My iphone 4 will not log in as it can not establish a secure connection.
Is there any way I can update my iPhone 4 to establish a secure connection to the server?
Or is it now actually obsolete?
Or does everyone else’s work OK and I am doing something wrong?
I do have a more up-to-date phone but it is sometimes convenient to be able to use EE instead of O2 and the compact size is an advantage too: so the obvious suggestion of upgrading is actually no help. Any alternatives.?
73,
Rod
Edit:- Settings indicates that the OS is up-to-date with iOS 7.1.2
My old Iphone stopped logging in too. I was told on here that it just was no longer possible with those older phones. So I inherited Mrs P’s newer phone - after checking that it logged into the SOTA sites I use - and she upgraded to an even newer phone.
Web security moves forward and some devices are left behind by the companies (without a plan b )
That and planned obsolescence are sad outburst of “modern” lifestyle.
The crazy fact is that the hardware and battery life expectancy far exceeds the software life expectancy and support for many products. BlackBerry 10’s also fall in the category of not working to the new security standards with no support to upgrade the BlackBerry Software. I have an iPad2 the version of IOS on that also does not work to the new security.
I have a Samsung Galaxy Note 2 that runs Android 4.4 (circa 2014) the default browser does not work to SOTAwatch but if you use the Google Chrome browser it does work for SOTAwatch. How much longer it will work remains to be seen.
Some things come as a surprise. I recently loaded Office 2000 onto a Windows 10 machine. Despite some protestations during the loading the Office 2000 appears to work even if it is not supported.
So there is no guessing on what is compatible with what !
Most of these problems are the deprecation of older security standards which stopped being secure. The no-longer-secure software standards are dropped and as long as you can update your devices to the latest standards then there is no problem. In the case of a number of older devices, the manufacturer no longer supports them and so there are no software upgrades to the new standards available. It’s not just Apple that this affects but they are one of the most obvious because of their “walled garden” approach to what software they will allow you to install. Blackberry no longer make phones so no longer support them.
Experience shows that the only way to get some people to stop using insecure software is to no longer allow it to connect to anything. If we allowed insecure protocols to access SOTA because SOTA is a hobby then sadly, some users would continue to use the insecure software to access important services such as banking etc. So it becomes a brutal “you can’t do that anymore” fix to the security issues and that sadly makes a number of devices useless. You either have to upgrade to continue to access services or do without, no half-measures.
One the next big shutdowns is the closure of 3G networks. This will affect older phones as when there is no 3G they will switch back to 2G and there is a lot less capacity on the remaining 2G networks with much slower data throughput. I am surprised that Mrs. FMF’s old Sony Experia phone which is 7-8 years old and 2G/3G only still takes a licking and keeps ticking, it still has acceptable battery life. She has grown attached to the device and was upset she’ll have to upgrade it soon.
I’m a terrible magpie but have collected up all the phones in the house that really need to go to recycling. There 4x 2G only, 4x 2G/3G multiband, all work but 2 have dead batteries… I still have 3 Android 4g phones in use! 11 phones in 21 years is not very green. It’s why the 4G Android phones are still being used and will be for as long as possible.
If this is a relatively recent thing, this is due to LetsEncrypt changing the certificate chain they use for signing SSL certificates. The older systems do not have this chain installed and will reject the SSL secure connection. LE are issuing a reasonable percentage of all SSL certificates these days so this will impact a lot of sites on ancient devices.
I believe there’s a workaround on some systems to import the certificate chain, but it’s likely quite onerous on Apple products. Google should be able to help.
It’s not a certificate chain issue : it relates to deprecated cipher suites used for encryption of the https channel.
Websites are advised to drop support for the deprecated suites to preserve security. This blocks access to devices/browsers that don’t have more modern cipher suites available. Same applies to outdated PC browsers as well.
All perfectly true, but this zealous approach tends to ignore security economics. Most of the supposedly “broken” cipher suites still require significant resources to break a specific instance. For a start, for an SSL weakness to be exploitable, the attacker needs to be able to intercept the encrypted traffic in the first place. GCHQ (wlog) may have no problem with that, but mostly it is quite hard to read, let alone modify, somebody else’s network traffic. Having got the traffic, even a “weak” cipher is likely to need substantial compute power to decrypt (it was “strong” a few years ago, remember). I think it is fair to say that it is not plausible that anybody would put such effort into reading SOTAwatch traffic, and it wouldn’t do them much good if they did.
The same argument applies a fortiori to attempts to mount a man-in-the-middle attack to alter the traffic.
I would expect my bank’s web site and anything handling sensitive personal data to insist on the latest security standards, but I venture to suggest that it would do no harm, and much good, for a hobby site to continue to allow the older cipher suites. Of course that may not be possible if the security zealots have actually deleted the code, but quite often you find that they have merely changed the default options and it is possible to restore support for legacy cipher suites in a configuration file. Newer clients should still negotiate the stronger suites, so they are no worse off.
To be fair, the hosting instance we use has disabled all non-Forward Secrecy ciphers, but kept all the usual FS ciphers available. Given there’s been practical attacks shown on non-FS ciphers I think that’s reasonable, and given TLS1.3 requires it, it’s not going away.
We only get an A on SSLTest instead of an A+, as a consequence.
(I agree that SW traffic is not going to be an issue, but given I can’t say the same about SSO given potential password reuse, we’re going to run into the problem eventually)
Given the number of issues I am seeing in schools ( primary ones not hoacker hotbeds … ) where resources have been trashed due to a security flaw I think we ought to do as much as possible to keep the systems safe. It does not make sense to me why someone would want to “break” our systems, but then again it does not make sense why someone would deliberatly tune up over a sota station… …t it also does not make sense why someone would encrypt a server with kids work on it … Unfortunatly they did…
I’m sure they are now operating on the basis of automated searching for hackable sites, regardless of the content, and then checking out what they have succeeded with, so everyone is vulnerable.
I run a small website for a photo club and the volume of hack attempts is astonishing. I am very hot on applying server and app patches, as well as having daily backups in place. It takes work, but it’s probably worth it to avoid the pain.
I think there is a fairly widespread and slightly dangerous misconception here. The cryptographic security we are talking about here does nothing to make a site safe or secure or protect it from attackers. The transport layer security we are discussing does two things:
It enables the client to be confident that it has connected directly to the intended server, provided that the certificate verification is done correctly
It secures the traffic from being read or modified by an eavesdropper at an intermediate point on the network.
If either the client or the server are already compromised, all bets are off. If the site itself has a vulnerability (such as a SQL injection flaw) then transport layer security does nothing to protect it from exploitation by a malicious client.
I am glad I asked the question
The answer appears to be “yes” - but I can still read pages that don’t require a login and it still does email, sms and works as a phone too.
Thanks for the very varied answers. There appears to be a bit of a can-of-worms here but it is taking me to a bit of IT I never got to grips with when I worked in the field. A lot happens in nearly 20 years.
Any bets on how long I have with the iPhone 7?
73,
Rod
It’s was released in 2016 so it is already a 5 year old design. It’s already obsolete in phone life terms. Use it till you can’t. Dump it, buy another, lather, rinse, repeat.
True, but (in the context of this thread) it’s only a problem if the administrators actually log in from an old device using the weaker crypto. And they don’t use 2FA etc etc.
