
USPS.com Website Browser Changes Coming 4/30/18

Ran into this today while checking some tracking at USPS.com

 

For most of you it will be a non-issue, but I'm going to have some big troubles I think. In their blind quest for "Internets Security" they are no longer going to support "outdated" browsers.

 

This isn't about security for the website infrastructure - it's about security on the client side and transport, and it should be my choice to take my chances, but they had to go whole nanny-state.

 

Windows XP users can't use any of the Firefox, Chrome, or IE versions, and neither of the listed Safari versions run on Windows at all. Opera browser isn't even an option on the list. Probable that Opera Mini on my Windows 10 phone won't work, and unknown if Edge on the phone will.

 

From what I see there the rest of you are going to be forced to use latest and greatest versions.

 

It looks like they might be going to a TLS 1.2 minimum protocol based on the browsers listed, but many older versions of those browsers also support 1.2 (but maybe not all the cipher suites), so we shall see how limited it is in a few weeks.

 

Also remains to be seen what "some features" means. It would be absolute idiocy to bar all least common denominator browsers from checking tracking numbers, looking up simple info, getting a rate quote, or downloading notice123.pdf and other USPS documents, but makes a bit more sense to apply more stringent security when using a credit card to purchase stamps or shipping labels (but should once again be my choice - it's my credit card that might get compromised by pretty much nation state level hackers sniffing and brute force decrypting my SSL traffic).

 

 

[Image: USPS April 2018 browser requirements]

 

https://www.usps.com/browser-check/

 

Message 1 of 53


@berserkerplanet wrote:

Interesting about your spoofing, and will be interesting to see if SM works May first masquerading as FF. I may have to play with it a bit more and see if the site buys FF52 spoofed as Safari, Edge, and IE.

As I recall, the only reason I did it was because Yahoo messed up their email.  I might be interested in seeing how USPS works with unspoofed SM, but I'm afraid it will mess other stuff up.  And I'm not sure I remember how to unspoof.  I'll wait until doomsday to try anything more though.

 

 


Forget keeping up with the Joneses. Be the Finklegrubers!
OK kids, time to get the Dodge loaded up again. I hear 'Poppy's By the Tree' calling. This trip might be a long one too.
Message 31 of 53

Yeah, in spite of what I said about spoofing not working as much as it used to, I do have a bunch in place, and yahoo is one of them.

I use 2 addons in Firefox. One is the original User Agent Switcher that hangs out on the toolbar and changes the user-agent for all sites in the browser (I think it effectively just substitutes values into the general.useragent.override internal setting). Mostly use it for experimenting. The other one is UAControl that hangs out in the status bar area and allows setting up "per site" spoofed user-agents. Very handy. Set them and forget. All other sites observe any UAControl override, or if none, whatever the default global user-agent is or what is temporarily overridden by User Agent Switcher. (I had to tweak the max versions in the install.rdf files in the addon xpi's to get them installed in FF31.)

Without addons, I think to unspoof you have to delete the value from the general.useragent.override setting. Which is why User Agent Switchers is so nice - you set them up once and just choose with 2 mouse clicks.
Message 32 of 53

Update 4/30/18

 

USPS did the deed, and it was as I suspected in one of my speculations.

 

The "test" they presented (the page from the link in the red alert bar) was an amateur and broken POC that I could have coded (not a web programmer).

 

From my testing, it appears that they upgraded all USPS.com website connections to require a minimum TLS1.1. My limited testing shows that TLS 1.1 is the minimum to visit the USPS.com home page and most other "root" usps.com pages (informed delivery, some help, intercepts, mail holds, etc), but a TLS1.2 minimum capable browser is required to actually do anything that requires visiting most of the USPS subdomains like tools.usps.com, postcalc.usps.com, pe.usps.com etc (tracking, info, finding a location, labels, obtaining documents, etc).

 

All that was logged in or not, so the change wasn't tied to financial or credentials issues (from my limited testing so far)

 

TLS1.2 minimum capability isn't a deal breaker (just an annoyance for me as my daily driver Firefox 3.6.24  can no longer connect to USPS.com at all).

 

It turns out that on my Windows 10 phone both Opera Mini and Edge (the older version that's the last supported on the Win10 version on my phone) work fine with USPS.com in spite of failing their broken browser check test.

 

Firefox 25 and above support TLS 1.2 (released Oct 2013) so not a huge deal for most as I indicated. Check here (the big colored chart in the middle) to determine if your browser does TLS 1.2:

https://en.wikipedia.org/wiki/Transport_Layer_Security 

 

And again, their browser test sucks - it indicates pretty much nothing but the latest two versions of most browsers will be acceptable (and reality shows that is not the case). The UA spoofing that chrysylys and I played with previously to fool the test won't fix the actual issue - a spoofed UA can't fix not being able to negotiate a proper TLS protocol handshake.

 

 

TLDNR:

The USPS change starting today 4/30/18 appears to have been to require a TLS 1.1 min capable browser to visit the USPS.com homepage and perform some very basic functions, and a TLS 1.2 minimum browser to actually do most anything at USPS.com (tracking, labels, documents...).

 

Message 33 of 53

If you are using an old firefox version, would it accept the "User-Agent Switcher" add on?

https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher-revived/

 

https://mybrowseraddon.com/useragent-switcher.html#faq

 

If so, it will enable you to "switch" to the USPS compatible IE and Edge as well as other operating systems on pc and mobile.

 

Message 34 of 53

I've been using the original User Agent Switcher since its beginnings - indispensable tool (post 32).

As I mentioned in latest post 33, User-agent spoofing fools the stupid, simplistic, fail of a browser test (for TLS 1.1 min capable browsers), but can't do anything to give a browser without TLS 1.1 and/or TLS 1.2 and the correct ciphers built in the capability to negotiate a secure session when connecting to the remote server.

The actual session negotiation doesn't care about browser version - only browser TLS capability - so fooling the browser test now is pointless.

Play with setting a newer Firefox about:config setting security.tls.version.max to 1 (TLS1.0) and then 2 (TLS1.1) and visit usps.com and tools.usps.com. TLS1.1 works with latter but not the former.

Message 35 of 53

Last sentence in above should read: "TLS1.1 works with the former but not the latter"

ie: TLS1.1 only works for usps root domain, and a couple of subdomains, but TLS1.2 is required for tool.usps.com and most anything else useful.
Message 36 of 53
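
The point made in messages 33 through 36, shown as an added example that is not part of any post in this thread: a server enforces its minimum TLS version on the versions offered in the ClientHello, which arrives before any HTTP header such as User-Agent exists. The function names and the ClientHello bytes are constructed for illustration; the minimums passed in mirror the TLS 1.1 and TLS 1.2 floors the posts report.

```python
import struct

# Wire codes for the protocol versions discussed in the thread.
TLS1_0, TLS1_1, TLS1_2 = 0x0301, 0x0302, 0x0303
SUPPORTED_VERSIONS = 0x002B  # extension that newer clients use to list versions


def build_client_hello(legacy_version, versions=()):
    """Constructed sample input: a minimal ClientHello record."""
    ext = b""
    if versions:
        data = struct.pack("!%dH" % len(versions), *versions)
        ext = struct.pack("!HHB", SUPPORTED_VERSIONS, len(data) + 1, len(data)) + data
    hello = struct.pack("!H", legacy_version) + bytes(32)  # version + random
    hello += b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"   # session id, 1 suite, null compression
    hello += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16" + struct.pack("!HH", TLS1_0, len(handshake)) + handshake


def max_offered_version(record):
    """Return the highest protocol version offered in a ClientHello record."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    pos = 9                                              # record + handshake headers
    best = struct.unpack_from("!H", record, pos)[0]      # legacy client_version
    pos += 2 + 32                                        # version + random
    pos += 1 + record[pos]                               # session id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]  # cipher suites
    pos += 1 + record[pos]                               # compression methods
    if pos + 2 > len(record):
        return best                                      # no extensions at all
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        if ext_type == SUPPORTED_VERSIONS:
            n = record[pos + 4] // 2                     # list length in bytes / 2
            listed = struct.unpack_from("!%dH" % n, record, pos + 5)
            # Ignore GREASE placeholders; real versions start with 0x03.
            best = max((v for v in listed if v >> 8 == 3), default=best)
        pos += 4 + ext_len
    return best


def server_accepts(record, minimum_version):
    # The decision uses only handshake bytes; the HTTP User-Agent header is
    # sent later, inside the encrypted session, so it cannot influence this.
    return max_offered_version(record) >= minimum_version
```

A TLS 1.0-only hello is rejected by both floors, a TLS 1.1 hello passes the 1.1 floor but not the 1.2 floor, and nothing in the input corresponds to a browser name or version string.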



From what I see there the rest of you are going to be forced to use latest and greatest versions.

 

Most of us already are. And most of the people who aren't will have no problem upgrading. 

 

It should be my choice to take my chances

 

I would agree with that, but only when you are talking about tech-savvy users who understand the risks. But I am guessing the number of tech-savvy people with noncompliant browsers who need access to the USPS site is minuscule.

 

 

Message 37 of 53


@luckythewinner wrote: 

It should be my choice to take my chances

 

I would agree with that, but only when you are talking about tech-savvy users who understand the risks. But I am guessing the number of tech-savvy people with noncompliant browsers who need access to the USPS site is minuscule.


Well, there's me... :) I'm wondering if anyone has seen anything different on the usps.com site since that May 1 deadline...?

 

I have this old XP box in the home office for exclusively eBay work, mainly shipping, using Chrome v49.0.2623.112 m, which Google informs me will no longer be updated due to the XP OS, but things seem to be chugging along as usual. I can track any packages I want to look up (either inbound or outbound, as I have a MyUSPS account, or whatever they're calling it these days), and I logged into my secure usps.com account just now (as if I was ordering shipping supplies, etc.), the login went through, the page greeted me by name, and so on. So far, things seem to be unchanged. (I haven't actually tried to buy anything, such as non-PM shipping supplies, or a Click'n'Ship label, so maybe I'll hit the wall at that point, but I've a Windoze10 laptop in reserve in case of difficulty.)

 

I know it won't last forever, but I'm glad that I didn't need to go replacing equipment right away.

Message 38 of 53

You saw no changes because it turns out that USPS browser test (the only source of info at time of my OP) was (and still is) totally crying wolf and failing all XP browsers.

It turns out that USPS just abandoned TLS1.0 connectivity totally, requiring TLS1.1 for the base domain (and a couple of subdomains), and TLS1.2 for tools.usps.com and most other subdomains we find useful.

Authenticated sessions don't seem to be a factor from my limited testing (testing which domains for 1.1 vs 1.2 is a bit of a pain that I'm not going to waste any more time on since no one really cares). Only Firefox 20* versions had TLS 1.1 alone (newer versions were 1.2), I don't/won't run Chrome, and don't care about IE.
Message 39 of 53

I haven't changed my XP/Firefox 52 setup because of the poor choices & privacy issues in the newer Windows operating systems.   I could have lived with version 8.1, but it was scheduled to a 4 year 3 month shelf life,  a premature victim of planned obsolescence.

 

Since other businesses I trade with are not blocking these older systems, I tend to think that the move at USPS was influenced by interests other than mere IT security.  I'll be exploring the many other postage vendors;    goodbye Click n Ship!

 

I'll be using Fedex more; I've kept an account with them for 15 years, and have had excellent service.

I usually purchase directly from them instead of through eBay.  I hope to see eBay doing a better job of coordinating services with them:  I see that this has not gone very well to date.

Message 40 of 53

...and in a new bit of irony this morning, my 3-year-old Internet/TV/landline gateway box died this morning and knocked everything offline. Just got back from buying postage at the P.O. and pecking in the tracking number by hand on this smartphone. Meanwhile the XP box humming away in the corner just sits and smirks at me... :(

Message 41 of 53

►goodbye Click n Ship!

You shouldn't have any problems using anything at USPS.com with FF52. (you must not have read this whole thread)

The USPS browser test will fail FF52, but it works fine with the changes to the website. FF52 supports up to TLS1.3 (sort of) which is above and beyond the new requirements at USPS.com

The TLDNR here is that USPS threw up that banner with that browser test that failed everything I have that I could throw at it, with no other information anywhere about what the changes were going to be, and then made changes to the website that were nowhere near as dire as the test indicated (essentially, the USPS browser test screams total doom big time and is a smoking pile of lies).
Message 42 of 53

Hardware failures suck. 12 year old Linksys WRT54GL router running HyperWRT Thibor firmware smoked here a couple of weeks ago.

I fortunately had a Linksys WRT160N already set up and flashed with DDWRT firmware (from an aborted setup for my cousin) sitting around (that I had pulled out a couple days before to offload on eBay 🙂).

Wanted to use the 160N because it interfaces to WallWatcher router firewall monitor software, but had another 3 or 4 routers in the box 'o goodies that could have been used in a pinch (and a box of routers and access points from a buddy waiting to be eBayed). It's good to have hardware laying around.

Trying to decide whether to pay a minor premium for another WRT54GL - 802.11G is good enough for me, that router is solid, flashable with Hyperwrt, DDWRT, and other firmware, and interfaces perfectly to WallWatcher, but they are getting rarer and prices are higher than for the newer 802.11N 160N model. And maybe something even newer might be in order (WallWatcher is no longer supported, but I still want to use it, so my choices of compatible hardware might be limited). Lots of waffling and shopping, but need to grab a backup before I forget about it.....

Those XP boxes are smug #&$&^%^$.
Message 43 of 53


@berserkerplanet wrote:
Hardware failures suck. 12 year old Linksys WRT54GL router running HyperWRT Thibor firmware smoked here a couple of weeks ago.

I know, and so you'll get a giggle out of what the problem actually turned out to be.

 

The dying component was a big Arris gateway box that sits in my office and feeds the rest of the house with everything: TV, Internet (both wireless and ethernet), landline phone, the works. The ethernet goes to an 8-port switch; the TV service includes a little Wireless Access Point transmitter. All three components sit on the same shelf in a little festive sea of blinking lights.

 

So this morning we awoke to no service, and the Arris box refused to reboot, or do anything else. My first suspicion was the stupid cheap power supply they ship with these things, and sure enough, it was rated for 12 Volts but was actually putting out a wavering 5-6, and was warm to the touch as well.

 

I thought I'd swap in a different, tested-good power supply of the same rating to see if that would get things going again, and the 12-volt, 1.0-amp supply on the 8-port switch was a match. The Arris was now at least trying to reboot, but would fail and fall back every few minutes. Still, I knew I was getting somewhere.

 

So then I thought I'd try the power supply off the WAP transmitter. Hmmm... why does such a chintzy little transmitter need such a huge power supply? It's rated for 3.0 amps... and it's got an Arris label on it...? Ah...

 

Yes, the power supplies got mixed up during installation three years ago. All this time, a little 1.0-amp wall wart had been managing to drive the whole network, basically, and the 3.0-amp supply intended for the gateway had been loafing along doing next to nothing on the WAP transmitter.

 

I plugged the gateway into its correct 3.0-amp power supply this time, and it fired right up. After cooling down a bit, the little supply that was intended for the WAP transmitter got plugged in to that box, and that is acting better again as well. We're all good now.

 

It's funny how an installation screw-up three years ago (at least I think I didn't have to pay for it) took this long to surface, but fortunately I didn't have to spend money on today's crisis, or even call their Tech Support. Life goes on... :)

Message 44 of 53

Amazing that that incorrect power supply (1A) was able to supply double? triple rated current for that long without melting or letting all the magic smoke out, and that it still works with the WAP xmitter after dropping to 5v output.

At least you don't have to replace the pricey gateway. grin

I keep a big box of wall warts around - old orphaned ones, hand me downs, pick them up at Goodwill for a buck a piece if I come across a 12V, 14V, 18V high output one, as backups for just this sort of occurrence and for testing. Was the first thing I tried when the Linksys failed.
Message 45 of 53