Leaderboard

Also, it seems that a couple days ago a new version of Otter browser was released, a first stable one even. While the installer only works on W7 or above, they also have released a .zip version that's meant for XP and newer, so looks like we have an alternative to New Moon and Basilisk that will also be getting new updates in the future.

Original January 4, 2019 post title was "Update IE8 to TLS1.2 for (nearly) Last Skype 7.36.0.150 on Windows XP". Update title changed May 1, 2019. Readers wanting Skype-specific info should page or find down to the ORIGINAL INTRODUCTION. UPDATE INTRODUCTION: This compiled procedure, Instructions To Add TLS1.2 To Windows XP OS & IE8, turns out to be useful for non-Skype purposes, and may now be obsolete for the intended purpose of running Windows XP Skype 7.36.0.150 (see posts below). For convenience of other readers, I've reorganized the original post so that the procedure steps now start near the top. I've also edited OS registry variations in steps 9A and 9B, made a change in step 11, and added a 12th procedure step, each helpfully noted by posters below. ----------------------------------------------------------------- INSTRUCTIONS TO ADD TLS1.2 TO WINDOWS XP OS & IE8 (Compiled from MSFN source posts credited) ----------------------------------------------------------------- 1) If not already updated, download and install Microsoft's updated Windows Installer 4.5 (KB942288-v3) from https://download.microsoft.com/download/2/6/1/261fca42-22c0-4f91-9451-0e0f2e08356d/WindowsXP-KB942288-v3-x86.exe 2) Set a System Restore point marked, say, "Spoof POSReady ID registry edit" 3) Put the following POSReady spoof text (omit the hyphen lines) in POSReady.txt, rename to POSReady.reg, right-click Merge, Yes. ---------- Windows Registry Editor Version 5.00 [HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady] "Installed"=dword:00000001 [<-- BLANK LINE] [<-- BLANK LINE] ---------- 4) Navigate to: https://www.catalog.update.microsoft.com/search.aspx?q=kb4019276 5) Find down to POSReady, Windows XP Embedded versions of KB4019276 Click Download button for that version. Click English in the opening language window (or other language). 6) Navigate to: https://www.catalog.update.microsoft.com/search.aspx?q=KB4230450 7) Find down to POSReady, Windows XP Embedded versions of KB4230450: Click Download button for that version. Click English in the opening language window (or other language). 8) For each KB file: click, accept install, reboot. (Both create restore points just in case.) 9) Edit the following Windows XP registry entries in 9A and 9B to read as shown. If you aren't sure how, look up Regedit 5 editor instructions. For convenient automatic registry edit-merge, these lines may be pasted into Notepad text files, renamed .reg ,then just click the file after closing it (expect no response). (But to be careful, I edited them manually with Regedit 5.) 9A) After navigating the chain of registry keys, click the key TLS1.1, in the right panel, right-click "OSVersion", click Modify, enter the Value data already shown (not sure why), click OK. (I had to change "3.6.1.0.0" to "3.5.1.0.0" shown in obvious German in the source.) (EDIT: Other posters report below that if this key is absent, this step may be safely skipped.) ---------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.1] "OSVersion"="3.5.1.0.0" ---------- 9B) Next click the key TLS1.2, in the right panel, right-click "OSVersion", click Modify, enter the Value data shown above, click OK. (Likewise I had to change "3.6.1.0.0" to "3.5.1.0.0") (EDIT: Likewise, if missing, skip this step.) ---------- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\TLS1.2] "OSVersion"="3.5.1.0.0" ---------- 10) Click Start, hover Control Panel, click Internet Options, Advanced tab, pull the thumb bar all the way down. You should see new checkbox options for "Use TLS 1.1", "Use TLS 1.2". (KB4230450 will install these checkboxes, but they won't work without KB4019276.) 11) Check "Use TLS 1.2". Leave unchecked "Use TLS 1.1" (already obsoleted by TLS 1.2; and, TLS 1.3 was approved in 2018). (EDIT:) Leave checked "Use TLS 1.0". Click OK. The TLS 1.0's AES component is not insecure. TLS 1.0 may best remain checked for legacy websites needing AES or 3DES. (See explainers in posts below.) 