I have a client who does business with a food supply company with an
extensive web site (gfs.com). Food orders are placed on the vendor website
using Chrome running on Windows Server 2003 via remote desktop session.
My client has been getting warning messages that, since they are running
XP, their access will be cut off soon as Microsoft has dropped support for
XP. I contacted the vendors sales rep and explained that Microsoft is
continuing support for Server 2003 until 2015 and that by that time my
client will have migrated to Server 2008. She was satisfied that this will
be satisfactory.
When the client got yet another warning message and I learned that the
vendor's support people believe that that RDP browser connections will not
be allowed in the future I decided that I had better try to clear things
up. The support people could not tell me what criteria is used to
determine whether or not to accept a connection. They believe their system
relies on their SSL certificate for that purpose. I contacted the
certificate vendor, Network Solutions, to try to determine the criteria
used to determine whether or not to allow connection to a browser.
The time I spent with Network Solutions support resulted in the conclusion
that the SSL certificate only assures a browser based client that the site
is safe for encrypted data transfers. There is no service available to
verify that the browser wishing to connect is running on an approved
operating system.
I am guessing the people I talked to at the food vendor's support
department don't actually write code and are simply misinformed about how
things work.
Any suggestions on how to resolve this?
Thanks in advance,
Joe
--- StripMime Report -- processed MIME parts ---
multipart/alternative
text/plain (text body -- kept)
text/html
---
_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/CABQeDnW5koMGN5kyKEBVyyVOos3YK2Fz8OQ_n5R8zRqR4hBSkw@mail.gmail.com
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
On Wed, Jul 30, 2014 at 9:25 AM, Joe Yoder <joe@wheypower.com> wrote:
> I have a client who does business with a food supply company with an
> extensive web site (gfs.com). Food orders are placed on the vendor website
> using Chrome running on Windows Server 2003 via remote desktop session.
>
> My client has been getting warning messages that, since they are running
> XP, their access will be cut off soon as Microsoft has dropped support for
> XP. I contacted the vendors sales rep and explained that Microsoft is
> continuing support for Server 2003 until 2015 and that by that time my
> client will have migrated to Server 2008. She was satisfied that this will
> be satisfactory.---------------
>
--------------------
You have to ask the question, is the business with this vendor more
valuable that a new server ? Just a guess but did you have a value on
Server operation per year and if you do is that amount that high?
I would skip server 2008 altogether and consider 2012. Sure it is a lot
more secure that what you are running today and it looks a lot different at
times as well.
We just upgraded to 2012 servers both hard iron for data as well as 50 in
virtual virtual. We have all ERP Apache apps running in their own virtual
server, and each app will have a Test as well as a Prod server. All are
in Server 2012.
--
Stephen Russell
Sr. Analyst
Ring Container Technology
Oakland TN
901.246-0159 cell
--- StripMime Report -- processed MIME parts ---
multipart/alternative
text/plain (text body -- kept)
text/html
---
_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/CAJidMYJKV2aG4mvCVYA12q6k1KnOnASU-qAdb4GGpv8AomeQgg@mail.gmail.com
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
I would skip MS full stop.
+1 on Server 2012
Dave
-----Original Message-----
From: ProFox [mailto:profox-bounces@leafe.com] On Behalf Of Stephen Russell
Sent: 30 July 2014 15:39
To: ProFox Email List
Subject: Re: [NF] Clarification on web security
On Wed, Jul 30, 2014 at 9:25 AM, Joe Yoder <joe@wheypower.com> wrote:
> I have a client who does business with a food supply company with an
> extensive web site (gfs.com). Food orders are placed on the vendor
> website using Chrome running on Windows Server 2003 via remote desktop session.
>
> My client has been getting warning messages that, since they are
> running XP, their access will be cut off soon as Microsoft has dropped
> support for XP. I contacted the vendors sales rep and explained that
> Microsoft is continuing support for Server 2003 until 2015 and that by
> that time my client will have migrated to Server 2008. She was
> satisfied that this will be satisfactory.---------------
>
--------------------
You have to ask the question, is the business with this vendor more
valuable that a new server ? Just a guess but did you have a value on
Server operation per year and if you do is that amount that high?
I would skip server 2008 altogether and consider 2012. Sure it is a lot more secure that what you are running today and it looks a lot different at times as well.
We just upgraded to 2012 servers both hard iron for data as well as 50 in virtual virtual. We have all ERP Apache apps running in their own virtual
server, and each app will have a Test as well as a Prod server. All are
in Server 2012.
