Jump to content

Internet Explorer 11 on Windows 7 (Retired!)


steven4554

Recommended Posts

2 hours ago, bphlpt said:

I NEVER use IE these days, but, just for you :) I tried it ( IE11 on Widows 7) and got a similar result to what you did, but it connected fine using SRWare Iron, a Chrome variant. IE11 indicated that I should "Turn on TLS 1.0, TLS 1.1, and TLS 1.2", but those were already turned on, and I did not pursue it further. If you can get it to work, I'll see if I can replicate it on my end.

Cheers and Regards

Thanks very much @bphlpt, that confirms what I found.
I don't use IE now either, but this actually came up on a friend's Windows 7 laptop, where he does still use IE11 as his browser.
I was surprised to find the same problem on Windows 8.1, and even more surprised to find that the problem isn't there on Windows 10, all apparently with the same IE11.
Very strange.
:dubbio:

Edited by Dave-H
Quote added as reply appeared on a new page
Link to comment
Share on other sites


I've read around here that most browsers are using the SSL/TLS capabilities of the system, except Mozilla Firefox family, which has that important certificate stuff embedded itself. So thought the site may just require some very modern cert. But interesting then that SRWare Iron runs too. If certs not culprit, perhaps different settings between the IE11 profiles, or some other OS module required?

Link to comment
Share on other sites

Could be, but as Windows 7, and certainly Windows 8.1, are still supposedly fully supported systems, why do they not have the necessary certificates for IE11 to display all current websites?
I hadn't heard anywhere that IE11 is not now considered to be a current supported browser, and it does still work on Windows 10!
:dubbio:

Link to comment
Share on other sites

I asked a friend of mine, who also uses Window 7, to also check it out. His response was:

Yeah I see that doesn't work in IE11. No idea why, and this is with all IE11 updates applied. 64-bit, 32-bit, and 32-bit without addons, none work.  Maybe that restaurant is for discerning customers only? 

:P 

Maybe someone could ask the restaurant's IT guy if they did something special? They might actually appreciate someone contacting them, since I wouldn't think they would want to exclude any potential customers.

Cheers and Regards

Link to comment
Share on other sites

https://www.cote.co.uk/
Hehe - LOL!! Am delighted to report that page OPENS in Win98 with roytams old K-Meleon-Goanna74! xD
(this is not even KM76, but 74 with engine of Palemoon26/Fox24)
And even with all my blocks up, incl blocked global javascript, which means the page looks empty but it does load the source, gets the page title, shows NO security errors, and a mini-content shows up when simply killing stylesheets. And with my usual UA of fake IE7.
To avoid misunderstandings, that does NOT mean the page were usable that way, no menus nor FAQ page etc. are displayed, am merely getting a few links to facebook+instagram and phone numbers. It just means the access is not blocked completely. The page is chock full with all sorts of scripts, with interesting source code like using xxx.WRITE (doc.write is blocked at least since FF38, but may be contained due to my old useragent), or html tags "@onclick"

Just meaning that pretty much rules out any required modern features or permissions as culprits for the completely denied access.
Still suspect the certs, but if true, that makes me wonder if Iron has some embedded ones too? Or (no idea) if weak certs are not disabled in whole system, only by browsers?

Edited by siria
Link to comment
Share on other sites

Only for the record, the site in question opens (and works) just fine on SRWARE Iron (Versione 43.0.2300.0) from my XP (SP2, yes, I know, don't ask).

As a side-side (really side) note, I noticed something somewhat "queer" (at least judged from my foreigner viewpoint):

Quote

An optional gratuity of 12.5% will be added to your bill. All gratuities go directly to the staff in our restaurants. Click here to find out more.

and:

Quote

Côte's Service Charge Policy

Any optional service charge that you leave is a direct reward for the staff who made your experience special. We therefore ensure that all service charge goes to the staff in the restaurant where it was given.

We provide every member of the team with a meal, soft drinks and, for those who work in the evening, a well-deserved drink at the end of the shift. A contribution towards the cost of this is covered from the service charge (£3 per shift). This policy is widely supported by our staff.

All remaining service charge is then distributed directly amongst the restaurant staff, including the waiting staff, the front of house team and the kitchen staff.

