TfL change to website security prevents older smart phones accessing their website

[najaB]

Apple gives you 5 years of full releases I mean (e.g. iOS 5 to iOS 10), not just security patches

They won't be able to if/when there are major hardware requirement changes.

 

[najaB]

Most software is covered by a Licence agreement the software still belongs to the original company and therefore the case is more akin to a rental than a purchase in which case servicing, repairs etc. are expected to be part of the package .

For a set period, yes. However there comes a point where technology has moved on and devoting resources to support a smaller and smaller installed base is counterproductive.

Or do you think Microsoft should still be providing updates for Windows 95?

 

[Sacro]

No, of course not. The hardware doesn't support it. It was a 5.1.x security update.

Yes it does, there's at least 10 7.1 based ROMs on XDA. This is purely down to Google abandoning official support for it.

 

[najaB]

Yes it does, there's at least 10 7.1 based ROMs on XDA. This is purely down to Google abandoning official support for it.

The question of Android compatibility is always an interesting one due to its FOSS nature.

Unpatched, native Android 7.x won't run on the Nexus 4 as there isn't a system driver for the chipset. You can take the 7.0 code and rewrite parts of it to make it work on older hardware. However, my personal experience has been that these ROMs are less stable than official sources so I don't use them.

So, yes, I should have written 'The hardware isn't officially supported'.

 

[infobleep]

Presumably, Apple's overpriced products give them the budget to do so.

But to build upon najaB's point, apart from fixing errors and security flaws, why should a manufacturer update a product after sale? Has your washing machine had any new features added since it was installed? Did your local dealership swap your car stereo for this year's model when the car was last in for servicing? Did Coldplay email you a couple of extra tracks to go with their last album? No, I didn't think so.

Some beads do give away free tracks or even preview tracks if you buy online in advance.

The whole point with digital is that you can update it and improve it.

If you own a Window computer, do you think Microsoft should provide security updates for Windows or should you buy a fresh copy of Windows every month?

Microsoft still supporting Windows 7.

 

[infobleep]

They won't be able to if/when there are major hardware requirement changes.

They can, unless they radically change the architecture. Its just that the new features won't work.

NY radical I mean switch changes from classic Mac OS to Initial chips.

 

[infobleep]

For a set period, yes. However there comes a point where technology has moved on and devoting resources to support a smaller and smaller installed base is counterproductive.

Or do you think Microsoft should still be providing updates for Windows 95?

They only ended support for Window XP in 2015. They are still supporting Windows 7. Those are more than 5 years old.

 

[najaB]

Microsoft still supporting Windows 7.

But not 3.0, 3.11, 95, 98, Me, etc. There comes a point where the installed base is so small and the hardware so old that there is simply no commercial reason to support it any more.

It costs *MONEY* to support old hardware/software. Why should a company spend it's resources supporting users who happened to spend a little bit of money years ago?

(By the way, Windows 7 goes End of Life in 2020, Vista has just over a month to go).

 

[najaB]

They only ended support for Window XP in 2015. They are still supporting Windows 7. Those are more than 5 years old.

Microsoft has their own release schedule. They support OSs for longer than Apple supports iPhones because they release new OSs much less frequently.

 

[rebmcr]

HTTPS [...] does not prevent ads being injected (from other HTTPS enabled hosts)

Yes it does. "HTTPS enabled" doesn't mean it gets access to a common pool; every connection is encrypted end-to-end and the transmitted page arrives in exactly the same condition as it left.

Those pages could include ads, but your ISP (for example BT) would not be able to inject extra ones en route.

 

[sk688]

Apple gives you 5 years of full releases I mean (e.g. iOS 5 to iOS 10), not just security patches

But by the second of third update they tend to slow down quite a bit, and miss out quite a few features

Look at iphone 4 on ios 7, 4s ios 8 and 9

My huawei p8 may stay on marshmallow and not get android nougat, but it will get security updates and won't slow down either

I fact I was worried that ios 10 would slow down my 5s, so I have kept it on ios 9.3.5 ( among other reasons, such as ios 10 being a buggy, ugly mess, compared to 9)

 

[itfcfan]

Yes it does. "HTTPS enabled" doesn't mean it gets access to a common pool; every connection is encrypted end-to-end and the transmitted page arrives in exactly the same condition as it left.

Those pages could include ads, but your ISP (for example BT) would not be able to inject extra ones en route.

I think we're talking at cross purposes. I'm considering all the 3rd party JS that most sites (mid-sized and large) add to their pages. Each of those 3rd party snippets can then inject their own scripts to show ads and/or track users as desired. These range from relatively "responsible" (i.e. GTM - Google Tag Manager) to the kind you might find on less salubrious websites! To be clear these third parties operate with the authorisation of the website owner (unless the site or 3rd party script has been hacked) but are often not desired by the users.

 

[rebmcr]

I think we're talking at cross purposes. I'm considering all the 3rd party JS that most sites (mid-sized and large) add to their pages. Each of those 3rd party snippets can then inject their own scripts to show ads and/or track users as desired. These range from relatively "responsible" (i.e. GTM - Google Tag Manager) to the kind you might find on less salubrious websites! To be clear these third parties operate with the authorisation of the website owner (unless the site or 3rd party script has been hacked) but are often not desired by the users.

Agreed, but injection is the wrong word for this, and only confuses matters.

 

[Via Bank]

They only ended support for Window XP in 2015. They are still supporting Windows 7. Those are more than 5 years old.

And frankly, people like me who work in the industry would rather they abandoned support for these outdated, slow, and insecure relics sooner rather than later.

