Hank Sims / Monday, Feb. 29, 2016 @ 4:56 p.m. / Housekeeping
PROGRAMMING NOTE: Enjoy the Green Lock of Security in Your Lost Coast Outpost URL Bar! Unless You’re on a 15-Year-Old Computer
Last night the Outpost checked a major item off its do-before-you-die bucket list by fully embracing the “HTTPS Everywhere!” philosophy. Anytime you hit the Outpost now, you are forced over to the new, encrypted version of our site, the one that makes it difficult-to-impossible for anyone snooping on your communications to intercept information passed between you and the LoCO.
Logging into DISQUS at a cafe? You may be certain that the creeper at the other table is not sidejacking your credentials, nor sniffing your cookies, nor touching your communications with the Outpost in any way at all. Interested in more detail? See writeups here and here and here, etc., etc.
You should see, on every page you visit on the Outpost, the comforting green lockdown icon in your URL bar. The big boys – Google and Facebook and Twitter and the like – have been forcing all traffic over https:// for a while now, and the Outpost is very pleased to join their ranks. Apart from the added security, this move allows us another mostly invisible upgrade: Now that we’re forcing encryption we can take advantage of the supercharged HTTP/2 protocol, which means that the Outpost continues to get quicker and quicker.
You can call us late to the party on all of this, and that would be partly true. In our defense, though, we are not as late as some. (Cough cough hack gack blargh retch dead. And it’s not just the little guys: Even the New York Times has failed to get on board.)
Now for the downside. So far, two of you have written to us to say something like: OMG your website is trying to hack my computer! My computer won’t let me visit your site anymore because it thinks you’re going to malware me or something! You’re scaring me!
This confused us at first. Every third-party test we’ve run shows that we’re absolutely golden. Here’s our stellar “A” rating from the industry-standard Qualsys SSL Labs test. Here is the wall of green check marks, indicating total compatibility with all major browsers, from the SSL Shopper SSL Checker. Go ahead and test our HTTP/2 chops over at KeyCDN; everyone but hardcore ALPN aficionados are going to like what they find.
Finally, though, we figured out what was wrong. The people who have contacted us with problems are all, so far as we can tell, running Windows XP.
Windows XP was an operating system released by Microsoft in the year 2001. That year – 2001 – is a full 15 years before 2016, which is the year we are in now.
Folks, if we may be blunt, here: The problem is not that our site is dangerous. The problem is that your computer is too old and feebleminded to even get that it is ultrasafe. Your computer is looking at a string of numbers it cannot comprehend and it is throwing up its floppy arms like the “Danger, Will Robinson!” robot, with which it is roughly contemporaneous.
This theory is verified by the people around the awesome Let’s Encrypt project, which the LoCO is using for encryption certificates because it is fast and easy and free. Short story: Any browser you’re using on XP apart from Firefox is going to pull this stunt on you, because every browser except Firefox relies on outmoded Windows encryption libraries to do its heavy lifting.
We took a look back at the last 30 days of Outpost traffic, and discovered a shocking figure. The two people who wrote us are not alone. All told, 0.9 percent of Outpost visitors are still rocking the X to the P. Of those, half are on Firefox. So we’re looking at about 0.45 percent of Outpost visitors who woke, this morning, to a new world – a world in which the Outpost seems to want to kill them.
This hurts us. So we have two alternatives.
The first, best alternative is this: It is time, friends. Your grandkids have been telling you that you need to upgrade for many years now, and you need to take this as a sign from the universe that they have turned out to be correct. There are infinite reasons to upgrade – security not least among them – but more and more websites are going to be moving to Let’s Encrypt, so expect more and more of those uncomprehending red alerts from your browser window as time passes.
Second: Can’t stand to part with your beloved XP? Get Firefox – the browser that can at least ensure that your encrypted communications on the modern web are, in fact, encrypted.
Is anyone not on XP having problems? It seems unlikely, but let us know in the comments.
Everyone else: Welcome to a faster, more secure Lost Coast Outpost!