It is entirely your choice whether or not to pay this service charge. Please ask if you wish it to be removed.

It is perplexing :dubbio:.

jaclaz

Link to comment
Share on other sites

I must say that I knew about the first bit, but had never read the second bit! I wonder if any other restaurants do that?
Still, as long as the staff are happy!
Personally I never add tips to credit card payments in restaurants where it isn't included in the bill, as I want the money to go to the people who've served me, not to the restaurant owners!
Anyway, back on topic, I've now tried in other browsers, and for the record the site works fine in Google Chrome 49 on XP, and in the latest version of the Otter browser.
Opera 36 strangely displays the site but without the background video on the home page, so maybe that's what's causing the IE11 problem.
:dubbio:
 

Link to comment
Share on other sites

After further testing, trying to load the problem page (https://www.cote.co.uk), on Windows 7 Pro x64 it loads and works just fine on the following browsers except as noted:

SRWare Iron v72.0.3750.0 (64-bit)
Firefox v70.0.1 (32-bit)
Firefox v70.0.1 (64-bit)
Chrome v78.0.3904.97 (64-bit)
Opera Next v23.0.1522.28 -- No background video
Opera v65.0.3467.42
Slimjet v24.0.6.0 (based on Chromium 76.0.3809.87) (64-bit)
Vivaldi v2.9.1705.41 (Stable channel) (32-bit)
Vivaldi v2.9.1705.41 (Stable channel) (64-bit)
SeaMonkey v2.49.1
SeaMonkey v2.49.5 (64-bit)
IE v11.0.9600.19230 -- Doesn't work at all

Cheers and Regards

Link to comment
Share on other sites

Wow, thank you for all that testing @bphlpt!
Interesting that Opera Next 23 on Windows 7 produces the same result as Opera 36 does on XP, no background video, and yet Opera 65 works fine.
IE11 is the only one that refuses to display the site at all, and it's the same in Windows 8.1, but fine on Windows 10.
Bizarre!
:lol:
 

Link to comment
Share on other sites

If anyone can get IE to work it would probably be @NoelC, since that is his browser of choice, AFAIK.  You might PM him and ask if he would check it out for you. I am curious as to what is going on. He primarily uses Win8.1 these days, but I believe he has installations of both Win7 and Win10 he can use for this kind of testing.

Cheers and Regards

Edited by bphlpt
Link to comment
Share on other sites

@Dave-H : A check of "cote.co.uk" on SSL Labs Server test page

https://www.ssllabs.com/ssltest/analyze.html?d=www.cote.co.uk

confirms what has already been reported; just scroll down to the Handshake Simulation section:

jfYVgmH.jpg

... and see that IE11 only works on Win10 !

As to why, I think I have some clues: 

I couldn't help noticing how that server was configured: Only TLS 1.2 version is enabled, and only 3 cipher suites for that protocol version:

IbdMPfr.jpg

Now, IE11 uses the cipher suites available in the OS's "Microsoft Schannel Provider" library; however, different Windows versions support different sets of cipher suites:

https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel

Quote

Different Windows versions support different TLS cipher suites and priority order. See the corresponding Windows version for the default order in which they are chosen by the Microsoft Schannel Provider.

If one checks the available suites on Win7:

https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-7

one cannot find any of the three cipher suites needed for connection to the server in question... :(

OTOH, checking the available cipher suites on Win10 v1903:

https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-10-v1903

one can find the first preferred (by the server) cipher suite, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, as available, hence the TLS 1.2 handshake succeeds and the site loads in IE11/Win10! :cheerleader:

However, I don't have answers as to why Chrome 49/WinXP[SP3] also succeeds, unless, of course, ProxyHTTPSProxy is used with it... ;)

BTW, Chrome 49 does open the site successfully here, Vista SP2 32-bit, but I do have installed WinServer 2008 updates that enable TLS 1.2 support:

L9F2itJ.jpg

Perhaps Chrome 49 has native support for that cipher suite and only uses the Windows Store for certificates, NOT using Schannel like IE does (I'm sorry, my Chrome related knowledge is limited, have only been a Firefox fan from the start!) :dubbio:...

