Mathwiz

That's fine, especially if you don't use it. Just turn it off and forget about it; there's no need to bother with add-ons. The add-on I found just toggles the same preference in about:config. It's strictly a convenience for those who use WebRTC but want it off during general browsing for greater privacy protection

Still available via the Classic Add-Ons Archive also.

Specifically, WebRTC leaks two bits of info that may compromise your privacy: Device ID hashes for your microphone & camera The IP address on your local network #1 can be used for browser fingerprinting, allowing the likes of Google and Facebook to secretly track your online activities; luckily it's mostly a problem for Chromium-family browsers, not for Firefox-family browsers like Basilisk. The latter browsers randomize the "salt" used in the hash whenever the browser is started, so unless you leave your browser session running for weeks at a time, the ability of anyone to use #1 as a secret tracking cookie is limited. #2 is more problematic though. It can reveal your "real" address behind a VPN, which could be used for censorship, or alert the authorities that you're accessing "banned" material. More commonly, it will reveal one of those non-routeable local IP addresses starting with 10. or 192.168 assigned by your (real or virtual) router. That's less worrisome, but if it doesn't change often, it too can be used in conjunction with your public IP for browser fingerprinting. If you don't need/use WebRTC, the website linked above contains instructions for disabling it and preventing those info leaks. But what if you do use it? One solution might be the WebRTC Control add-on. This adds a toolbar button that simply toggles WebRTC on or off, a la the popular Flash Disable add-on. So you can leave it off for normal browsing, but turn it on before going to a site that requires it. Edit: Should have checked first. Couldn't install WebRTC Control linked above. All three versions download OK but Basilisk reports that they all appear to be corrupt. Must be a bad hash somewhere Try the "classic" version of Disable WebRTC instead. I think a better solution would be an add-on with a white-list, which would enable WebRTC automatically, but only for sites like Discord and Skype. But I haven't yet found a Basilisk-compatible add-on that has such a white-list

Well, over the weekend CAA updated itself to version 1.2.3, overwriting the change you suggested. I reapplied the change and of course it works again, but obviously will have to do that every time CAA gets updated ... oh, well ....

I've heard of that problem before. KB4480077 updates .NET Framework 4 Client Profile; yet it may refuse to install unless .NET Framework 4 Extended is also installed. Looks like KB4470490 updates both Client Profile and Extended.

Well, that didn't take long. They're already up to 3.0.6.... Oooh ... High Dynamic Range ... wish I had an HDR monitor to try it on.

Yes, updating the .NET frameworks (especially .NET 4.0) always seems to take forever and a day.

Thanks! I have the legacy version, 1.1.2. I'll test 1.4.0 but I'm pretty sure it'll work since it works on @roytam1's version. Edit: It does work. I would have been surprised if it didn't. The WebExtensions API is inherently compatible with multiprocess mode; the next question was whether Basilisk 52 supported enough of the API, but since it works on the XP build that was all but certain to be true as well. Still, you never know about these things until you try them - especially when using an unsupported feature of the browser

Admittedly a kludge, but it does seem to work! I can now add Classic Add-Ons Archive back to my default profile, although Markdown Viewer must remain consigned to a separate Single-process mode profile. I'm still surprised multiprocess mode works in the first place. On my XP VM I could have just gone back to single-process mode and it would have been fine; but on Win 7 Basilisk kept freezing anytime another tab auto-updated in the "background" (until I discovered multiprocess mode works). So this kludge will still help me. Thank goodness for 7-zip too; it makes it easy to update files (like bootstrap.js) within .xpi files (like ca-archive@Off.JustOff.xpi).

Those values used to be there - I've seen them - but installing the latest IE8 update may have removed them. If they aren't there (they're gone from mine now too) don't worry about it. They were intended so that IE's registry keys could be configured the same for all OSes, but TLS 1.1 / 1.2 would still show up only on Win 7 and up, so they aren't needed now that TLS 1.1 / 1.2 work on XP.

Yep - it's KB4461614, a "security" update to MSO.dll. Same stupid mistake as the one that started this thread: it "secures" Office 2010 (including even free products like PowerPoint Viewer) by making sure it doesn't run at all on XP. 8-) Edit: Removed KB4461614 and PowerPoint Viewer runs OK again. Guess I'll have to hide it....

It looked to me like they've made a lot of progress - they have Office 2010 installing now - but there's also a ton of work left. Obviously Windows is a moving target. They have it mimicking XP pretty well, but that's just as XP (embedded at least) is reaching EoS and more vendors are dropping XP support. They really need to be mimicking Win 7 at this point, with an eye toward Win 8.1.... And sometimes they waste resources on side projects, like getting it to boot from btrfs disks ... nice (and they caught and fixed some bugs in the WinBtrfs driver in the bargain), but is that really as important as being able to run current software? If you can't do that, might as well stick with XP

In my case at least, extensions & favorites are stored in my profile folder. To find out where that is, open your old browser and type about:profiles. It will list all your profiles (most folks only have one) along with the paths to each. You can do the same thing in your new browser too. Once you know where both profiles are, you can copy everything from your old browser's profile folder to your new one. (Close both browsers first.) Even after copying everything to your new browser, you may still need to reinstall some add-ons. See post 1 in this thread for instructions on doing that. And of course, if you're changing browser platforms (e.g., from Firefox to NM), some add-ons may not be compatible with your new browser and you'll have to look for alternatives. Note: you don't need to go through all this when updating a browser to a newer version. Just back up the programs folder (e.g., C:\Program Files\basilisk or wherever you put yours) in case you need to revert, then copy everything from the update into the programs folder. No need to touch profiles in this case.

