By Glenn Fleishman
October 15, 2014 11:11 AM PT
The Untimely Death of IE6
[Glenn Fleishman is the editor and publisher of The Magazine, which is currently crowdfunding an anthology of the best work of its second year in publication. He writes regularly for the Economist, Boing Boing, and Macworld, and tweets incessantly—oh why won’t he stop?—at @glennf.]
On the Internet, nobody knows you’re a dog, unless you’re a poodle, and then everyone is talking about you. The latest massive security exploit affecting a large swath of websites is called “Poodle,” and has to do with backwards-compatible support for secure connections between browsers and web servers. An attacker watching browser/server connections can effectively “sidejack” a connection, stealing an authentication cookie that would allow access to an active session.
That dog’s gonna hunt: It may finally be the thing that sends ol’ Internet Explorer 6 to a farm upstate, if you know what I mean.
In March 2012, Microsoft baked a cake for IE6: not to celebrate an anniversary, but cheer at its vastly shrunken marketshare. Arguably the worst version of IE that the company ever released, it remained in broad use many years after its introduction because it was part of Windows XP, which is both the most widely pirated and most heavily used legacy edition of the operating system.
But IE6 won’t die. In China, its usage still represents over 10 percent of web visits; in most other countries, it’s below one percent. Weighted by all desktop users, however, Microsoft (using Net Applications data) pegs IE as 3.8 percent of global use. With hundreds of millions of desktop computer users worldwide, this translates to tens of millions of IE6 users.
In America, despite the very low usage rate of IE6, many companies have clung to Windows XP because they built in-house apps that continue to work and lack the budget, time, or potentially knowledge to upgrade without breaking them. Even though IE8 would be the correct choice for the last-patched version of XP, IE6 is the standard.
Because of the numbers, websites cannot give up on IE6, especially sites that serve global audiences. Ask any web designer about it, and despite tools like Modernizr, they will still throw up their hands about the workarounds they have to employ to keep IE6 users happy. They represent an economic force, even as Microsoft has put Windows XP to its final death, no longer offering ongoing support for most users. (Corporations still have options.)
Poodle may finally put IE6 to death, because IE6 can only use modern web security protocols in a Windows XP system that’s been upgraded to Service Pack 3 or 4.1 You may know the secure web protocol used for HTTPS sessions as SSL (Secure Sockets Layer), a technology originally developed by Mosaic Communications (Netscape’s creator), and off patent for a few years now. Its replacement (in 1999!) was called TLS (Transport Layer Security), which has been continuously developed and improved, with the last major release in 2008 (TLSv1.2). Security experts often refer to TLS or TLS/SSL for clarity.
When a browser connects to a server securely, it has to do a little protocol dance, in which the browser and server discuss what kinds of encryption and other methods they have available, and agree on the most-compatible one—i.e., the oldest (or worst) one that both support, as it’s the lowest-common denominator between the two. (I wrote broadly about this problem of crufty old software and hardware with the insight ACLU’s Chris Soghoian for Boing Boing a few weeks ago.)
Despite the introduction of TLS in 1999 and the fact that the last verson of SSL (SSLv3) was released in 1996, web servers generally have continued to support SSLv3 to this day because it’s the latest version that IE6 supports.
The Poodle exploit kills SSLv3. There’s no way to fix it; it can only be disabled in web servers. You can read cryptographer Matthew Green’s technical explanation of how the exploit works, but there’s no mitigation. The protocol has to be abandoned. As he notes, “Note that this entire vulnerability stems from the fact that SSLv3 is older than Methuselah. In fact, there are voting-age children who are younger than SSLv3.”
I immediately disabled SSLv3 as an option on all the servers I operate or help administer. (For Apache users, in the SSL configuration file or section, modify the line that starts
SSLProtocol to read in full
SSLProtocol All -SSLv2 -SSLv3; if the line doesn’t exist, it needs to be added. If you use another server or have no idea what I mean, get an admin or host’s help. Test your site at Qualys.)
It’s likely that IE6 users around the globe who need to make secure connections to servers outside their control will see a lot of failures today. Government agencies often support the oldest browsers (because they are used internally for far too long or because of marketshare among the public), but given this weakness, have little choice.
Keeping SSLv3 alive renders all IE6 users vulnerable to session hijacking by people in a coffeeshop on the same network or governments or other parties that have access to traffic at higher-level networks. Disabling SSLv3 puts IE6 to its sweet and final rest, and upgrades the Internet’s security by a few notches.
Cloudflare, an attack-resistent content-distribution network, says of all Windows XP connections, 98.8 percent are using TLS. However, because Windows XP SP3 and SP4 can run IE7 or IE8—and all versions can run other browsers—and because pirated copies of XP aren’t always patched, the intersection of IE6 users and older XP users has a strong crossover. ↩
[If you appreciate articles like this one, help us continue doing Six Colors (and get some fun benefits) by becoming a Six Colors subscriber.]