--
Stephen Russell
Sr. Analyst
Ring Container Technology
Oakland TN
901.246-0159 cell
--- StripMime Report -- processed MIME parts --- multipart/alternative
text/plain (text body -- kept)
text/html
---
[excessive quoting removed by server]
_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/18725B8CD2D5D247873A2BAF401D4AB22A5497CB@EX2010-A-FPL.FPL.LOCAL
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
On Wed, Jul 30, 2014 at 10:25 AM, Joe Yoder <joe@wheypower.com> wrote:
>
> My client has been getting warning messages that, since they are running
> XP, their access will be cut off soon as Microsoft has dropped support for
> XP. I contacted the vendors sales rep and explained that Microsoft is
> continuing support for Server 2003 until 2015 and that by that time my
> client will have migrated to Server 2008. She was satisfied that this will
> be satisfactory.
>
Windows XP is no longer supported NOW:
http://www.microsoft.com/windows/en-us/xp/end-of-xp-support.aspx
Your client needs to update their workstations to a better operating
system. ALL operating systems are better than Windows XP.
Right now, they are in danger of a "Zero Day" attack that can compromise
their Windows XP machines, and once a foothold in their network is
established, potentially contaminate every machine on that network, and
every network that network connects to.
As for SSL, (https in the browser, sometimes a little padlock) all that
does is ensure that an encrypted connection exists between the two
endpoints of the client application (browser) and the destination (web
application). This simply ensures that anyone who can see that network
stream of data ("a man in the middle") cannot read the data. However, if
the browser endpoint is compromised, all the data going over that
connection could be read, monitored, stolen or altered.
Replace your Windows XP workstations with anything: iPads, X-Boxes,
iPhones, Android phones/tablets, Linux machines, even updated Windows
machines -- and the problem gets kicked down the road, until the next round
of updates.
Microsoft Server 2003 is also on its way out and ought to be replaced, too:
http://support.microsoft.com/lifecycle/search/default.aspx?alpha=windows+server+2003&Filter=FilterNO
Why not Server 2012? Then, you're only two years out of date. Or, again,
any other OS: OSX or Linux.
--
Ted Roche
Ted Roche & Associates, LLC
--- StripMime Report -- processed MIME parts ---
multipart/alternative
text/plain (text body -- kept)
text/html
---
_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/CACW6n4vvmyV9UCY2F11hgPNHVvtFvhqrYyfRD4KdG3ZGiEpqmQ@mail.gmail.com
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
>Your client needs to update their workstations to a better operating
>system. ALL operating systems are better than Windows XP.
>
>Right now, they are in danger of a "Zero Day" attack that can compromise
>their Windows XP machines, and once a foothold in their network is
>established, potentially contaminate every machine on that network, and
>every network that network connects to.
With all due respect, FUD.
This claim has been made for over a year. Something like 30% of OSes were
still XP a year or so ago, and supposedly the day after MS stopped
"support" the world was going to come to an end with a massive zero-day
attack. So far, no fire to go with all the smoke.
There was one issue discovered with *IE* on Windows XP, not the OS itself,
and MS issued a patch even though XP is no longer "supported". If that
happens again, I bet they do it again.
Again, the older your OS is, the less likely it is an actual target for
real, not theoretical, malware that is actually in circulation today.
>As for SSL, (https in the browser, sometimes a little padlock) all that
>does is ensure that an encrypted connection exists between the two
>endpoints of the client application (browser) and the destination (web
>application). This simply ensures that anyone who can see that network
>stream of data ("a man in the middle") cannot read the data. However, if
>the browser endpoint is compromised, all the data going over that
>connection could be read, monitored, stolen or altered.
SSL certificates are a form of blackmail. You pay in order to get somebody
to issue an opinion that your encryption is good. That does not mean your
encryption is not good if you don't pay to get the certificate.
Ken Dibble
www.stic-cil.org
_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/5.2.1.1.1.20140730113504.01efbb30@POP-Server.stny.rr.com
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
On Wed, Jul 30, 2014 at 11:40 AM, Ken Dibble <krdibble@stny.rr.com> wrote:
>
> Again, the older your OS is, the less likely it is an actual target for
> real, not theoretical, malware that is actually in circulation today.
And, with all due respect in return, we continue to disagree on this point.
WinXP is a marvelous target for bad guys. Little old ladies (and guys,
until recently, my dad among them), have Windows XP machines hooked up to
the internet, often poorly, often out-of-date with updates, hanging off
half-decent internet connections cable and DSL, running 24 hours a day.
