[Fed-Talk] Detection of Support of 128 bit Encryption
- Subject: [Fed-Talk] Detection of Support of 128 bit Encryption
- From: William Cerniuk <email@hidden>
- Date: Wed, 10 Nov 2004 08:43:37 -0500
ALCON,
Apologies up front, this is long as my report to a major credit card company is attached.
I found that my credit card company had made a change in their web site and subsequently was rejecting most non Windows MS IE 6 browsers. I downloaded their code, analyzed the problem, and provided them a detailed report with an attached solution. They had the site fixed by the time I entered it the following day. I was impressed with their response.
I wanted to relay this to the list for two reasons: 1) this is an example of how a major corporation can be very responsive to its customers, and 2) here is an easy way to detect 128 bit browser encryption support for the majority of major browsers. IE of course does not adhere to convention and must be handled separately.
Very Respectfully,
Wm. Cerniuk
Army CIO/G6/NETCOM/OITS
Technical Manager, Army Homepage
voice/fax : 877.529.5730
email : email@hidden
PS
Their code line count is 58 lines while mine is 9 (12 if I add in the 3 lines for IE browser support detection). ;-)
--------------------------------------------------
Dear MajorCCCompany,
This memo is in regard to your somewhat recent change in your web site which places a boundary on browsers. The web site, as of 27-Oct-2004, restricts access to older browsers based on detecting the client's browser type and version, but unfortunately, incorrectly.
I wanted to bring this to your attention on behalf of other Mac users in the field who may not understand why they get the "Netscape 4.0 not supported" message. You will likely not get many emails regarding this issue, but you will generate bad user experiences for as long as the issue remains. In all reality, the fix is trivial and the benefits are significant.
Below/attached is a report detailing the issue, identifying the code, and providing an example of an approach that will fix this issue for the long term.
Respectfully,
Wm. Cerniuk
Army CIO/G6/NETCOM/CTO
Technical Manager, Army Homepage
web: http://www.Army.mil
voice/fax : 877.529.5730
email : email@hidden
BLUF:
Sometime in the not too distant past, code was added to the MajorCCCompany account services web site (henceforth "the site") to detect and prohibit access to older browsers not supporting 128 bit encryption. A bug exists in the code's algorithm that causes it to incorrectly identify Apple's Safari, Microsoft Internet Explorer 5.5 on Macintosh, and other browsers as Netscape 4.0-4.7. This restricts the vast majority of MajorCCCompany's Macintosh customers from accessing the web site for credit card management functions. It has been verified that the site previously was standards compliant and thus compatible with a number of browsers available for Mac, including Safari and MSIE 5.5. It has also been verified that the site is currently compatible with Safari, as technical users can bypass the boundary checking code on the site. The code change required to fix this problem borders on trivial and is less time consuming than reading this paragraph.
Recommendation:
It is recommended that the small code change necessary to detect older browsers accurately be effected and thus eliminate this problem for your unsuspecting nontechnical Macintosh users on the web. Code samples and browser User Agent string samples are supplied at the end of this report.
Details:
There is code in place that restricts access to your site based on detection of browser type via the "User Agent" sent from a visitor's browser. From inspection, the primary purpose of this code is to identify whether or not the client's browser supports 128 bit encryption. This code is located in the HTML output at <https://service.MajorCCCompany.com/cgi/Login?Home>. This code takes the approach of prohibiting all browsers which are not identified directly. As there are many more browsers than MS IE and Netscape, this approach is inherently flawed. Conversely, identifying whether a browser supports 128 bit encryption is easily done by checking the User Agent string for the "I" (international) or "U" (United States) indicator. International browsers use 40 bit encryption. Browsers listing "U" all support 128 bit encryption. Checking for the "U" designation in the User Agent provides a clear indication of support for 128 bit (or better) encryption.
Browser Detection Approach:
Because old browsers are not under development, the set of such browsers is relatively small and, most especially, not growing. The majority of new mainstream browsers implement the latest standards, including and especially 128 bit (or greater) encryption. It may be easier and more browser friendly to let the new or unknown browsers pass into the system. Any browser not complying with standards, and specifically not capable of 128 bit encryption, will fail to be able to access the page, provided the server it is accessing does not support 40 bit encryption or has such turned off. Such noncompliant browsers will also number far fewer than the compliant browsers which the site currently blocks today.
Detecting browsers directly and correctly identifying the given browser's ability to perform 128 bit encryption puts the onus on the web developers. Using the User Agent string for generic detection of 128 bit encryption support puts the onus of complying with this convention upon the browser developer.
Code:
The code responsible for blocking browsers in the 'page' <https://service.MajorCCCompany.com/cgi/Login?Home> is appended at the end of this document under the heading "JavaScript Source Code:". A suggestion, or an example of what could replace this code, is presented following the current site's JavaScript code responsible for detection of browser encryption support.
Debugging:
Technical users have the ability with Safari to change the "User Agent" field of the browser to reflect Netscape 7. This means that using Safari, a technical user can trick the site into believing that the browser is Netscape 7.0 instead of Safari 1.2.3. While this is in effect, the site did operate using Safari without issue. Without this in effect, the site incorrectly prohibits access via Safari (or MSIE 5.5 Mac):
You cannot access Online Account Services with your current Web browser.
Possible reasons for this could be one of the following:
* You are using Netscape 4.0 through 4.07, which we cannot support for online account transactions due to security reasons.
* You are using a browser that is incompatible with our Online Account Services system. We suggest Netscape version 4.08 or higher or Internet Explorer version 5.5 or higher. For Macintosh users, we suggest Internet Explorer version 4.5 or higher.
* Your browser does not support 128-bit encryption.
Standards Note:
As the web is based on standards (not defined by a single corporation) and not about particular browsers, these kinds of issues are common. By supporting the standards, and not particular browsers specifically, any web site becomes more available, and will realize a significant drop in end user support issues.
There will sometimes be issues that can only be overcome by browser specific code. Problems such as these are typically related to nonadherence to the JavaScript and HTML standards. Most browsers will refine their approach in subsequent versions to correct these types of issues. For example, there are issues with Microsoft Internet Explorer. These issues are eventually fixed over time by Microsoft. For sites that program to the problem instead of around it, the site in some cases breaks under new MS IE releases. The prudent way to avoid such problems is to provide short 'if IE version 5.5 then' code clauses in the few specific cases required by a site's implementation.
Adherence to standards is ultimately a win for both user and developer as bug work-around code reduces over time while said code supports a wider variety of browsers and ultimately satisfies more users/customers.
JavaScript Source Code:
Current code within the site from <https://service.MajorCCCompany.com/cgi/Login?Home>
---------------------------------------------------------------
// #### cut off Netscape 4.X below 4.08, and double test with layers and user-agent to make sure IE is not cut off
ns4 = (document.layers) ? true:false;
ie4 = (document.all) ? true:false;
minor_browser_version = parseFloat(navigator.appVersion);
agent = navigator.userAgent.toLowerCase();
is_netscape_navigator = ((agent.indexOf('mozilla')!=-1) && (agent.indexOf('spoofer')==-1)
    && (agent.indexOf('compatible') == -1) && (agent.indexOf('opera')==-1)
    && (agent.indexOf('webtv')==-1) && (agent.indexOf('hotjava')==-1));
cutoff_netscape_below = 4.08;
nonCompliant="no";
if ((ns4) && (is_netscape_navigator != -1) && (minor_browser_version < cutoff_netscape_below)) nonCompliant="yes";
else if (!ie4) {
    if ((!ns4) && (is_netscape_navigator != -1) && (minor_browser_version < cutoff_netscape_below)) nonCompliant="yes";
}
//#### Check for non-compliant Microsoft Internet Explorer versions- currently less than MSIE 5.5 sp2.
//#### Do this for Windows 98 only.
//#### MSIE 5.5 sp2 defaults to 128 bit encryption, earlier versions do not
cutoff_ie_below = 5.5;
cutoff_ie_service_pack = 2;
ie = false; //initialize switch for browser type
if(navigator.appName == 'Microsoft Internet Explorer')
    ie = true;
if(ie)
{
    ieIndexVersion = navigator.appVersion.indexOf('MSIE');
    if(ieIndexVersion >=0)
    {
        ieIndexVersion = ieIndexVersion + 4;
        ieIndexOperatingSystem = navigator.appVersion.indexOf('Windows 98');
        if(ieIndexOperatingSystem >=0)
        {
            ieVersion = parseFloat(navigator.appVersion.substr(ieIndexVersion));
            //#### Check service pack (minor version) if 5.5 #### Service Pack 2 is okay, anything below that is not
            if(ieVersion == 5.5)
            {
                ieMinorVersionIndex = navigator.appMinorVersion.indexOf('SP');
                if(ieMinorVersionIndex >= 0)
                {
                    ieMinorVersionIndex = ieMinorVersionIndex + 2;
                    ieMinorVersion = parseFloat(navigator.appMinorVersion.substr(ieMinorVersionIndex));
                    if(ieMinorVersion < 2)
                        nonCompliant="yes";
                }
            }//end if ieVersion == 5.5
            if(ieVersion < 5.5)
            {
                nonCompliant="yes";
            }//end if version < 5.5
        }//end if ieIndexOperatingSystem
    }//end if ieIndexVersion
} //end if ie
---------------------------------------------------------------
Code recommended to identify browser support for 128 bit encryption:
---------------------------------------------------------------
var theUserAgent = navigator.userAgent;
var isMSIEBrowser = theUserAgent.indexOf("MSIE") > 0;
var supports128BitEncryption = false; // set below from the User Agent string
if( isMSIEBrowser ){
    // insert code to set supports128BitEncryption here based upon IE version 5.5 (or greater) detection
}
else {
    // "U" (United States) in the User Agent indicates 128 bit (or better) encryption; "I" (international) indicates 40 bit
    supports128BitEncryption = (theUserAgent.indexOf("U;") > 0 || theUserAgent.indexOf("U)") > 0 );
}
---------------------------------------------------------------
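As an added example (not the memo's own code, and not code from the site), the check described in the Details section and sketched above, written as a stand-alone function that can be run against the User Agent strings in the Browser List below. It parses the tokens of the first parenthesised comment rather than searching for the substrings "U;" and "U)", handles MSIE by its version token (5.5 or greater, as the memo recommends; the service-pack distinction the site's code draws from navigator.appMinorVersion is not visible in the User Agent string), and falls back to the token check for Opera builds that identify themselves as MSIE, which the list shows carry no U/I token. The two IE strings in the sample set are constructed, since the list contains none; the function and variable names are my own.

```javascript
// Added example: User Agent based detection of 128 bit encryption support,
// following the convention described in the memo (U = United States / 128 bit,
// I = international / 40 bit). Function and variable names are my own.

// Return the security token ("U", "I" or "X") from the first parenthesised
// comment of a Mozilla-style User Agent string, or null when none is present.
function securityToken(userAgent) {
  var m = /\(([^)]*)\)/.exec(userAgent);
  if (!m) return null;
  var parts = m[1].split(";");
  for (var i = 0; i < parts.length; i++) {
    var tok = parts[i].replace(/^\s+|\s+$/g, "");
    if (tok === "U" || tok === "I" || tok === "X") return tok;
  }
  return null;
}

// Extract the MSIE version number, or null if the string is not from IE.
// Opera builds that announce "MSIE" are excluded so that they fall through
// to the token check (the Browser List shows them carrying no U/I token).
function msieVersion(userAgent) {
  if (userAgent.indexOf("Opera") !== -1) return null;
  var m = /MSIE (\d+(?:\.\d+)?)/.exec(userAgent);
  return m ? parseFloat(m[1]) : null;
}

// true when the User Agent indicates 128 bit (or better) encryption.
function supports128BitEncryption(userAgent) {
  var ie = msieVersion(userAgent);
  if (ie !== null) {
    // IE 5.5 and later default to 128 bit (per the memo). IE 5.5 without SP2
    // cannot be told apart from the User Agent string alone; the site's code
    // used navigator.appMinorVersion for that.
    return ie >= 5.5;
  }
  return securityToken(userAgent) === "U";
}

// Sample strings taken from the Browser List in the memo, plus two
// constructed IE strings (the list contains none).
var SAMPLE_AGENTS = {
  "Safari":        "Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/124 (KHTML, like Gecko) Safari/125.1",
  "Firefox":       "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041002 Firefox/0.10.1",
  "Netscape 4.77": "Mozilla/4.77 [en] (Win95; U)",
  "Opera 7.60":    "Mozilla/5.0 (X11; Linux i386; U) Opera 7.60 [en-GB]",
  "iCab":          "Mozilla/4.76 (Macintosh; I; PPC)",
  "Opera 7.11 ME": "Mozilla/4.0 (compatible; MSIE 6.0; Windows ME) Opera 7.11 [en]",
  "Proxomitron":   "Bison/0.02 [fu] (Win67; X; SK)",
  "IDZap":         "Mozilla/3.01Gold (Macintosh; I; 68K)",
  "IE 5.5 (constructed)":  "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)",
  "IE 5.01 (constructed)": "Mozilla/4.0 (compatible; MSIE 5.01; Windows 98)"
};

// Classify every sample; returns { name: { token, supports128 } }.
function classifyAll(agents) {
  var out = {};
  for (var name in agents) {
    if (!Object.prototype.hasOwnProperty.call(agents, name)) continue;
    out[name] = {
      token: securityToken(agents[name]),
      supports128: supports128BitEncryption(agents[name])
    };
  }
  return out;
}

// In a browser the same check is applied to the visitor's own string:
//   var ok = supports128BitEncryption(navigator.userAgent);
var results = classifyAll(SAMPLE_AGENTS);
for (var sampleName in results) {
  console.log(sampleName + ": token=" + results[sampleName].token +
              " supports128=" + results[sampleName].supports128);
}
```

Run with a JavaScript engine such as Node; the output lists each sample with its token and verdict. Note from the sample set that the Opera 7.11 string on Windows ME carries "MSIE 6.0" but no U/I token, so a version-only IE rule would accept it; routing strings containing "Opera" to the token check instead matches the annotation in the Browser List.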
Reference:
- Documentation
JavaScript, from Netscape, standardized by the ECMA Specification
http://www.js-x.com/javascript/core_js15/intro.php
Definitive JavaScript Book
http://www.webreference.com/programming/javascript/definitive/
Apple's Safari
http://www.apple.com/safari/
- Browser List
Camino
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.5b) Gecko/20030917 Camino/0.7+
Chimera
Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.1) Gecko/20021104 Chimera/0.6
DocZilla
DocZilla/1.0 (Windows; U; WinNT4.0; en-US; rv:1.0.0) Gecko/20020804
Epiphany
Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7) Gecko/20040628 Epiphany/1.2.6
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030703 Epiphany/0.8.4
FireFox
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.3) Gecko/20041002 Firefox/0.10.1
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.6) Gecko/20040206 Firefox/0.8
Mozilla/5.0 (X11; U; NetBSD i386; en-GB; rv:1.7) Gecko/20040708 Firefox/0.9.1
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1
Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7) Gecko/20040619 Firefox/0.9
Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.5) Gecko/20031007 Firebird/0.7
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5a) Gecko/20031002 Mozilla Firebird/0.6.1
Mozilla/5.0 (X11; U; SunOS sun4m; en-US; rv:1.4b) Gecko/20030517 Mozilla Firebird/0.6
Galeon
Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.6) Gecko/20040406 Galeon/1.3.15
iCab
Mozilla/4.76 (Macintosh; I; PPC)
K-Meleon
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031016 K-Meleon/0.8.2
Mozilla
Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.2) Gecko/20020924 AOL/7.0
Mozilla/5.0 (Windows; U; Win 9x 4.90) Gecko/20020502 CS 2000 7.0/7.0
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.5b; MultiZilla v1.5.0.2g) Gecko/20030827
Netscape
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.0.1) Gecko/20020921 Netscape/7.0
Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.2) Gecko/20030208 Netscape/7.02
Mozilla/5.0 (X11; U; FreeBSD 5.0 i686)
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.4.1) Gecko/20020314 Netscape6/6.2.2
[Mandrake Linux below]
Mozilla/4.77 [en] (Win95; U)
Omniweb
Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US) AppleWebKit/85 (KHTML, like Gecko) OmniWeb/v558.48
Opera
Mozilla/5.0 (X11; Linux i386; U) Opera 7.60 [en-GB]
Opera/7.60 (Windows NT 5.2; U) [en] (IBM EVV/3.0/EAK01AG9/LE)
Opera/7.50 (X11; Linux i686; U) [en]
[note the lack of indication, no encryption on ME]
Mozilla/4.0 (compatible; MSIE 6.0; Windows ME) Opera 7.11 [en]
Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC) Opera 5.0 [en]
Proxomitron
[X denoting no encryption]
Bison/0.02 [fu] (Win67; X; SK)
Safari
Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/124 (KHTML, like Gecko) Safari/125.1
HP Secure Web Browser
Mozilla/5.0 (X11; U; OpenVMS AlphaServer_ES40; en-US; rv:1.4) Gecko/20030826 SWB/V1.4 (HP)
Sylera
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.5) Gecko/20031007 Sylera/1.2.7
---------------
IDZap - plug-in to defeat browser identification
Mozilla/3.01Gold (Macintosh; I; 68K)
_______________________________________________
Fed-talk mailing list (email@hidden)