Microsoft is holding back the secure web - jgrahamc
http://blog.jgc.org/2012/04/microsoft-is-holding-back-secure-web.html

======
zokier
I think it is completely unrealistic to even think that MS would add SNI to XP
anymore. 5 years ago, maybe? But now, that's ridiculous.

And I strongly disagree with the title that MS is the one holding secure web
back. I'd blame the users (both corporations and personal ones) who won't
upgrade, either to modern browser or a modern OS.

edit: Additionally those nice graphs are misleading. I bet other (SNI
supporting) browsers have significant market share on XP too. Compare the
market share of IE <9 (<20%) to XP (33%). And some of those IE8 users probably
are on Vista/7.

edit2: And if we look at IE8 market share trend, it has been steadily
decreasing for the past year. I feel safe to say that in a year it will have
decreased to a low enough percentage that it can be ignored.

~~~
mattmanser
While Windows 7 is great and all and I love it compared to XP, what does it
actually give you to justify the price?

Pretty much sod all.

That's why users haven't forked out money. If it comes free with the new
computers, fine. I reckon we'll be seeing it for another couple of years.

But don't blame the users, blame the utter lack of progress by MS.

~~~
monkeyfacebag
"While Windows 7 is great and all and I love it compared to XP, what does it
actually give you to justify the price?"

I think the UI improvements alone (desktop search, Aero Snap) are worth the
price. Isn't this how Apple justifies charging for new versions of OS X? I
still use XP from time to time and 7 is far and away a better experience.
FWIW, I think it also provides a better experience than OS X, although, sadly,
without the benefit of a POSIX layer.

"blame the utter lack of progress by MS"

It's not like MS has been sitting on their hands of late. Kinect demonstrates
this. Windows 8 demonstrates this. I just don't think there's an appetite for
MS progress or innovation. What people like about Windows computers isn't (and
hasn't been for a long time) Windows. It's pretty hard to innovate when no one
wants what you're selling.

To be fair, I don't "blame the users" for this. When MS had a tight grip on
computing, they did little to make their products more compelling and they are
realizing the consequences of this now: Windows' name is mud.

~~~
zokier
>I just don't think there's an appetite for MS progress or innovation. What
people like about Windows computers isn't (and hasn't been for a long time)
Windows. It's pretty hard to innovate when no one wants what you're selling.

Good point. There is another side in here too: many people want to keep using
the old systems they have learnt, instead of new better systems. E.g. the
backlash against the Ribbon. It's pretty hard to innovate when no one wants
anything to change.

~~~
bediger4000
Is an "innovation" that nobody wants really innovation, or merely
change-for-change's-sake?

I think that if something is better, then people will want it, steal it even.
Take those un-skippable previews on some DVDs: people cite them as reasons to
scrounge up pirate versions of DVDs. Oh, and how about those abominable
"region codes" on DVDs? Are those "innovation" or merely a monopoly-enabled
form of price fixing?

~~~
monkeyfacebag
> Is an "innovation" that nobody wants really innovation, or merely
> change-for-change's-sake?

It's not clear, at least to me, that nobody wants Microsoft's innovations. I
think it's more that they don't want them from _Microsoft_. Windows is a tough
beast to change. The near ubiquity of the platform in the 90s and 00s means
that there's a lot of people out there who "imprinted" on the Windows UI
model.

It doesn't just affect Microsoft, though it may affect them disproportionately
because of brand association. While OS X is a screaming success now, Apple's
transition from OS 9 was anything but. It took 3 major revisions of the
software before it was usable and a lot of people hated it at the time.

In contrast, Apple's introduction of iOS received a much warmer reception
because there was no incumbent. Changing a major technology platform is hard.

------
pedrocr
Looking at the Wikipedia page for SNI it's actually Google that's holding back
the secure web. Android 2.x doesn't support SNI and according to the Wikipedia
webstats that's more than 90% of the Android mobile web users (25% of the
total mobile web usage). That's for a product released in 2009, after XP
stopped being sold.

~~~
seanp2k2
See also: the awesome that is WebDAV. Very similar story as SNI.

------
pilif
The generally lacking support of SNI is such a shame.

Especially when you consider that there are currently two forces in motion
that clearly work against each other:

On one end you have cool stuff like SPDY and more and more pervasive proxies
altering HTTP data on the fly which makes SSL more and more interesting.

On the other hand, we are running out of IPv4 addresses, making it harder and
harder to use one address per virtual host.

So even though we are much more motivated to use SSL these days, the growing
difficulty of acquiring IP addresses makes it harder and harder.

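To make the mechanism the comment describes concrete, here is a small Go program added as an example for this thread (it is not code from the linked post or from any commenter). It runs a TLS server on one loopback address that hosts two constructed names, a.example and b.example, selects the certificate from the SNI extension in the ClientHello, and then connects three times: once per name and once as a client that sends no SNI at all, which is what IE on XP or an Android 2.x browser looks like to the server. The SNI-less client can only ever be handed the default certificate, so the second name would fail validation in a real browser.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for one hostname.
// The hostnames used below are constructed for this example.
func selfSigned(host string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// sniServerConfig picks a certificate by the SNI name in the ClientHello and
// falls back to defaultHost when the client sends no SNI extension at all.
// That fallback is all a pre-SNI client (IE on XP, Android 2.x) can ever get.
func sniServerConfig(certs map[string]tls.Certificate, defaultHost string) *tls.Config {
	return &tls.Config{
		GetCertificate: func(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
			if c, ok := certs[hello.ServerName]; ok {
				return &c, nil
			}
			c := certs[defaultHost]
			return &c, nil
		},
	}
}

// servedName dials addr with the given SNI name ("" sends no SNI, because Go
// never puts an IP literal in the extension) and reports the CommonName of the
// certificate the server chose. Verification is skipped on purpose: the point
// is to observe which certificate came back, not to trust it.
func servedName(addr, sni string) (string, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: sni, InsecureSkipVerify: true})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// runDemo hosts two names on one loopback address and returns, per SNI value
// tried, the name on the certificate the server handed out.
func runDemo() (map[string]string, error) {
	certs := map[string]tls.Certificate{}
	for _, h := range []string{"a.example", "b.example"} {
		c, err := selfSigned(h)
		if err != nil {
			return nil, err
		}
		certs[h] = c
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", sniServerConfig(certs, "a.example"))
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func(c net.Conn) { defer c.Close(); _ = c.(*tls.Conn).Handshake() }(c)
		}
	}()
	out := map[string]string{}
	for _, sni := range []string{"a.example", "b.example", ""} {
		name, err := servedName(ln.Addr().String(), sni)
		if err != nil {
			return nil, err
		}
		out[sni] = name
	}
	return out, nil
}

func main() {
	got, err := runDemo()
	if err != nil {
		panic(err)
	}
	for _, sni := range []string{"a.example", "b.example", ""} {
		fmt.Printf("SNI=%q -> certificate for %s\n", sni, got[sni])
	}
}
```

Without SNI the server sees an empty name and returns the a.example certificate, so a non-SNI client asking for b.example gets a name mismatch; the only ways around it are a separate IP per host (the IPv4 scarcity the comment describes) or one certificate carrying every name as a SAN.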
~~~
zokier
You are conveniently ignoring IPv6 which IE on XP actually supports. Maybe
instead of buggering MS to add features to a dead OS we should be buggering
ISPs to get on the IPv6 train.

~~~
pilif
I wasn't buggering MS either. I was just stating the state of affairs (as
other comments state, Android is equally broken).

I can't tell you what's more likely: To get both XP and Android fixed or to
get wide-spread IPv6 deployment.

I have a feeling though that it's probably more likely that we see XP dead and
Android fixed than we are going to see the current bulk of XP users
(Corporations with crazy firewalls and users of pirated XP in Asia) having
IPv6 connectivity.

I would love to be proven wrong though as I see IPv4 scarcity to be a much
bigger threat to a free internet than anything else.

~~~
zokier
>I wasn't buggering MS either. I was just stating the state of affairs (as
other comments state, Android is equally broken).

It wasn't my intention to pick you out specifically. I aimed that comment to
the whole community.

>I can't tell you what's more likely: To get both XP and Android fixed or to
get wide-spread IPv6 deployment.

I think the latter is far more likely. While IPv6 adoption has been
relatively slow so far, there has still constantly been _some_ progress. So
I feel that there is a fair chance for wide-spread IPv6 _eventually_. On the
other hand, I'm almost certain that MS will not add SNI to XP _ever_.

------
HerraBRE
As a side-note, it is not just IE that is affected, any browser which relies
on the bundled OS encryption libraries has the same problem.

It has been a while since I checked (I did a fair bit of SNI-related research
for the HTTPS support in <https://pagekite.net/>), but at the time Chrome and
Firefox on XP also lacked SNI support on WinXP for [edit: what I assumed was]
this reason.

I think Chrome has since bundled their own crypto code so recent versions of
Chrome on XP do work, but I am not sure about Firefox. I didn't test Opera.

This was also an issue on Linux desktops relatively recently, for alternative
browsers like wget and KDE's Konqueror.

~~~
zokier
I thought Mozilla (and thus Firefox) have always used their own crypto
library, NSS: <http://www.mozilla.org/projects/security/pki/nss/>

~~~
HerraBRE
You're right, but it still didn't work when I tested it. Looks like I should
have dug deeper to figure out why, instead of just "blaming XP".

------
AndrewDucker
XP is dead in two years (April 2014 is the end of any kind of support for it).
I cannot see how it is in Microsoft's interests to put out new functionality
for it at this point.

Any large corporation will have switched away from it by then (their risk
assessments will force that), so that's the point you can start using the new
functionality.

------
macarthy12
Asia is more the issue than XP actually. XP is used in Asia mostly because it
is easy to use a cracked version (i.e. free) and it runs most popular Windows
programs etc. (low hardware reqs too). So if MS just released a cheaper
version of their OSes in Asia (Africa and South America too) then we could
all move on.

~~~
zokier
That's what Starter Edition is.

~~~
HerraBRE
If Starter Edition lacks the "easily pirated" feature, then it can't really
displace Windows XP in these cases.

~~~
kijin
I like this idea. MS should drop the price on Win 7 Starter / Home Basic to
something like $9.95 after Win 8 is released. Then run a massive campaign to
promote the security benefits of the "freshly outdated" version. If they do
this well, they could easily rake in a few dozen million dollars without
hurting the Win 8 market.

------
brudgers
> _"It's been around in various incarnations since 2004."_

XP was released in 2001.

[edit for comment] TLS 2.0 which included SNI was released in 2006. Windows
Vista which included IE7 was released in 2006/2007. [/edit for comment]

Microsoft may be guilty of many sins, this is not one of them.

~~~
zokier
IE7 and IE8 both support Windows XP, but sans SNI. They could have shipped
Vista version of their SSL library with IE7/8 but they didn't.

~~~
brudgers
Given the changes between Vista and XP particularly in the area of security,
it's not certain that it was simply a matter of shipping the Vista version of
Schannel to XP customers.

What evidence do you have that implementation would have been trivial?

~~~
zokier
No evidence obviously. Just a silly notion that SSL would be a well
encapsulated standalone user-space library, and inherently fairly portable. In
hindsight, that _was_ naïve from me.

------
nirvdrum
While I concede this is a problem for those wanting to do mass hosting of SSL,
I'd hardly say that's what's holding back the secure web. Way too many devs
outright refuse to run on SSL in situations where it would work just fine.
Some have old notions of computational overhead of encryption. Many are
concerned about what SSL does to caching. It's just hyperbole to blame
Microsoft for this. The note about when SNI was released is illustrative of
that, since mod_ssl didn't support SNI until quite recently. Prior to that,
one had to use mod_gnutls which created a whole raft of different issues.

~~~
zokier
Well, SSL definitely incurs a performance penalty even these days when actual
encrypting is relatively cheap:
<http://www.semicomplete.com/blog/geekery/ssl-latency.html>

~~~
nirvdrum
True. But the argument I hear most often is that they can't run as many
processes because of the SSL overhead. But, that aside, even if the latency is
the problem, that's certainly not going to be solved by XP supporting SNI.

------
omh
This looks like a precursor to what we can expect with IPv6.

A significant minority of users are going to be on old operating systems that
can't or won't be upgraded to support IPv6, and servers will have to make the
choice about whether to exclude them or not.