These are _perfect_ machines to harvest and take over in
command-and-control botnets to churn out spam and participate in DDOS
attacks. These happen, every day , and botnets of millions of compromised
machines (feel free to search the web for this info yourself) are running
everyday.
And offices are filled with clueless clerks who love to play games or visit
sketch sites on their breaks and lots of small- and medium-sized businesses
host botnets, too.
While the bad guys have control of your machine, it's pretty trivial to
pick off your credit card info, tax return and compromising selfies, too.
This is happening today, every day. Even if you refuse to believe it.
> SSL certificates are a form of blackmail. You pay in order to get somebody
> to issue an opinion that your encryption is good. That does not mean your
> encryption is not good if you don't pay to get the certificate.
>
You can always self-sign certificates, and establish your own web of trust.
We do for many of our applications.
--
Ted Roche
Ted Roche & Associates, LLC
--- StripMime Report -- processed MIME parts ---
multipart/alternative
text/plain (text body -- kept)
text/html
---
_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/CACW6n4uzOTAHDoCYZN9YAkCn8jogQHVriNfqipnJ5h0XGNmKUw@mail.gmail.com
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
>This is happening today, every day. Even if you refuse to believe it.
All of which is equally applicable to every other Windows OS, and is a
greater threat because there are more of them in use today, in toto, than
there are of XP. People don't patch Vista or Win 7 or Win 8 either. They
don't patch IE on those OSes, and idiots keep writing new web-based
software that won't work on more secure browsers. They don't keep their
anti-malware software up to date on those new OSes either. Nothing has
magically changed about this going from Win XP to a newer OS.
MS OS security is not "improving" as a whole; they just continue to fix
what they can identify as broken as a result of demo or real attacks. Every
day somebody figures out a new way to attack a new OS, and then that has to
be fixed. The newer the OS, the more people are trying to attack it.
Relatively fewer people are figuring out new attacks for old OSes. How many
people do you think are working on new ways to attack Windows 2000 today?
How many people will be working on new ways to attack Windows XP in 2
years, as compared to today?
Anything can be hacked; any security can be broken (just ask the NSA);
nothing is safe. That is true today, and it will be true five, ten, and
twenty years from now, for Windows and any other OS. The fact that some OS
designs are harder to crack than others is irrelevant. If the motivation to
crack it is high enough, it will be cracked. There is no magic design "fix"
that entirely removes the danger. It can't be done.
Today the bad guys aren't script kiddies goofing around to impress their
friends. They are organized criminals, rogue governments, and terrorist
organizations. They are principally looking to steal money, and
secondarily, to develop options to damage or destroy critical IT
infrastructure. Malware development costs them money, and they play the
percentages. If a "hack" doesn't offer those opportunities in a big way,
they don't spend time on it.
Older OSes are safer from current malware development than newer OSes,
because the motivation to break newer OSes is much greater, because it is
more remunerative in those two ways, than the motivation to attack older
OSes. This isn't rocket science; it's common sense.
And the extent to which people do not keep their OS, browser, and
anti-malware software up to date does not vary between OSes. So this source
of problems is constant; it is not greater for XP than for 8.1. And there
is more Vista, 7, and 8.1 combined running today than XP. Again, common sense.
Last time we had this discussion, I cited overwhelming evidence from the
web that Android phones are the biggest target for current malware. I don't
remember what the percentage was then, but as of January of this year, it
was 99%:
http://www.v3.co.uk/v3-uk/news/2323418/android-and-java-top-security-targets-for-malware-and-hacks
Java applications are also strong targets according to this article, but
that's not OS-dependent.
Ken Dibble
www.stic-cil.org
_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/5.2.1.1.1.20140730120127.01f06498@POP-Server.stny.rr.com
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
I should have been more specific about my question. I am not challenging
the assumption that one needs to eliminate XP. My client is a small
non-profit who relies on donated machines when they are available. The
plan at this point is to use Terminal Services Sessions with Wyse thin
clients and do all processing on the server. This allows me to maintain
one OS and permits swapping Wyse terminals between users at will. The
point at which this scheme breaks down is when a vendor insists that they
will only accept connections from a browser runnng on Windows 7 or Windows
8. It is my impression that Windows 7 is a subset of Server 2008 and
Windows 8 is a subset of Server 2012. I suspect that web programmers need
to keep this in mind when they write code to accept or reject a connection
based on browser and OS combination.