12) (EDIT:) The following registry edits disable TLS 1.0's insecure cipher suites: DES, RC2, RC4, plus the insecure MD5 cipher hash. 3DES may be disabled optionally, but legacy websites without AES may need 3DES (Triple DES). TLS 1.0's secure cipher suite AES remains enabled, unchanged (no edit shown). Edit the following registry entries to read as shown: ---------- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128] "Enabled"=dword:00000000 [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5] "Enabled"=dword:00000000 ---------- You may need Triple DES (3DES) at websites which don't (yet) support AES. Here is the optional edit (not yet recommended) to disable 3DES (0's mean Not "Enabled", equals Disabled): ---------- [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168] "Enabled"=dword:00000000 ---------- The above registry edits (manual for transparency) are included in a larger set of one-click automatic edits in a download .reg file posted below. Pardon any source text compiling errors. If you have problems, try reading the sources (long). Source posts credited: ● https://msfn.org/board/topic/171814-posready-2009-updates-ported-to-windows-xp-sp3-enu/ POSReady 2009 updates ported to Windows XP SP3 ENU By glnz, March 19, 2013 in Windows XP ● https://msfn.org/board/topic/177500-upgrading-ie8-to-tls-12/ Upgrading IE8 to TLS 1.2 By Thomas S., June 9, 2018 in Windows XP ● https://msfn.org/board/topic/178087-update-ie8-to-tls12-for-nearly-last-skype-7360150-on-windows-xp/ Update IE8 to TLS1.2 for (nearly) Last Skype 7.36.0.150 on Windows XP By Mathwiz, January 4, 2019 in Windows XP ---------- ORIGINAL INTRODUCTION: I'm posting a step-by-step fix to add TLS1.2 to IE8, so that Skype 7.36.0.150 (for a few months did) run on Windows XP-SP3. (While 7.41.x.x may be actual "last" for WinXP, it may or not nag you to "update", requiring a separate fix or version downgrade. My version 7.36 didn't get the nag, and 7.40 was also reported to lack the nag when it mattered before April 12.) I've compiled pieces of the fix puzzle I found elsewhere on MSFN, because the complete fix isn't obvious to WinXP Skypers searching from elsewhere on the web. The fix isn't that difficult, but the usual warnings that novices should back up the registry before editing it, do apply. The download KB file installs, and each set their own restore points. I hope just setting a Restore point before starting the edit will be adequate. I haven't used my desktop PC WinXP-SP3 Skype (mostly chat) for months while the power supply was down. Yesterday I fixed it. To my surprise, Skype errored with "Sorry, we couldn't connect to Skype. Please check your Internet connection and try again." But the internet was ok. Many Skypers aren't techies, and most of the posted complaints about "Sorry, we couldn't connect to Skype", don't have a fix other than get a new OS like Win7, or use web Skype. For good reasons, we don't want to give up WinXP, at least as a backup to Win7 (or even Win8.1 for my keytablet). I've thoroughly tested Win10, but I'm not interested in that control-freak bugfest. One elsewhere-posted answer with no fix, helpfully explained that Skype had switched to using the more secure https encryption protocol TLS1.2. Skype for WinXP uses the SSL/TLS protocols built into Internet Explorer 8, which is the last Internet Explorer version for WinXP. IE8 normally has a maximum version of TLS1.0. Skype servers apparently turned off insecure TLS 1.0 sometime after I had to quit using this Skype last year (2018). So the fix is to add TLS1.2 to IE8, and it did work for me. At MSFN I found the bitter-end holdouts on WinXP, same website where I found the Win98 bitter-enders. (Btw, one poster at MSFN said the famous Windows OS bitter-ender AXCEL216 aka MDGx aka George, is still alive!). One or more MSFN gurus noticed that Microsoft is still updating Windows XP embedded OS for computerized cash registers (etc.), a WinXP variant known as "POSReady" (POS= Point Of Sale). They figured out how to spoof WinXP-SP3's identity, so that it will pose as, and accept POSReady updates, including those which to add TLS1.2 to IE8. (If still relevant to Skype readers, do the procedure above. Even if another post-April 12 Skype for XP fix is found, this procedure will likely be needed as well.) When I did this procedure (in January of 2019), the "we couldn't connect to Skype" error went away. However, a new sub-login dialog appeared that only allows a Microsoft school or business account. This dialog went away after I clicked on an existing chat account. (See new Skype 7 login obsolescence described in posts below, first reported elsewhere as of about April 12, 2019.) I hope this helps. Al