Well, spoke too soon. One of my add-ons has turned out to be incompatible with multiprocess mode: the Classic Add-Ons Archive mentioned by @VistaLover not long ago. Have to disable multiprocess mode and restart in order to use that add-on. Edit: And, just like that, I found another: Markdown Viewer, an add-on for reading .md files, doesn't work in multiprocess mode either; files just open as a blank tab. This one was more annoying since I was trying to set up Basilisk as the default program to open .md files. Ended up having to create a separate profile, which I named "Single-process mode", disable multiprocess mode in that profile, and edit the "open" command in the registry thus: "C:\Program Files (x86)\Basilisk\basilisk.exe" -no-remote -P "Single-process mode" -url "%1" (Took quite a bit of trial-and-error to figure that one out, too.)

It does install in (official) Basilisk, so I'm guessing probably Web Extension format. I'll try it in @roytam1's Serpent tomorrow; it'll probably work there as well. No documentation though; no idea how to set it up or use it.

Or this (ignore the references to Skype, and you can skip step 4 & 5 since you already installed KB4019276): BTW I recommend leaving TLS 1.0 enabled in step 11 for older Web sites that still need it; but it's your choice.

Well, try as I might, I can't get past 11.0.02. Every version newer than that one just locks up solid as soon as the Reader window opens. I'm sure it has something to do with the "Internet bar" they added in 11.0.03, because that's the one obvious change between .02 and .03. But I can't figure it out.

Just a quick explanation of SNI (Server Name Indication): It was added to (I think) TLS 1.2 to allow one server to host multiple secure web sites. The browser sends the server name in the TLS "ClientHello" message that initiates a secure connection, so the server knows which site's certificate to send back. I'm not actually sure if the recent TLS 1.1/1.2 updates for XP and IE8 included SNI support, but even if they didn't, it's supported by FF 52 ESR and its forks, including Pale Moon and Basilisk, all of which have XP-compatible versions. A recent criticism of SNI is that the server name is sent in plain text, which lets nosey ISPs see which web sites you're visiting. (With the demise of Net Neutrality in the US, your ISP could even block a specific web site or slow it down to uselessness.) So ESNI (Encrypted SNI) has been proposed to prevent this information leakage. ESNI is still very new, however, and it remains to be seen how widely it will eventually be adopted. At present, it's only available in nightly builds of the FireFox browser, which doesn't run on XP; and the Pale Moon team (so far) has no interest in it, so it won't be finding its way into @roytam1's XP-compatible versions of these browsers unless MC changes his mind. So, bottom line: at present XP does support TLS versions up through 1.3 and SNI (with third-party browsers) but does not support ESNI.

At this point it's premature to do anything more than preliminary research anyhow. The ESNI spec isn't even finalized yet. My hope is, if Mozilla adopts the changes, Google will follow; if that happens it'll be a lot tougher for MC to resist. But that's probably years down the road; by that time we'll be fighting to keep even Win 7 alive.

Yet another Office 2010 update: I don't even have Excel 2010 (only have PowerPoint Viewer) but I was offered the update anyway.

To enable TLS 1.2 in XP (for IE8, Chrome, Skype, and anything else that uses XP's native TLS support) follow the instructions here: For a tool to list all the updates you have, try NirSoft WinUpdatesList.

Strictly speaking, these are missing from IE8, not XP itself. If you use a modern Web browser (e.g., FF 52 ESR or one of its XP-compatible forks) instead of IE8, you'll have those features. ESNI, however, is unsupported (and will likely remain so, as discussed on the other thread).

Thank you for that excellent step-by-step guide. One note: there are still a few web servers around that don't yet support TLS 1.2. So in the last step (11), one may opt to leave TLS 1.0 checked (particularly if they use Chrome 49 or Advanced Chrome web browsers, which also use XP's Internet settings). That way their connection will use TLS 1.2 if it's available but fall back to TLS 1.0 if not. (No real reason to enable TLS 1.1 though; I've never seen a site that supports TLS 1.1 but not 1.2.) I wouldn't say TLS 1.0 is insecure by itself, but it does support several insecure cipher suites, so you may want to disable all cipher suites except AES (and perhaps 3DES; it's security was weakened by the "Sweet 32" attack, but as with TLS 1.2, there are still a few web sites that don't yet support AES, so you may need to leave it enabled for those). I've attached a .reg file to disable the old RC2 and RC4 cipher and MD5 hash algorithms: Disable insecure algorithms.reg

Personally, I'd like to see it, albeit as an "opt-in" option where I could select my own DNS servers rather than Mozilla or whoever selecting them for me. The idea is to try to get ESNI and DoH/DoT as common as HTTPS has become. But it's pretty clear from the two threads linked above that MC isn't interested. My only hope is that @roytam1 can merge the relevant commits directly from Mozilla's code.

Correct. There's a specific POSReady update to support AES, which robotbirds.co.uk supports as well. That should solve your cipher mismatch issue. There are other, more recent POSReady updates to support TLS 1.2, now required by several web sites. Can't remember the KB numbers but should be searchable at the POSReady thread. Note: some POSReady updates require an SSE2 processor. Not sure about these specific ones, but I don't think they do.