What I set out to do was find who or what controls what browser and
operating system configurations are accepted for connection by the GFS.com
site. The GFS technical people seem to have an inflated understanding of
the role of the SSL certificate. Ultimately I need to help them correct
that understanding. I suspect that inspection of their site code by
someone who knows web programming would reveal what their criteria is. I
have done very little with web programming. Can someone point me to a good
starting point for this issue?
Thanks,
Joe
On Wed, Jul 30, 2014 at 12:23 PM, Ken Dibble <krdibble@stny.rr.com> wrote:
>
> This is happening today, every day. Even if you refuse to believe it.
>>
>
> All of which is equally applicable to every other Windows OS, and is a
> greater threat because there are more of them in use today, in toto, than
> there are of XP. People don't patch Vista or Win 7 or Win 8 either. They
> don't patch IE on those OSes, and idiots keep writing new web-based
> software that won't work on more secure browsers. They don't keep their
> anti-malware software up to date on those new OSes either. Nothing has
> magically changed about this going from Win XP to a newer OS.
>
> MS OS security is not "improving" as a whole; they just continue to fix
> what they can identify as broken as a result of demo or real attacks. Every
> day somebody figures out a new way to attack a new OS, and then that has to
> be fixed. The newer the OS, the more people are trying to attack it.
> Relatively fewer people are figuring out new attacks for old OSes. How many
> people do you think are working on new ways to attack Windows 2000 today?
> How many people will be working on new ways to attack Windows XP in 2
> years, as compared to today?
>
> Anything can be hacked; any security can be broken (just ask the NSA);
> nothing is safe. That is true today, and it will be true five, ten, and
> twenty years from now, for Windows and any other OS. The fact that some OS
> designs are harder to crack than others is irrelevant. If the motivation to
> crack it is high enough, it will be cracked. There is no magic design "fix"
> that entirely removes the danger. It can't be done.
>
> Today the bad guys aren't script kiddies goofing around to impress their
> friends. They are organized criminals, rogue governments, and terrorist
> organizations. They are principally looking to steal money, and
> secondarily, to develop options to damage or destroy critical IT
> infrastructure. Malware development costs them money, and they play the
> percentages. If a "hack" doesn't offer those opportunities in a big way,
> they don't spend time on it.
>
> Older OSes are safer from current malware development than newer OSes,
> because the motivation to break newer OSes is much greater, because it is
> more remunerative in those two ways, than the motivation to attack older
> OSes. This isn't rocket science; it's common sense.
>
> And the extent to which people do not keep their OS, browser, and
> anti-malware software up to date does not vary between OSes. So this source
> of problems is constant; it is not greater for XP than for 8.1. And there
> is more Vista, 7, and 8.1 combined running today than XP. Again, common
> sense.
>
> Last time we had this discussion, I cited overwhelming evidence from the
> web that Android phones are the biggest target for current malware. I don't
> remember what the percentage was then, but as of January of this year, it
> was 99%:
>
> http://www.v3.co.uk/v3-uk/news/2323418/android-and-java-
> top-security-targets-for-malware-and-hacks
>
> Java applications are also strong targets according to this article, but
> that's not OS-dependent.
>
>
> Ken Dibble
> www.stic-cil.org
>
[excessive quoting removed by server]
_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/CABQeDnWnh7c6Ty6wpBJ0Uz3vKveE7RuWXfTe-zjKzR=kaqmJGA@mail.gmail.com
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.
Well, Joe, that's a totally different question.
The way a web application determines information about which browser is
making a request is querying something called the "user agent." The user
agent setting for a browser can easily be changed using a plugin. A quick
web search should get you up-to-date info on this.
Good luck!
On Wed, Jul 30, 2014 at 2:59 PM, Joe Yoder <joe@wheypower.com> wrote:
> have done very little with web programming. Can someone point me to a good
> starting point for this issue?
>
>
--
Ted Roche
Ted Roche & Associates, LLC
--- StripMime Report -- processed MIME parts ---
multipart/alternative
text/plain (text body -- kept)
text/html
---
_______________________________________________
Post Messages to: ProFox@leafe.com
Subscription Maintenance: http://mail.leafe.com/mailman/listinfo/profox
OT-free version of this list: http://mail.leafe.com/mailman/listinfo/profoxtech
Searchable Archive: http://leafe.com/archives/search/profox
This message: http://leafe.com/archives/byMID/profox/CACW6n4si3YWiPYn4f5dPO-dZGN9EYWHWPuZzcpkkydhDdnEouQ@mail.gmail.com
** All postings, unless explicitly stated otherwise, are the opinions of the author, and do not constitute legal or medical advice. This statement is added to the messages for those lawyers who are too stupid to see the obvious.