Many thanks indeed for letting us know ; I decided to give Otter Browser v1.0.01 a shot Main site: https://otter-browser.org/ GitHub source repo (+ issue tracker): https://github.com/OtterBrowser/otter-browser SF Windows binaries repo: https://sourceforge.net/projects/otter-browser/files/ At this time, no installer (setup) is available for latest (stable) version; one exists for previous RC, "otter-browser-win32-0.9.99.3-rc12-setup.exe", though... It appears that the binaries (setup.exe/.7z packages) meant for Win7+ have been compiled with Qt 5.10.1 (which requires Win7+), while the "*.xp.zip" packages have been compiled with the older Qt 5.6.2 framework, still compatible with both XP+Vista... From my brief encounter with otter-browser-win32-1.0.01-xp.zip, I can safely say this is far from being an alternative to both of roytam1's referenced browsers... At best, this is a project under development, a long distance away from maturity - despite the recent "stable" label, with very little customisation capabilities, no support yet (that I can see) for any browser extensions and, worse yet, the Vista compatible build has some additional shortcomings, due to the older version of Qt used in that... The Qt 5.10.1 versions (Win7+) of Otter have the "mediaservice" directory with wmfengine.dll inside it, this suggests Otter is capable of accessing WMF (system) decoders in Win7+; the Vista version (built on Qt 5.6.2) doesn't have this wmfengine.dll but instead has a "lib/gstreamer-1.0" subdirectory, which suggests that the build can't access Vista system codecs and media decoding is delegated to gstreamer instead ... Perhaps I am missing something obvious to experienced Otter users (e.g. the need to install gstreamer for Windows?), but I was unable to play ANY youtube video on my Vista SP2 laptop; in fact, when visiting www.youtube.com/html5 this is what I get: I wasn't willing to try installing gstreamer for fear it messes up with already installed codec packs, FWIW Vista isn't officially supported either: https://gstreamer.freedesktop.org/documentation/installing/on-windows.html So, for me at least, Otter will remain just a "curiosity" project I may check upon from time to time, not a match to New Moon 28.3.0a1 that I'm currently using for my main browsing needs...

Ya basically as long as roytam1 is putting out browsers that are extending the life of XP it will be usable after that its dead. Basically its all roytam1 lol

You mean ReactOS? You can try it, but it's nowhere close to a proper fully functional and updated OS, as its compatibility is Windows 2000/Windows XP, while it should really be at least Win7 to be considered functional these days. Anyway, I do understand that it's really difficult for developers to develop ReactOS without infringing any copyright, that's why it's very much based on Linux implementations like Mono and Wine that have been developed for years, but are still far from being perfect. An antivirus software that does its job is required as well. Whenever other people connect to your computer for any kind of reasons (like p2p) or whenever you visit a new website that you don't know or whenever one of your friends/coworker/family members/existing human being plugs in a USB Stick/Hard Drive there's a chance you can get infected. I strongly suggest you Avast, which will cover up any eventual new security issue, but keep in mind that an antivirus is not a cure for security vulnerabilities: if a new vulnerability is found and support is over, it will never be patched, which means that the Antivirus will try to block any threat that tries to use that vulnerability, but if it doesn't, the threat will successfully exploit it. There are rumours about the Microsoft Premium Support program. This type of support is aimed to keep businesses secure with constant support from Microsoft engineers and updates for the products used (to a certain extent). Will it include Windows XP and Server 2003 machines? It's likely Microsoft will continue to support XP and its derivatives as they are already supporting it (remember that businesses using XP weren't able to apply the POSReady registry entry and they are paying Microsoft for the Premium Support). In a nutshell: - Will Microsoft still support XP? Yes, it's very likely they will via their Premium Support program. - How much will it cost? You can ask Microsoft yourself by requesting a price quotation for your business at Microsoft, but it seems that it's going to be around $15000 per year. - Can a private and not a business apply? I have no idea, ask Microsoft. - Is it worth it? For private people who don't own a company like us, I think it's not. - Are there going to be exceptions? There might be exceptions if the security vulnerability found is really important and they might release an update for us all for free as they did for WannaCry. (But this is my assumption, so there's no guarantee they will). - Is there a chance that updates will be leaked by a hero wearing a cape? Very unlikely, as it would mean the immediate loss of support by Microsoft, a significant fee and prosecution. Nobody would be so stupid to risk it and even if some miracle patch appears by someone unknown, would you trust it? (I wouldn't). Last but not least, the main problem for XP users will be the compatibility with newer protocols like TLS 1.3, certificate handling like ECC, the new version of the .NET Framework, the .NET Core and so on. These are highly unlikely they'll ever be ported on XP, despite the fact that Microsoft said that they were working on supporting ECC months ago, but they kept it quiet and they didn't really talk about it, which makes me think that something went wrong down the road. I'm an encoder and a developer myself and I find incredibly difficult to support XP nowadays unless you are using C++ or using old version of a programming language like C#. For instance, I generally develop Windows programmes in C# using Windows Form and targeting .NET Framework 4, which is XP compatible, but not only new features of C# and SQL don't support XP, Microsoft doesn't even encourage to develop using it anymore as it wants you to use UWP with C# and XAML, using the .NET Core and Blend (for design) for cross platform compatibility at the expense of breaking compatibility with old version of Windows 10 (Legacy Windows like Win8.1 and lower are not supported). I've been recently asked to develop a programme this way so that they were able to distribute it as an App for tablets and phones. What about XP? Well, it will die a slow death as you will still be able to use it up to a point in which it will become unusable as nothing will work on it and even opening a simple internet page will almost be impossible.

