April 11, 2014
Changes at Spinitron incompatible with Google Chrome and Internet Explorer on Windows XP SP2
Written by Tom Worster.
The Heartbleed Security Bug
On Monday April 7 2014 the Heartbleed Security Bug was reported. We patched the servers to be sure they were safe from the bug. But, since it is plausible (though unlikely, I think) that someone stole our server SSL key prior to patching, we changed the server keys. This is equivalent to changing your password as a precaution when you think someone might have got hold of it.
Now, when we change keys we have to get the new keys notarized by an authority your browser recognizes. This is a standard process and it uses cryptography. When we got our keys notarized we opted to use a newer, stronger cryptographic algorithm, SHA2, for the notary’s signature. (The old one, SHA1, is being phased out by the computer industry.)
It turns out that Windows XP SP2 (2004) does not have SHA2 while SP3 (2008) does. Firefox has SHA2 built in to the browser but Chrome and IE both rely on Windows to check the notary’s signature. That’s why they can’t connect to Spinitron on XP SP2. And unfortunately neither Chrome nor IE check to see what’s causing the problem and instead assume the notary’s signature is fraudulent or corrupt.
RIP Windows XP
Another big event that hit the computer industry the day after Heartbleed broke:
- “As of April 8, 2014, support and updates for Windows XP are no longer available.”
This is an end of life announcement. XP is dead at the age of 12.
The end of life of XP is a security matter because Microsoft has stopped issuing security updates. This poses an obvious risk for the user but it also creates a public hazard because, among other things, insecure machines risk being recruited into botnets.
What can we do?
To get affected users back into Spinitron there are two basic options:
- Affected users upgrade their systems
- Spinitron downgrades the security of its system
As I understand it, Microsoft is not removing old Windows Updates and SP3 is still available for download. So, in Option 1, affected users can do one of the following to connect to Spinitron:
- Use Firefox
- Update to XP SP3
- Upgrade Windows to a newer version
- Buy a new computer
The first two of these don’t cost any money.
In Option 2, Spinitron and all its users revert to the older, less robust SHA1 algorithm.
At present, we at Spinitron are not disposed towards Option 2. It does not seem like a balanced approach to security. Spinitron logs suggest that the number of members who logged a playlist in March 2014 using XP with SP2 or older is around 2. These users, who presumably stopped using Windows Update 6 or more years ago, have options that ought to be within reach.
Onwards and upwards
We have invested a lot over the years to keep Spinitron’s core features functional all the way back to IE 6 (2001). It’s a struggle but the biggest cost has been the lost opportunity to build on the features of the modern browsers and mobile devices used by the vast majority of Spinitron users. The numbers show that only a very few are holding us back.
It’s time to move on.
We started earlier this year by dropping IE 6 and 7 support on public pages with a new public layout that adapts to smartphones, tablets and big-screen computer browsers.
But we have to plan for IE 8’s demise as well. We expect to see IE 8 decline rapidly, now that XP has been officially put to rest, since there’s no reason to run IE 8 on any newer version of Windows. We’ll firm up and communicate plans on that sunsetting IE 8 in Spinitron later in the year.