Six months or so ago, I dumped Mozilla Firefox in favor of the Pale Moon browser for several reasons: "constant memory leaks, constant interface revisions, the need to support really old hardware, and for some, minor political considerations." (If you hadn't heard about the political considerations, consider yourself fortunate; this was Mozilla's response.) For me, this was an easy migration, what with Pale Moon being essentially a fork of Firefox, based on Firefox code from a relatively stable period. This is not, incidentally, the only Foxalike out there: the Waterfox browser is a Firefox variant designed exclusively for 64-bit Windows.
And all went well at this end until Wednesday morning, when Pale Moon was not allowed to connect to my bank. Literally. "You shall not pass," said their security whatzit. After twiddling settings and getting nowhere in particular, I hit up the bank's Twitter account and asked what gives. Their spokestweeter said they'd pass it off to their IT guys, and eventually came back with a response: "Because Pale Moon is an open source browser, we do not support it. IE, Chrome & Safari are the only supported browsers." Not even Firefox! (And Firefox is, indeed, open source, else there wouldn't be any code forks from it in the first place.)
I was, of course, astute enough to include @palemoonbrowser in the conversation, and they responded: "This is likely a problem with incorrect security setup on the bank's server."
Which is about what I'd concluded, given the fact that my quickie fix paste the IE user-agent string into Pale Moon output for those domains only actually did not work, telling me that it had to be something more than mere browser-sniffing. And this appears to be the truth of the matter:
Connections to secure servers (https) that might have worked prior to 25.0.2 may stop working in 25.0.2 and later. You may get errors like "Connection interrupted while the page was loading", "no cypher overlap" or "ssl_error_bad_mac_read" and similar.
To borrow a chunk of the pertinent Wikipedia article: "The POODLE attack (which stands for 'Padding Oracle On Downgraded Legacy Encryption') is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0." SSL was invented by Netscape, and finding this out, if you ask me, is kind of like finding that the part for which your car is being recalled was first used in a '42 DeSoto; the latest version, 3.0, dates to 1996. It was September 2014, though, before this particular insecurity was revealed to the general public.
The Pale Moon developer continues:
Some https servers will no longer work for Pale Moon as a result of disabling SSL 3.0. This can happen in 2 situations, both need to be addressed by the server operators.
[Emphasis in the original.] What's more, the developer also tweeted a link with that information to the bank, which I of course found gratifying, spiteful creature that I am. Whether anything will be done about it remains to be seen. In the meantime, strictly for bank use, I have blown the dust off a copy of IE 11: Safari is no longer being offered to Windows users, and since I don't have a gun to my head at this moment, I'm not considering Chrome.
| Vent menu |
Copyright © 2014 by Charles G. Hill