ref>https://www.microsoft.com/en-us/WindowsForBusiness/End-of-IE-support</ref> These earlier versions also do not have modern HTTPS capabilities. It is highly recommended that you either upgrade to Internet Explorer 11, or the '''[https://www.microsoft.com/en-us/windows/microsoft-edge Microsoft Edge]''' browser.
* '''Windows 7'''
**Alternatively, you can install and use a different browser: [https://www.mozilla.org/en-US/firefox/new/ Firefox], [https://www.google.com/chrome/browser/desktop/ Chrome], or [https://www.opera.com/ Opera].
** If you must use Windows 7, use a supported browser such as [https://www.mozilla.org/en-US/firefox/new/ Firefox], [https://www.google.com/chrome/browser/desktop/ Chrome], or [https://www.opera.com/ Opera].
**Please also ensure you stay up-to-date on security updates from Windows Update, and ensure you regularly upgrade your alternative browser if applicable.
** If you must use the unsupported Internet Explorer 11 on Windows 7, you're able to do so, but you might need to open Settings and click the checkbox to "Enable TLS 1.2" under <em>Internet Options -> Advanced -> (Security section)</em>
** You should upgrade to Windows 8.1 or Windows 10.<ref group="n">Microsoft no longer supports Windows 7 (including Internet Explorer on Win7), and does not provide security updates since January 2020.</ref>
* '''Windows 8.1 and Windows 10'''
** You should upgrade the '''[https://www.microsoft.com/en-us/windows/microsoft-edge Microsoft Edge]''' browser or switch to a different browser such as [https://www.mozilla.org/en-US/firefox/new/ Firefox], [https://www.google.com/chrome/browser/desktop/ Chrome], or [https://www.opera.com/ Opera].
** Please also ensure you stay up-to-date on security updates from Windows Update, and ensure you regularly upgrade your alternative browser if applicable.


=== For users of Apple Mac OS X ===
=== For users of Apple macOS ===
Upgrade your operating system to Mac OS 10.11 (El Capitan) or higher [https://support.apple.com/kb/SP728?locale=en_US if your hardware supports it]. If that is not possible, upgrade to the latest Mac OS release available for your computer, and consider installing an alternate secure browser instead of Safari. Such as [https://www.google.com/chrome/browser/desktop/ Chrome], [https://www.mozilla.org/en-US/firefox/new/ Firefox], or [https://www.opera.com/ Opera].
Upgrade your operating system to Mac OS 10.12.1 (Sierra) or higher [https://support.apple.com/kb/SP742?viewlocale=en_US&locale=en_US if your hardware supports it]. If that is not possible, upgrade to the latest macOS release available for your computer, and consider installing an alternate secure browser instead of Safari. Such as [https://www.google.com/chrome/browser/desktop/ Chrome], [https://www.mozilla.org/en-US/firefox/new/ Firefox], or [https://www.opera.com/ Opera].


=== For users of Apple iPhone, iPad, and iPod ===
=== For users of Apple iPhone, iPad, and iPod ===
Upgrade to iOS version 9 (or higher) [[:en:IOS_9#Supported_devices|if supported on your device]]. If your device is too old for iOS 9, consider a device upgrade. Check to ensure you have the latest version of whatever browser you may use in the App Store.
Upgrade to iOS version 10 (or higher) [[:en:IOS 10#Supported devices|if supported on your device]]. If your device is too old for iOS 10, consider a device upgrade. Check to ensure you have the latest version of whatever browser you may use in the App Store.


=== For users of Android devices ===
=== For users of Android devices ===
Upgrade to the latest version of Android that is possible for your device. Consider a device upgrade if your Android software cannot be upgraded to at least [[:en:Android_KitKat|version 4.4]], which was initially released by Google in 2013. Check the Play Store (or vendor-specific app store) to ensure you've installed the latest updates to core components and the browser (usually Chrome).
Upgrade to the latest version of Android that is possible for your device. Consider a device upgrade if your Android software cannot be upgraded to at least [[:en:Android KitKat|version 4.4]], which was initially released by Google in 2013. Check the Play Store (or vendor-specific app store) to ensure you've installed the latest updates to core components and the browser (usually Chrome).


=== For IT personnel that manage outbound Proxy appliances ===
=== For IT personnel that manage outbound Proxy appliances ===
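Review bot: The rewritten lead paragraph ("Many older computers ... Wikimedia will no longer support these outdated cryptographic methods ...") introduces the misspelling "interferance" and a number disagreement in "a strong minimum levels of cryptographic abilities"; suggest "interference" and "a strong minimum level". In the macOS paragraph, the carried-over fragment "Such as [Chrome], [Firefox], or [Opera]." should be joined to the preceding sentence. The same paragraph names the release "Mac OS 10.12.1 (Sierra)" while the new heading and the next sentence say "macOS"; one spelling should be used throughout.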
Line 37: Line 42:
Logs for Wikipedia have indicated that there are many requests from corporate desktop browsers that meet the version requirements of operating system, web browser, and device - but still suffer from downgraded cipher choice when communicating over the Internet due to outdated or poorly configured outbound proxies.
Logs for Wikipedia have indicated that there are many requests from corporate desktop browsers that meet the version requirements of operating system, web browser, and device - but still suffer from downgraded cipher choice when communicating over the Internet due to outdated or poorly configured outbound proxies.


You may use an online tester to check which ciphers are supported by your the browser you are currently using, such as the one provided by [https://www.ssllabs.com/ssltest/viewMyClient.html Qualys (SSL Labs)] or [https://cc.dcsec.uni-hannover.de/ the DCSEC research group at Leibniz University Hannover].
You may use an online tester to check which ciphers are supported by the browser you are currently using, such as the one provided by [https://www.ssllabs.com/ssltest/viewMyClient.html Qualys (SSL Labs)].
 
== Notes ==
{{Reflist|group=n}}


==References==
== References ==
{{Reflist}}
{{Reflist}}
__NOTOC__
 
== See also ==
* [[mw:Compatibility#Browsers]]
 
[[Category:TLS]]

Latest revision as of 19:57, 23 September 2021

Wikimedia encourages its readers to use modern web browsers which support secure internet connections. Below are recommendations for how to update to a modern web browser.

Many older computers, mobile devices or web browsers only support outdated cryptographic methods that are becoming insecure in the face of modern attacks. Wikimedia will no longer support these outdated cryptographic methods, to ensure security against eavesdropping and interference (man-in-the-middle attacks or downgrade attacks). Many other sites on the Internet also require (or will soon require) a strong minimum level of cryptographic abilities from your computer or mobile device. Keeping up-to-date with security updates from web browsers and operating systems will be essential for staying secure and continuing full access to all websites on the Internet.

Advice

For all users

  • Please make sure you have applied the latest security updates to your operating system and have updated your web browser. Remember that for most browsers and devices, they will only be updated after you fully close them and restart them.
  • Disable or uninstall any 3rd party "anti-virus" software. Most of them do more harm than good when they interfere with your browser's secure connections.[1][2]

For users of Microsoft Windows

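  • Windows XP
    • If you must use Windows XP, install and use Firefox 52 ESR instead of Internet Explorer to access our sites.[n 1]
    • If possible, please upgrade to Windows 8.1 or Windows 10, or any other operating system available. Windows XP has very serious security flaws.[n 2]
  • Windows Vista
    • If you must use Windows Vista, install and use Firefox 52 ESR instead of Internet Explorer to access our sites.
    • You should upgrade to Windows 8.1 or Windows 10.[n 3]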
  • Windows 7
    • If you must use Windows 7, use a supported browser such as Firefox, Chrome, or Opera.
    • If you must use the unsupported Internet Explorer 11 on Windows 7, you're able to do so, but you might need to open Settings and click the checkbox to "Enable TLS 1.2" under Internet Options -> Advanced -> (Security section).
    • You should upgrade to Windows 8.1 or Windows 10.[n 4]
  • Windows 8.1 and Windows 10
    • You should upgrade the Microsoft Edge browser or switch to a different browser such as Firefox, Chrome, or Opera.
    • Please also ensure you stay up-to-date on security updates from Windows Update, and ensure you regularly upgrade your alternative browser if applicable.

For users of Apple macOS

Upgrade your operating system to Mac OS 10.12.1 (Sierra) or higher if your hardware supports it. If that is not possible, upgrade to the latest macOS release available for your computer, and consider installing an alternate secure browser instead of Safari, such as Chrome, Firefox, or Opera.

For users of Apple iPhone, iPad, and iPod

Upgrade to iOS version 10 (or higher) if supported on your device. If your device is too old for iOS 10, consider a device upgrade. Check to ensure you have the latest version of whatever browser you may use in the App Store.

For users of Android devices

Upgrade to the latest version of Android that is possible for your device. Consider a device upgrade if your Android software cannot be upgraded to at least version 4.4, which was initially released by Google in 2013. Check the Play Store (or vendor-specific app store) to ensure you've installed the latest updates to core components and the browser (usually Chrome).

For IT personnel that manage outbound Proxy appliances

Please ensure you are running the latest stable software release from your vendor, and that you keep up with this regularly. Please also consult your vendor and/or their documentation as to how you may need to configure your outbound proxy to support stronger TLSv1.2+ encryption with Forward Secrecy and AEAD ciphers.

Logs for Wikipedia have indicated that there are many requests from corporate desktop browsers that meet the version requirements of operating system, web browser, and device - but still suffer from downgraded cipher choice when communicating over the Internet due to outdated or poorly configured outbound proxies.

You may use an online tester to check which ciphers are supported by the browser you are currently using, such as the one provided by Qualys (SSL Labs).
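As an added illustration of the proxy advice above (not Wikimedia's code), the following sketch checks negotiated connections against the stated target of TLSv1.2+ with forward secrecy and AEAD ciphers, and groups failures by user agent so that current browsers stuck behind a downgrading proxy stand out. The log line layout, the sample entries and all function names are assumptions; cipher names follow OpenSSL's naming.

```python
import re

# Key-exchange prefixes that provide forward secrecy in OpenSSL-style names.
FS_PREFIXES = ("ECDHE-", "DHE-")
# Substrings that mark an AEAD bulk cipher in OpenSSL-style names.
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")
TLS_VERSION = re.compile(r"^TLSv1(?:\.(\d))?$")


def problems(protocol, cipher):
    """Return the criteria a negotiated connection fails (empty list = fine)."""
    found = []
    m = TLS_VERSION.match(protocol)
    minor = int(m.group(1) or 0) if m else -1  # SSLv3 and unknown values -> -1
    if minor < 2:
        found.append("protocol below TLSv1.2")
    if minor >= 3:
        return found  # every TLS 1.3 suite is ephemeral key exchange plus AEAD
    if not cipher.startswith(FS_PREFIXES):
        found.append("no forward secrecy")
    if not any(marker in cipher for marker in AEAD_MARKERS):
        found.append("no AEAD cipher")
    return found


def audit(log_lines):
    """Count failed criteria per user agent: {user_agent: {problem: count}}."""
    report = {}
    for line in log_lines:
        protocol, cipher, user_agent = line.split(None, 2)
        for problem in problems(protocol, cipher):
            per_ua = report.setdefault(user_agent, {})
            per_ua[problem] = per_ua.get(problem, 0) + 1
    return report


# Constructed sample entries: "<protocol> <cipher> <user agent>".
SAMPLE_LOG = [
    "TLSv1.3 TLS_AES_256_GCM_SHA384 Firefox/91.0",
    "TLSv1.2 ECDHE-ECDSA-CHACHA20-POLY1305 Chrome/93.0",
    "TLSv1.2 AES128-SHA Chrome/93.0",             # current browser, weak suite
    "TLSv1.2 ECDHE-RSA-AES128-SHA Firefox/91.0",  # forward secrecy, but CBC
    "TLSv1 DES-CBC3-SHA MSIE/8.0",
]

if __name__ == "__main__":
    for user_agent, counts in sorted(audit(SAMPLE_LOG).items()):
        print(user_agent, counts)
```

A current browser appearing in this report, as Chrome/93.0 does in the sample, points at something between the browser and the server, such as an outbound proxy, rather than at the browser itself.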

Notes

  1. Our sites no longer allow pageviews from IE-on-XP at all, other than a few minor exceptions like Wikitech itself, the site you're reading now.
  2. Microsoft ended all technical support for this system version in 2014.[3] Microsoft provides no more security updates for the many flaws which have been discovered in Windows XP and its version of Internet Explorer after 2014. More-detailed technical information about removal of IE-on-XP support from our projects by 2017-10-17 is available at HTTPS/3DES Deprecation.
  3. Microsoft no longer supports Vista, and does not provide security updates since April 2017.
  4. Microsoft no longer supports Windows 7 (including Internet Explorer on Win7), and does not provide security updates since January 2020.

References

See also