The OS has nothing to do with browsing the web securely, that is the job of the browser you are using. Unless you are using internet explorer which is integrated into the Operating system. Your best bet is to use a prgram like Sandboxie and then sanbox your webbrowser inside a sandbox so it has no integration with the operating system at all. Then any other security problems are on the user yourself. That means if you download something and run it like an id*** than that is your fault not the operating systems,

Don't hold your breath.

Interesting. I don't understand why so much FUD is projected, in regards to XP's security. It's almost like some people get off on it. Truly perplexing. Considering the amount of software that is available for the Windows XP platform, I see little reason to upgrade in the near future. GNU/Linux is a viable alternative to XP, but even abandoned proprietary software is often times objectively better than whatever GNU has to offer.

Well, it won't become less secure ... the risk, as always, is that someone will discover and exploit a vulnerability that was always there. So I'd keep an eye on security fixes for the nearest supported OS (probably Server 2008). Any vulnerabilities discovered in that are probably in XP also. Usually M$ gives an assessment of what it would take for an attacker to successfully exploit a new vulnerability. A lot of times it turns out to require physical access to the PC; most of us needn't worry about those (unless we're using XP machines at work!) If an over-the-network vulnerability is discovered, we could probably just block the affected port with Windows Firewall, unless it's something we really need.

Looks like it will be a while before browsers supporting encrypted SNI come to the XP platform: If it's not even in the release builds of FF yet, I doubt we'll see it ported to Basilisk/Pale Moon (and thence to @roytam1's Serpent/New Moon) anytime soon.

Correct. So we can reasonably expect that Windows 7 will probably continue receiving Chrome updates until at least January 2022 three years from now. This ComputerWorld article addresses just that in addition to other milestones during Windows 7 end of life (EOL): https://www.computerworld.com/article/3322618/microsoft-windows/the-definitive-windows-7-retirement-timeline-countdown.html However, I believe that Windows 7 will persist with high market share for years due to the fact that Windows 10 has much higher system requirements (XD or NX bit execute disable bit processor, etc). In contrast, it was relatively easy to install Windows 7 on a Windows XP computer dating back to the original Pentium 233. Windows 7's market share in January 2022 probably will strongly influence Google's decision either way on whether or not to continue or discontinue support. Infected machines could wreak havoc on the rest of the Internet. Also, don't forget that Chrome 49 (49.0.2623.112 m) is still highly serviceable on Windows XP. I'm still using it nearly three years later! Adobe Flash Player updates for Chrome (PepperFlash) still work if you follow my instructions here: http://sdfox7.com/chromexp3.htm

Windows 7 will be the next Windows XP. Only a year of Windows 7 support left and it still has nearly 40% market share. The fact that Windows 7 turns 10 years old this year and still commands such high market share is a testament against the spyware and flawed updates that make up Windows 10. You'll never change my mind Even with Microsoft offering Windows 10 for free and using "unethical" methods to get people to unwittingly install, it couldn't kill Windows 7 quickly enough.