Cheers :P

Edited by VistaLover
Link to comment
Share on other sites

@VistaLover
Highly interesting info, thanks! Especially this:

> Perhaps Chrome 49 has native support for that cipher suite and only
> uses the Windows Store for certificates, NOT using Schannel like IE does

So far I thought this Certs+Ciphers stuff were somehow 1:1 related, and all non-Mozilla browsers could only use the same pool. But obviously only IE is completely dependent on the OS.
Shocking for me to read: even Vista needs MS updates to get TLS1.2 support? I can understand that Win98 is much too outdated for native TLS1.2, but assumed all newer systems like XP had it long since by default, sigh.
And will finally have to store those great ssl-test links!

Link to comment
Share on other sites

8 hours ago, siria said:

Shocking for me to read: even Vista needs MS updates to get TLS1.2 support? I can understand that Win98 is much too outdated for native TLS1.2, but assumed all newer systems like XP had it long since by default, sigh.

... When Vista SP2 reached the end of Extended Support on April 2017, the EoS'd OS at the time was left with only TLS 1.0 native support; the same was true for XP SP3 when it reached its ES end in 2014.

Both these OSes can be upgraded to have native TLS 1.1+1.2 support using M$ official updates originally prepared for sibling OSes that had/have "End of Extended Support" dates way past the ones for the OSes in question...

XP users can get TLS 1.2 support by installing updates for (NT5.1) Embedded POSReady 2009 (which reached EoS earlier this year) and Vista users can do the same by installing update(s) for (NT6.0) Windows Server 2008, to reach EoS next January (2020); for Vista, you might read this ;) ; I'm afraid XP & Vista (and soon Win7) are no longer regarded as new systems; yes, they are newer compared to Win98 but otherwise "deprecated" by today's standards... :(

Regards

Edited by VistaLover
Link to comment
Share on other sites

Just for the record, on XP both Chrome 49 and Otter 1.0.81 open the Cote website fine without HTTPSProxy enabled.
Opera 36 does as well, but again without the background video.
My ancient version of Safari for Windows (5.1.7) also opens it, perhaps rather surprisingly, but it's not formatted very well.
IE8 doesn't want to know without HTTPSProxy of course, just producing a "page can't be displayed" message. With HTTPSProxy enabled it just produces a blank white page.
Thanks for all the research you've all done, especially @VistaLover, I really wasn't expecting all that!
I guess it is worth looking into though, as potentially other sites could have the same problem.
:)
 

Link to comment
Share on other sites

Even though it has been suggested that it might just be that the restaurant is for discerning customers only, I thought that this site's behavior was very bizarre. I figured that no restaurant would want to exclude any potential customers, even if it only excluded those still using IE11, which admittedly might not be a bad decision.

In my mind, this was a fault in the programming of the site. So unless the "missing" cipher suites, that Win 10 supports, are added to Win 7 and Win 8.1, this problem will continue to occur, because lazy site programmers will continue to exist, and will probably grow in number. Of course, those of us who never use IE if at all possible, and instead use a legitimate browser, might never run into the issue, but I think it is still worth knowing about. And I think it would be a good thing if all of the TLS and PSK cipher suites that Win 10 supports could be added to Win 7 and Win 8.1, if possible. TLS Cipher Suites in Windows 7 shows how to select the order of the cipher suites that are used by IE and your OS:

To add cipher suites, use the group policy setting SSL Cipher Suite Order under Computer Configuration > Administrative Templates > Network > SSL Configuration Settings to configure a priority list for all cipher suites you want enabled.

...but I believe that is only applicable to the cipher suites that are already a part of the OS, and to add any that aren't probably requires an update, like what was done with this one - https://support.microsoft.com/en-us/help/3161639. I have no idea whether it is possible to add the ones from Win 10 somehow, officially or un-officially, but it would be nice. Of course, if site programmers would just stick with Steve Gibson's cipher suite suggestions - https://www.grc.com/miscfiles/SChannel_Cipher_Suites.txt - that would also solve the problem.

I also thank @VistaLover for his testing and reporting his findings. Very informative.

Cheers and Regards

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...