Browsers and web applications have a very interesting relationship in how they communicate with each other, especially when they communicate securely. A secure conversation starts with a negotiation between the two applications (the browser and the server) about how they're going to talk to each other or, better yet, what language they are going to speak. Once that's decided and both know how the data is going to be protected, the two can begin the conversation. While the conversation is going on, both parties secure the information using the agreed-upon method (this is done with a private and public key).
From my brief explanation, there are a couple of vulnerabilities:
- The initial conversation about how the two applications are going to protect the data could be weak.
- The method of how the data is going to be protected or secured could also be an issue.
Recently, Mozilla Firefox 37 and above have taken steps in the browser to protect users from accessing sites that may have potential weaknesses. So what does this look like to the user?
You may have run across the following message while using the latest Firefox browser:
This is an example of Firefox blocking vulnerability #1. This could happen to you even though you've used the web site a ton of times previously. Or you may have experienced the following error when clicking on "WebStar", accessing your class roster, or trying to add/drop a course:
This is the browser blocking vulnerability #2. Firefox is not happy about how the data is being secured and, as a result, is dropping communication between WebStar and the browser. We (District I.S.) and our vendor are currently working on a solution to resolve this issue. The problem arose when Firefox automatically updated and its new security features were not yet supported by the vendor's software.
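An added illustration, not from the original post or from Mozilla: a simplified Python model of the version negotiation, showing why a site that loaded before the Firefox update can fail afterwards. It assumes the server is version-intolerant, the behaviour that the fallback removal in Bug 1084025 exposes; `Server`, `connect` and the version list are hypothetical names and the sample servers are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class Version(IntEnum):
    TLS1_0 = 1
    TLS1_1 = 2
    TLS1_2 = 3


@dataclass
class Server:
    max_version: Version
    version_tolerant: bool  # False: aborts when offered a version it does not know

    def handshake(self, client_max: Version) -> Optional[Version]:
        """Return the negotiated version, or None if the handshake is aborted."""
        if client_max <= self.max_version:
            return client_max
        # A correct server answers with its own highest version.
        # A version-intolerant one drops the connection instead.
        return self.max_version if self.version_tolerant else None


def connect(server: Server, client_max: Version, client_min: Version,
            allow_fallback: bool) -> Tuple[Optional[Version], int]:
    """Model a browser connecting; returns (negotiated version or None, attempts)."""
    offer, attempts = client_max, 0
    while True:
        attempts += 1
        negotiated = server.handshake(offer)
        if negotiated is not None and negotiated >= client_min:
            return negotiated, attempts
        # Fallback: redo the whole handshake offering one version lower.
        if not allow_fallback or offer <= client_min:
            return None, attempts
        offer = Version(offer - 1)


if __name__ == "__main__":
    # Constructed sample servers, both limited to TLS 1.0.
    for tolerant in (True, False):
        srv = Server(Version.TLS1_0, version_tolerant=tolerant)
        for fallback in (True, False):
            result = connect(srv, Version.TLS1_2, Version.TLS1_0, fallback)
            print(f"tolerant={tolerant} fallback={fallback} -> {result}")
```

In this model the intolerant server only connects when the browser retries with lower versions, so a browser that stops retrying reports an error, while a server that negotiates correctly connects on the first attempt either way.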
Our vendors aren't able to crank out software and documentation and educate their customers as fast as Mozilla or, for Chrome users, Google. Truth be told, browser developers are extremely efficient and agile, making it much easier for them to produce new versions of software rapidly. They move faster than the rest of us. We are dependent upon the configurations and software that we've purchased and implemented from our vendors to provide services. If these products don't support the changes that browsers have implemented, it creates a constant need to play catch-up with browsers. This isn't to say the district isn't working on these issues; we are. We have cases open with our vendors, in addition to testing and trying new implementations for how we deliver services, providing feedback to our vendors, and keeping the district community informed as we are trying to resolve these issues. We hope to have a solution in place shortly.
The changes in the browsers don't only affect MyGateway/WebStar; they affect all web applications. If you happen to run across one of the above messages, the best thing to do is to try another browser until we get these issues resolved with our vendors.
**NOTE:** These issues have been resolved as of 9/9/2015. If you are having a TLS error, please close your browser and retry your request. Thank you!
Fun Reading for the Holidays
For more information on the issue with Mozilla Firefox see Bug 1084025 - Disable insecure TLS version fallback.
For more information on the issue with Google Chrome see Issue 498998: Removing TLS 1.0 version fallback support.
Mozilla Firefox - Phasing Out Certificates with SHA-1 based Signature Algorithms