04-13-2018 09:08 PM
Ran into this today while checking some tracking at USPS.com
For most of you it will be a non-issue, but I'm going to have some big troubles I think. In their blind quest for "Internets Security" they are no longer going to support "outdated" browsers.
This isn't about security for the website infrastructure - it's about security on the client side and transport, and it should be my choice to take my chances, but they had to go whole nanny-state.
Windows XP users can't use any of the Firefox, Chrome, or IE versions, and neither of the listed Safari versions run on Windows at all. Opera browser isn't even an option on the list. Probable that Opera Mini on my Windows 10 phone won't work, and unknown if Edge on the phone will.
From what I see there the rest of you are going to be forced to use latest and greatest versions.
It looks like they might be going to a TLS 1.2 minimum protocol based on the browsers listed, but many older versions of those browsers also support 1.2 (but maybe not all the cipher suites), so we shall see how limited it is in a few weeks.
Also remains to be seen what "some features" means. It would be absolute idiocy to bar all least common denominator browsers from checking tracking numbers, looking up simple info, getting a rate quote, or downloading notice123.pdf and other USPS documents, but makes a bit more sense to apply more stringent security when using a credit card to purchase stamps or shipping labels (but should once again be my choice - it's my credit card that might get compromised by pretty much nation state level hackers sniffing and brute force decrypting my SSL traffic).
https://www.usps.com/browser-check/
04-14-2018 08:46 AM - edited 04-14-2018 08:46 AM
Sorry about that, I didn't realize you had copied & pasted.
My OS is Windows 10 Home (Version 1709 OS Build 16299.371).
I tried the USPS test on 4 different browsers: Google Chrome (Version 65.0.3325.181 (Official Build) (64-bit)), Mozilla Firefox Quantum (59.0.2 (64-bit)), and Internet Explorer 11 (Version 11.371.16299.0) all check out OK.
It does not appear to work on Microsoft Edge (41.16299.371.0). When I click your link or the Read More link on the USPS site, I just keep being sent to the “Make sure your current browser is up to date to continue accessing USPS.com.” page.
@berserkerplanet wrote: I pasted that link in below the image to provide people a way to visit the page - it isn't a part of the screenshot.
(guess I need to start putting borders around my posted images again to prevent these types of confusions)
There is nothing below what shows on the screen shot but a half dozen lines of footnote text - disclaimers about trademarks, USPS isn't the browser maker, etc, and the standard USPS page footer. No buttons, nothing. In all 6 browsers I tried.
Since you passed - what browser and OS?
04-14-2018 08:57 AM
You can upgrade to Windows 7; my current Pentium 4 at 3 GHz CPU handles the OS and the new browsers.
04-14-2018 10:53 AM - edited 04-14-2018 10:54 AM
►The link is the "read more" at the end of the red banner.
Yep. That's how I navigated from USPS home page with red alert banner and arrived at the "fail" page shown in the OP image (for every browser I tried on XP and on my Windows 10 phone (including Edge on the phone)).
That seems to be one of the major points I'm trying to make here that everyone seems to be missing. It may not be just me and my dinosaur XP. My less than 2 year old Windows 10 (forced Microsoft Win 10 updates) phone failed too.
04-14-2018 11:00 AM
►presume the read more will give more info if the browser doesn't work, but can't test because it does.
Yes, it will be the same page, but the div element you see with "Good News" will be hidden if it gives the browser a thumbs down, and the doom and gloom div element in my OP shows instead.
Once again, yes Win XP is old, but IT WORKS EVERYWHERE ELSE ON THE INTERNETS! USPS came out of the blue with this thing (with no warning that I can find other than the 2 weeks left before doomsday).
04-14-2018 11:02 AM
►Netscape hasn't died. It was rechristened Mozilla Suite and then SeaMonkey.
So does your Seamonkey pass or fail the test?
04-14-2018 11:16 AM
►that the only inaccessible features will be for secure transactions
That's what I'm speculating too, but there is ZERO information on this anywhere I can find. No discussion. No notices, nothing.
►If they want to block XP boxen from doing secure transactions, fine
Why does every other website on the internet, including Bank of America, not care then? What does USPS think they are doing? A public service (of sorts) severely restricting lowest-common-denominator access when banks don't see fit to do so. And without warning. I don't get it.
And as I tried to convey, this isn't just about Windows XP. It may be about any browser on any OS that isn't newer than about a year old. My HP Touchpad is definitely out, and Android Tablet with Gingerbread probably so (just tossing out there as an example of old hardware). My less than 2 year old Windows 10 phone is dead for this purpose and there is no fix for that.
This just doesn't feel right between the apparent lack of notification about the change (this is the type of thing that should have had a year of warning for enterprise), the lack of any chatter about it, and the draconian nature of the browser requirements compared to any other website I'm aware of (including banks).
04-14-2018 11:20 AM
►I clicked and thank goodness mine is up to date. I have WIN 10..
Good you passed. What browser? Edge I presume?
(and I dislike Win 10 and Microsoft's OS as a service/forced updates/"We will tell you what you want" attitude intensely, and will never use it even if it means going to Linux and living in a figurative internet cave 🙂)
04-14-2018 11:24 AM
►My OS is Windows 10 Home (Version 1709 OS Build 16299.371).
Yeah, looks like anyone on Win 10 is safe, just maybe not all browser choices.
►I tried the USPS test on 4 different browsers
The Chrome, Firefox, and IE results align with the USPS info in the OP.
The Edge failure is concerning. Edge on my phone failed. And notice how the USPS info has no mention of WHAT Edge version(s) are ok?
04-14-2018 11:48 AM
►You can upgrade to windows 7
If I was going to upgrade, Win 7 would be the only choice (Hated 8, will not use 10 ever, and maybe not even 7 since it's reported that Microsoft retroactively applied telemetry "phoning-home" to Win 7 systems through Windows update - just not to the degree of Win 10)
But I am not upgrading as there is far too much legacy and customized stuff on this machine to wipe it out with a fresh start, and other than this there are only a couple of ignorable issues using XP (gaming/DirectX and video codec type issues that require newer OS's). The machine and OS work fine and do what I need them to (except for this glaring exception)
This machine is running some stuff from the 80's and is Win XP overlaid on top of Win 2000 with 20 years of registry tweaks, hacked executables, etc. It would take me 5 years to get it beaten into shape if I had to start over.
2.8 GHz Quadcore CPU can probably handle it fine (but there's the Spectre/Meltdown CPU issues to consider - those major vulnerabilities are not going to get microcode updates for this 10 year old CPU or anything much older than 7-8? years for that matter).
https://newsroom.intel.com/wp-content/uploads/sites/11/2018/04/microcode-update-guidance.pdf
04-14-2018 12:41 PM
Try spoofing the useragent and see what you get.
general.useragent.override; Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:59.0) Gecko/20100101 Firefox/59.0
04-14-2018 03:26 PM
►Try spoofing the useragent and see what you get
Good catch. Never occurred to me to try that - assumed they would perform at least some in-depth SSL and Cipher Suite sniffing, not just a user-agent check, and UA spoofing has stopped working much the last few years (websites doing JavaScript based browser capability and UA sniffing instead)
Passed in Firefox 31 spoofed as FF59
Failed in Firefox 3.6.24 spoofed as FF59
Failed in Firefox 2.0.20 spoofed as FF59
I now suspect they are checking user agent, but also maybe TLS capabilities (that part makes sense because this whole exercise would be about using browsers with TLS 1.1 min or TLS 1.2 min)
Firefox 31 does TLS up to 1.2. Firefox 3.6.24 and 2.0.20 only do TLS 1.0 which is consistent with my results.
Not sure what it means though. Won't know if spoofing works until after 4/30 because unknown whether they are targeting a shift to TLS 1.1 (as Lithium and many other sites have done in the last 6 months) or going whole hog and jumping to TLS 1.2 (which would be bold)
The reason that's potentially a problem is that although the spoofed browser passed this simple test based on user-agent and TLS capability level, that doesn't mean that it will be able to provide the correct ciphers in TLS negotiations when push comes to shove in May. I don't think that is going to be the case, but so far I'm not impressed by their code fu, and have no idea what they are planning. The fact that lesser version browsers pass with spoofed user-agents tells me they are sloppy.
If all this meant that they are making a simple shift from allowing TLS 1.0 fallback (really old browsers like FF2 and 3 and IEs less than 11 etc), to not allowing it and requiring a minimum TLS 1.1 capable SSL browser, they sure screwed it up by listing only latest TLS 1.2 (and in some cases TLS 1.3) capable browsers, instead of just saying that FF30 (first FF that did TLS 1.2) etc.
Actually, I have one more card to play. FF 22-29 were first to do 1.1 but not 1.2, and I have a couple of them installed. If they fail, then that's an indicator that USPS is aiming for TLS1.2 minimum.....
Firefox 25 PASSED when spoofed as FF59, and it is a TLS1.1 only browser.
So it looks like they are making a reasonable shift to TLS 1.1 minimum required, but totally screwed it up, setting the test up to reject anything but the newest couple of each brand of browser by user-agent, listing only the newest couple as acceptable, and shutting out dozens and dozens of other potentially usable TLS 1.1 capable browsers (FF23-27 if turned on, FF28-57, Chrome 22-62, Chrome 64, IE 7-10 if TLS is turned on, and possibly others)*
*Depending on how they configure things, some of the above candidates could be off the table because they might not have (all) the ciphers USPS chooses.
Sounds like they tested maybe the 8 newest browsers, locked all the others out via user-agent, and called it a day.
Still doesn't fully explain why Windows 10 Edge browser failed on my phone (and there is no way to fix/spoof out of that one) or why justforposting's Edge on Win 10 Home failed, unless they set that user-agent requirement to only the single newest version of desktop and mobile (for no obvious reason other than laziness)
This is a mess, and I guess it is just going to be a trial and error thing when finally implemented in May. I'll be trying to user-agent spoof FF31 and FF52 into working, and testing every possible browser available on my phone to try to find something that works.
I predict howls of despair here in the forums (not just from me) May 1 unless it turns out that the test is totally screwed up, and the actual rollout will only obsolete a few of the oldest TLS1.0 browsers like Firefox 2, Firefox3, and IE7.
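The elimination reasoning in the post above, written out as an added example (not part of the original thread): each reported spoofing result is checked against candidate models of the browser gate, and only the models that reproduce every result survive. The gate models and all function names are hypothetical; the TLS ceiling given for each browser is the one stated in the post.

```python
from typing import NamedTuple, Optional

TLS_ORDER = ["1.0", "1.1", "1.2"]  # ascending protocol versions


class Observation(NamedTuple):
    browser: str
    max_tls: str     # highest TLS version of the browser, as stated in the post
    spoofed_ua: str  # user-agent presented to the site
    passed: bool     # result of the browser-check page


# Results as reported in the post; every browser was spoofed as Firefox 59.
OBSERVATIONS = [
    Observation("Firefox 31", "1.2", "FF59", True),
    Observation("Firefox 3.6.24", "1.0", "FF59", False),
    Observation("Firefox 2.0.20", "1.0", "FF59", False),
    Observation("Firefox 25", "1.1", "FF59", True),
]


def predict(min_tls: Optional[str], obs: Observation) -> bool:
    """Hypothetical gate: the spoofed UA is accepted, then the browser must
    reach min_tls. min_tls=None models a check on the UA string alone."""
    if min_tls is None:
        return True
    return TLS_ORDER.index(obs.max_tls) >= TLS_ORDER.index(min_tls)


def consistent_hypotheses(observations):
    """Return the gate models that reproduce every observed pass/fail."""
    survivors = []
    for min_tls in [None] + TLS_ORDER:
        if all(predict(min_tls, o) == o.passed for o in observations):
            label = "UA only" if min_tls is None else f"UA + TLS >= {min_tls}"
            survivors.append(label)
    return survivors


if __name__ == "__main__":
    # Before the Firefox 25 test, two models are still possible.
    print("first three results:", consistent_hypotheses(OBSERVATIONS[:3]))
    # The TLS 1.1 browser is the discriminating test between them.
    print("all four results:   ", consistent_hypotheses(OBSERVATIONS))
```

A pass or fail on the check page can also depend on factors this model leaves out, such as script features or cipher suite support, so the surviving model is the simplest explanation of the reported results rather than a confirmed description of the site.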
04-14-2018 03:39 PM
@berserkerplanet wrote:
Not sure what it means though. Won't know if spoofing works until after 4/30.
Dunno neither. I don't do much there other than some tracking and Informed Delivery. No purchasing of anything, so it may not affect me at all.
SM 2.46 spoofed as FF56 failed, but passed spoofed as FF59. They've released SM 2.49 so I may try that later.
04-14-2018 03:55 PM
Everyone thinks of changing the world, but no one thinks of changing himself. - L Tolstoy
"You are entitled to your own opinion, you are not however, entitled to your own facts."