Six months or so ago, I dumped Mozilla Firefox in favor of the Pale Moon browser for several reasons: "constant memory leaks, constant interface revisions, the need to support really old hardware, and for some, minor political considerations." (If you hadn't heard about the political considerations, consider yourself fortunate; this was Mozilla's response.) For me, this was an easy migration, what with Pale Moon being essentially a fork of Firefox, based on Firefox code from a relatively stable period. This is not, incidentally, the only Foxalike out there: the Waterfox browser is a Firefox variant designed exclusively for 64-bit Windows.

And all went well at this end until Wednesday morning, when Pale Moon was not allowed to connect to my bank. Literally. "You shall not pass," said their security whatzit. After twiddling settings and getting nowhere in particular, I hit up the bank's Twitter account and asked what gives. Their spokestweeter said they'd pass it off to their IT guys, and eventually came back with a response: "Because Pale Moon is an open source browser, we do not support it. IE, Chrome & Safari are the only supported browsers." Not even Firefox! (And Firefox is, indeed, open source, else there wouldn't be any code forks from it in the first place.)

I was, of course, astute enough to include @palemoonbrowser in the conversation, and they responded: "This is likely a problem with incorrect security setup on the bank's server."

Which is about what I'd concluded, given the fact that my quickie fix — paste the IE user-agent string into Pale Moon output for those domains only — actually did not work, telling me that it had to be something more than mere browser-sniffing. And this appears to be the truth of the matter:

Connections to secure servers (https) that might have worked prior to 25.0.2 may stop working in 25.0.2 and later. You may get errors like "Connection interrupted while the page was loading", "no cypher overlap" or "ssl_error_bad_mac_read" and similar.

This is caused by 25.0.2 disabling the SSL 3.0 protocol for secure connections.

Why was SSL 3.0 disabled?

To be brief: because it is no longer secure and can be abused for Man-in-the-Middle attacks. By its popular acronym it's known as POODLE, and you can find information about it on the web.

To borrow a chunk of the pertinent Wikipedia article: "The POODLE attack (which stands for 'Padding Oracle On Downgraded Legacy Encryption') is a man-in-the-middle exploit which takes advantage of Internet and security software clients' fallback to SSL 3.0." SSL was invented by Netscape, and finding this out, if you ask me, is kind of like finding that the part for which your car is being recalled was first used in a '42 DeSoto; the latest version, 3.0, dates to 1996. It was September 2014, though, before this particular insecurity was revealed to the general public.

The Pale Moon developer continues:

Some https servers will no longer work for Pale Moon as a result of disabling SSL 3.0. This can happen in 2 situations, both of which need to be addressed by the server operators.
  1. The server only supports the SSL 3.0 protocol. This is pretty bad, but can happen with misconfigured or particularly old servers. TLS has been around for a long time, and should have been enabled a long time ago.
  2. The server does support TLS, but doesn't support TLS 1.2 and has secure renegotiation disabled. Once again, not supporting TLS 1.2 means that the server software should be upgraded to a recent version (any modern version of web server software will support TLS 1.2 and its more secure ciphers). The other problem, the lack of secure renegotiation, is something that is likely left over from the SSL/TLS gap a long time ago, where, for a time, it was recommended to disable this as a temporary workaround while software was updated. It seems that server operators have never disabled this workaround that is, at most, a crutch and not a solution for a now no longer applicable problem.

[Emphasis in the original.] What's more, the developer also tweeted a link with that information to the bank, which I of course found gratifying, spiteful creature that I am. Whether anything will be done about it remains to be seen. In the meantime, strictly for bank use, I have blown the dust off a copy of IE 11: Safari is no longer being offered to Windows users, and since I don't have a gun to my head at this moment, I'm not considering Chrome.
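To make the two server-side situations the Pale Moon developer lists concrete, here is an added toy model (not Pale Moon's or the bank's code) of the version negotiation and the old browser fallback, written in Python. The version sets for each profile are assumed, as is the simplification that the secure-renegotiation check applies to TLS handshakes but not to an SSL 3.0 fallback, which is what lets such servers work before 25.0.2 and fail after.

```python
# Added toy model of SSL/TLS version negotiation; versions use the on-the-wire (major, minor) numbering.
from dataclasses import dataclass

SSL30, TLS10, TLS11, TLS12 = (3, 0), (3, 1), (3, 2), (3, 3)


@dataclass(frozen=True)
class Server:
    versions: frozenset         # protocol versions the server will accept
    secure_renegotiation: bool  # RFC 5746 secure renegotiation enabled


def negotiate(offered: frozenset, server: Server):
    """One handshake attempt: the server picks the highest version it shares with the
    client. Per the quoted rule, a TLS connection below 1.2 is refused when the server
    lacks secure renegotiation; assumption: an SSL 3.0 handshake skips that check."""
    common = offered & server.versions
    if not common:
        return None, "no protocol version in common"
    chosen = max(common)
    if TLS10 <= chosen < TLS12 and not server.secure_renegotiation:
        return None, "no TLS 1.2 and secure renegotiation disabled"
    return chosen, "ok"


def connect(client_versions: frozenset, server: Server):
    """Legacy browser fallback: after a failed attempt, retry with the next lower version
    still offered. Removing SSL 3.0 from the client list (25.0.2) stops it landing there."""
    offered, why = set(client_versions), "client offers no versions"
    while offered:
        chosen, why = negotiate(frozenset(offered), server)
        if chosen is not None:
            return chosen, why
        offered.discard(max(offered))
    return None, why


def diagnose(server: Server) -> str:
    """Classify a server profile by the developer's two situations."""
    if server.versions <= {SSL30}:
        return "situation 1: SSL 3.0 only"
    if TLS12 not in server.versions and not server.secure_renegotiation:
        return "situation 2: no TLS 1.2 and secure renegotiation disabled"
    return "not affected by the SSL 3.0 removal"


# Constructed profiles (assumed, not measured from any real site).
PALE_MOON_OLD = frozenset({SSL30, TLS10, TLS11, TLS12})
PALE_MOON_25_0_2 = frozenset({TLS10, TLS11, TLS12})
SSL3_ONLY = Server(frozenset({SSL30}), secure_renegotiation=False)
STALE_TLS10 = Server(frozenset({SSL30, TLS10}), secure_renegotiation=False)
MODERN = Server(frozenset({TLS10, TLS11, TLS12}), secure_renegotiation=True)
```

Running connect() for each client against each server shows the old client quietly landing on SSL 3.0 for both broken servers, while 25.0.2 fails on them and still reaches TLS 1.2 on the modern one.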

The Vent

#891
  1 November 2014


 Copyright © 2014 by Charles G. Hill