
TfL change to website security prevents older smart phones accessing their website

Status
Not open for further replies.

Old Yard Dog

Established Member
Joined
21 Aug 2011
Messages
1,673
TfL seem to have "upgraded" their website cryptography (to TLS 1.2 and 1.3) so people with older smart phones can no longer access it. I've been on the phone to O2 for hours and it took me and their gurus that long to work out what the root cause of the problem probably was.

This means that passengers with older phones can't get travel information when they are on the move (or not as the case may be). I'm not even sure why their website needs to be https and not http.

(I could of course be completely wrong about this, so please correct me if I am)
 
Last edited:

RailUK Forums

Sacro

Member
Joined
20 Jan 2010
Messages
383
Chrome and Firefox now flag all sites (including this one) as insecure if you're logging in over HTTP.

HTTPS is required to confirm that you're talking to the correct website and nobody in between is intercepting/interfering with the data.

Just checked and indeed only TLS 1.2 is enabled on the server. This is the recommended configuration going forward (notwithstanding TLS 1.3 and higher).

Android 4.4 (which came out nearly 3 years ago) or above is needed; see if your handset has a firmware update available, as there are probably a fair few security fixes since then too.
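Added illustration (not code from any poster here, nor TfL's): the decision described above seen from the server side. It parses a TLS ClientHello, reads the versions the handset offers (the client_version field, or the supported_versions extension a TLS 1.3 client sends) and applies a TLS 1.2 minimum, which is why a handset that can only offer TLS 1.0 gets no further. The ClientHello bytes are constructed samples, not real captures.

```python
import struct

SUPPORTED_VERSIONS_EXT = 43  # extension type, RFC 8446 (TLS 1.3)
TLS_NAMES = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}


def build_client_hello(legacy_version, supported_versions=None):
    """Build a minimal ClientHello record (constructed sample, not a real capture)."""
    body = bytes(legacy_version)                     # client_version, e.g. (3, 1) = TLS 1.0
    body += b"\x00" * 32                             # random (zeroed for the sample)
    body += b"\x00"                                  # empty session_id
    body += struct.pack("!H", 2) + b"\xc0\x2f"       # one cipher suite
    body += b"\x01\x00"                              # compression_methods: null only
    ext = b""
    if supported_versions:                           # a TLS 1.3 client lists versions here
        vers = b"".join(bytes(v) for v in supported_versions)
        data = bytes([len(vers)]) + vers
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
    body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body     # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record header

def offered_versions(record):
    """Return the protocol versions a ClientHello offers, highest first."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    p = 9                                            # past record and handshake headers
    legacy = (record[p], record[p + 1])
    p += 2 + 32                                      # client_version, random
    p += 1 + record[p]                               # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0] # cipher_suites
    p += 1 + record[p]                               # compression_methods
    versions = [legacy]                              # pre-1.3 clients only have this field
    if p + 2 <= len(record):
        ext_end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
        p += 2
        while p < ext_end:
            etype, elen = struct.unpack("!HH", record[p:p + 4])
            p += 4
            if etype == SUPPORTED_VERSIONS_EXT:      # this list overrides client_version
                lst = record[p + 1:p + 1 + record[p]]
                versions = [(lst[i], lst[i + 1]) for i in range(0, len(lst), 2)]
            p += elen
    return sorted(set(versions), reverse=True)

def minimum_version_check(record, minimum=(3, 3)):
    """Server policy: accept only if the best version offered is >= minimum (TLS 1.2)."""
    best = offered_versions(record)[0]
    return best >= minimum, TLS_NAMES.get(best, "unknown")
```

Logging the rejected version names before enforcing the minimum is how an operator measures how many handsets a cut-over like TfL's phased switch will turn away.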
 

09065

Member
Joined
20 Jan 2013
Messages
77
You may find TfL also had to take action against Cloudbleed which was causing a leak of personal data over HTTP.

TfL being one of over 120,000 sites at risk.
 

yorkie

Forum Staff
Staff Member
Administrator
Joined
6 Jun 2005
Messages
73,432
Location
Yorkshire
What smartphone are you using, and what operating system is it running?
This means that passengers with older phones can't get travel information when they are on the move (or not as the case may be). I'm not even sure why their website needs to be https and not http.
You're not seriously suggesting you should be able to view your journey history and account details using a non-secure site? :o
 

Hophead

Established Member
Joined
5 Apr 2013
Messages
1,291
This TfL Digital blog entry from 25th January may confirm your suspicions:
Configuration to TLS 1.2 & 1.3 – Timings Confirmed

...We will be implementing this as a phased approach starting at 10.30 tomorrow morning (Thursday 26 January). Between 10:30 and 16:00 we’ll turn this on, and will be monitoring its performance.
If this goes as planned, we will make the permanent switch on Tuesday 31 January at 10:30.
To prevent any issues with using our data feeds, please could you make sure you have updated your tooling to support the newer versions of TLS by 10.30 tomorrow morning.....
 
Last edited by a moderator:

Sacro

Member
Joined
20 Jan 2010
Messages
383
What smartphone are you using, and what operating system is it running?

You're not seriously suggesting you should be able to view your journey history and account details using a non-secure site? :o

You can do it on these forums, what percentage of users have unique passwords?
 

Bletchleyite

Veteran Member
Joined
20 Oct 2014
Messages
104,689
Location
"Marston Vale mafia"
What smartphone are you using, and what operating system is it running?

You're not seriously suggesting you should be able to view your journey history and account details using a non-secure site? :o

I don't think anyone is suggesting personal details should be viewable on a non-secure site, but there is no reason that things like journey planning should not be, at least until 99+% of users are using a device capable of TLS 1.2.

(Though I don't care how secure my journey history is, without other personal information like address it's of no use to anyone - it's like if you find a key on the floor in the street - "security by obscurity" - you don't know which house it opens - makes it rather useless unless it's dropped outside the house it opens)
 
Last edited:

Sacro

Member
Joined
20 Jan 2010
Messages
383
I don't think anyone is suggesting personal details should be viewable on a non-secure site, but there is no reason that things like journey planning should not be, at least until 99+% of users are using a device capable of TLS 1.2.

(Though I don't care how secure my journey history is, without other personal information like address it's of no use to anyone - it's like if you find a key on the floor in the street - "security by obscurity" - you don't know which house it opens - makes it rather useless unless it's dropped outside the house it opens)

Looks like Android 4.2 and below is down to ~10% of market share; a lot of people won't stop using an outdated OS until forced off. Windows XP is similar percentage-wise; increasing website security requirements will assist with lowering that too.

I wouldn't count that as "security by obscurity", there's no obscurity there. Obscurity would be moving the lock to make it more difficult.
 

blakey1152

Member
Joined
5 Sep 2011
Messages
461
My phone is currently broken and in for repair and in the meantime I'm using an antique iPhone 3s... and I can no longer access the TfL web site at all using Safari.
 

sk688

Member
Joined
11 Sep 2016
Messages
819
Location
Dublin
Don't know if this is just me, but having issues accessing the TfL site on an iPhone 5s, iOS 9.3.5, using Chrome and Safari.

Also having issues on a Huawei P8 using Chrome or Opera, running 6.0.1.

Anyone else with either of these two suffering issues, or is it just me? It just seems to be permanently rendering, on data or WiFi. Have soft reset both if that helps.
 

Sacro

Member
Joined
20 Jan 2010
Messages
383
My phone is currently broken and in for repair and in the meantime I'm using an antique iPhone 3s... and I can no longer access the TfL web site at all using Safari.

Running iOS 6? That should support TLS 1.2 just fine.
 

Temple Meads

Established Member
Joined
2 Sep 2010
Messages
2,259
Location
Devon
Don't know if this is just me, but having issues accessing the TfL site on an iPhone 5s, iOS 9.3.5, using Chrome and Safari.

Also having issues on a Huawei P8 using Chrome or Opera, running 6.0.1.

Anyone else with either of these two suffering issues, or is it just me? It just seems to be permanently rendering, on data or WiFi. Have soft reset both if that helps.

Working fine on Chrome using my Huawei P8, using Android 5.0.1.
 

jayah

On Moderation
Joined
18 Apr 2011
Messages
2,017
Looks like Android 4.2 and below is down to ~10% of market share; a lot of people won't stop using an outdated OS until forced off. Windows XP is similar percentage-wise; increasing website security requirements will assist with lowering that too.

I wouldn't count that as "security by obscurity", there's no obscurity there. Obscurity would be moving the lock to make it more difficult.

It is enough of a battle to try and get the 50% of the population not on mobile data to use it at all, without trying to force them off again.

It is about money pure and simple - 'outdated OS' equals more expensive and unnecessary hardware and more dosh for Microsoft, Apple etc...
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
32,318
Location
Scotland
It is about money pure and simple - 'outdated OS' equals more expensive and unnecessary hardware and more dosh for Microsoft, Apple etc...
Yeah. Nothing at all to do with older hardware (and more importantly software) not being secure any more. :roll:
 

thelem

Member
Joined
17 Mar 2008
Messages
550
It is enough of a battle to try and get the 50% of the population not on mobile data to use it at all, without trying to force them off again.

It is about money pure and simple - 'outdated OS' equals more expensive and unnecessary hardware and more dosh for Microsoft, Apple etc...

No, it's about security. The bigger question is why does Android from 2013 not support a version of TLS from 2008?

The Payment Card Industry standard (PCI-DSS) requires people to move to a secure version of TLS, at a minimum 1.1 but 1.2 is recommended. Expect more sites that take card payments to drop support for TLS 1.1.

https://blog.pcisecuritystandards.org/migrating-from-ssl-and-early-tls
https://support.cloudflare.com/hc/en-us/articles/205043158-PCI-3-1-and-TLS-1-2
 

Sacro

Member
Joined
20 Jan 2010
Messages
383
Yeah. Nothing at all to do with older hardware (and more importantly software) not being secure any more. :roll:

Very little chance the hardware isn't secure; usually it's because the manufacturer has made their money and moved on to the next model.

The XDA Developers Forum has sub forums for many different handsets where people are building custom newer versions of Android which shows that an old handset is more than capable of running a newer release if someone is bothered to get it working.
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
32,318
Location
Scotland
Very little chance the hardware isn't secure; usually it's because the manufacturer has made their money and moved on to the next model.
Not necessarily true. In the general case there have been issues with functions built into silicon being security issues. I have no idea if they affect any smartphones though.
The XDA Developers Forum has sub forums for many different handsets where people are building custom newer versions of Android which shows that an old handset is more than capable of running a newer release if someone is bothered to get it working.
And that is fine. But explain to me why a manufacturer should spend resources (time, money) building new software releases for hardware in perpetuity?
 

JaJaWa

Established Member
Joined
14 Feb 2013
Messages
1,712
Location
And that is fine. But explain to me why a manufacturer should spend resources (time, money) building new software releases for hardware in perpetuity?

Apple now provides software updates for 5 years since the handset's original release date. It's a shame the Android manufacturers struggle to scrape 1 year.
 

talldave

Established Member
Joined
24 Jan 2013
Messages
2,433
Apple now provides software updates for 5 years since the handset's original release date. It's a shame the Android manufacturers struggle to scrape 1 year.

Presumably, Apple's overpriced products give them the budget to do so.

But to build upon najaB's point, apart from fixing errors and security flaws, why should a manufacturer update a product after sale? Has your washing machine had any new features added since it was installed? Did your local dealership swap your car stereo for this year's model when the car was last in for servicing? Did Coldplay email you a couple of extra tracks to go with their last album? No, I didn't think so.
 

bahnause

Member
Joined
30 Dec 2016
Messages
692
Location
bülach (switzerland)
Presumably, Apple's overpriced products give them the budget to do so.

But to build upon najaB's point, apart from fixing errors and security flaws, why should a manufacturer update a product after sale?

Long-term customer retention. Customers might switch to other products if these offer new fancy features. After-sales management is a very important aspect. In a business-related environment, it makes even more sense to plan for the longer term (especially if you have connections to other systems like Exchange). We went for "overpriced" iPads and saved a lot of money :D
 

Doctor Fegg

Established Member
Joined
9 Nov 2010
Messages
2,126
Location
Charlbury
Google are pushing for all websites to be served over HTTPS, and will soon start flagging them as "not secure" if served over HTTP.

Indeed, because HTTPS prevents third parties from injecting ads and tracking your browsing history.

Coincidentally, Google's business is selling ads, targeted to you based on your browsing history.
 

itfcfan

Member
Joined
7 May 2011
Messages
335
Indeed, because HTTPS prevents third parties from injecting ads and tracking your browsing history.

Coincidentally, Google's business is selling ads, targeted to you based on your browsing history.

I'm afraid you may have higher hopes for HTTPS than are warranted. HTTPS ensures the communication between the browser and the webpage cannot be hijacked (providing up-to-date ciphers are used and depending on what undisclosed capabilities certain "security" organisations have). It does not prevent ads being injected (from other HTTPS enabled hosts) or browser history being tracked (using cookies on other HTTPS enabled hosts).
 

najaB

Veteran Member
Joined
28 Aug 2011
Messages
32,318
Location
Scotland
It's a shame the Android manufacturers struggle to scrape 1 year.
That depends on which Android manufacturer you are speaking about. I recently received an OTA update for my Nexus 4 which must be pushing on close to five years old now.
 

JaJaWa

Established Member
Joined
14 Feb 2013
Messages
1,712
Location
That depends on which Android manufacturer you are speaking about. I recently received an OTA update for my Nexus 4 which must be pushing on close to five years old now.

To the latest version Android 7.1?
 

JaJaWa

Established Member
Joined
14 Feb 2013
Messages
1,712
Location
No, of course not. The hardware doesn't support it. It was a 5.1.x security update.

Apple gives you 5 years of full releases I mean (e.g. iOS 5 to iOS 10), not just security patches
 
Joined
5 Jan 2014
Messages
511
Presumably, Apple's overpriced products give them the budget to do so.

But to build upon najaB's point, apart from fixing errors and security flaws, why should a manufacturer update a product after sale? Has your washing machine had any new features added since it was installed? Did your local dealership swap your car stereo for this year's model when the car was last in for servicing? Did Coldplay email you a couple of extra tracks to go with their last album? No, I didn't think so.

There is a difference between hardware and software, I do expect software updates especially concerning security.

Most software is covered by a licence agreement; the software still belongs to the original company, and therefore the case is more akin to a rental than a purchase, in which case servicing, repairs etc. are expected to be part of the package.
 