Trying to support older operating systems is a genuine pain in the neck, as anyone who can recall the horrors of IE6, or has tried to make a relatively complex website render nicely on any Android below 4.4, will attest.

 

[infobleep]

And frankly, people like me who work in the industry would rather they abandoned support for these outdated, slow, and insecure relics sooner rather than later.

Trying to support older operating systems is a genuine pain in the neck, as anyone who can recall the horrors of IE6, or has tried to make a relatively complex website render nicely on any Android below 4.4, will attest.

I agree. I doubt some people higher up in larger orgnsiations would.

 

[Comstock]

For a set period, yes. However there comes a point where technology has moved on and devoting resources to support a smaller and smaller installed base is counterproductive.

Or do you think Microsoft should still be providing updates for Windows 95?

No.

The question is where do you draw the line.

I may have missed something but I think this will affect the relatively recent Galaxy S3. A phone not yet five years old, that was far from cheap to buy new. Some people may have brought them new as recently as 2014.

 

[najaB]

The question is where do you draw the line.

I agree. However, rather than looking at it in years, look at it in product generations. Windows Vista (which goes EOL this year) is four generations old, same as the Galaxy S3 so it's actually comparable.

 

[Comstock]

I agree. However, rather than looking at it in years, look at it in product generations. Windows Vista (which goes EOL this year) is four generations old, same as the Galaxy S3 so it's actually comparable.

I'm not sure you can do that. Windows generations have longer lifespans.

Arguably at least part of the problem lies with Samsung and Android and their short life cycle.

Hopefully as smartphones mature as a technology the life spans will become longer..

 

[jon0844]

Apple gives you 5 years of full releases I mean (e.g. iOS 5 to iOS 10), not just security patches

The comparison isn't quite that simple. Google separates a lot of core functions from the OS itself, so even old devices many years old will be having the Play Services updated, browser updates, keyboard updates and all other core apps.

Google does make manufacturers support for 2 years but it can't force them so the best solution is to pick your device carefully. It's only really the old Nexus and current Pixel phones that are assured timely updates, Apple style.

 

[rebmcr]

The question is where do you draw the line.

I may have missed something but I think this will affect the relatively recent Galaxy S3. A phone not yet five years old, that was far from cheap to buy new. Some people may have brought them new as recently as 2014.

The bigger question is why does Android from 2013 not support a version of TLS from 2008?

thelem hit the nail on the head here. TLS 1.0 has been on death row for a LONG time already, and has already had more than the reprieve called for in this thread.

 

[najaB]

Arguably at least part of the problem lies with Samsung and Android and their short life cycle.

That is, actually, the exact point I'm making. Microsoft supports OS releases for longer (in real time terms) because they are less frequent.

 

[Old Yard Dog]

They only ended support for Window XP in 2015. They are still supporting Windows 7. Those are more than 5 years old.

I refused a free upgrade from Windows 7 to Windows 10 because my copy of Office 2007, which I am perfectly happy with and costs me nothing, would probably not work on Windows 10. I would then have to pay an annual fee for the latest version.

 

[Old Yard Dog]

What smartphone are you using, and what operating system is it running?

Samsung Galaxy Ace 2 & Android 4.1.2. I was given it as a Christmas present in December 2012 and expect it to have a useful shelf life rather longer than 4 and a bit years.

You're not seriously suggesting you should be able to view your journey history and account details using a non-secure site?

Of course not. But TfL make you use their secure site https://tfl.gov.uk to access their journey planner even though you don't need to login. I would have thought that a secure site is only needed for e.g. people wanting to manage their Oyster cards.

 

[najaB]

I refused a free upgrade from Windows 7 to Windows 10 because my copy of Office 2007, which I am perfectly happy with and costs me nothing, would probably not work on Windows 10.

Microsoft says otherwise.

 

[najaB]

I would have thought that a secure site is only needed for e.g. people wanting to manage their Oyster cards.

As noted above, there is considerable support for the depreciation of HTTP and using HTTPS by default instead.

 

[Doctor Fegg]

Agreed, but injection is the wrong word for this, and only confuses matters.

Yes. When I wrote of third-party injection I meant the third party to a client/server connection (e.g. an ISP), rather than external scripts willingly added to the content by the server's administrators.

 

[AY1975]

I had that problem when I was in London three weeks ago. When I tried to access the TfL site on my HTC Android phone, it said web page not available. I just presumed that the site was down. I've just tried again, and it still doesn't work if I use the ordinary web browser on my phone, but it does work in Chrome - worth trying if you also have Chrome on your phone.

I've also found that I occasionally get a less user-friendly version of some other websites if I haven't downloaded all the latest system updates. Again I have this problem if I use the ordinary browser, but not when I use Chrome.

 

[Olaf]

Tfl seem to have "upgraded" their website cryptography (to TLS 1.2 and 1.3) so people with older smart phones can no longer access it. I've been on the phone to O2for hours and it took me and their gurus that long to work out what the root cause of the problem probably was.

This means that passengers with older phones can't get travel information when they are on the move (or not as the case may be). I'm not even sure why their website needs to be https and not http.

(I could of course be completely wrong about this, so please correct me if I am)

Old smart phones have been at risk for a long time - particularly Android handsets. If you have anything prior to Android 6 you are recommended to just throw it away.

 

[najaB]

If you have anything prior to Android 6 you are recommended to just throw it away.

Interesting, I hadn't heard that. Any chance of a link?

 

[Ambient Sheep]

But to build upon najaB's point, apart from fixing errors and security flaws, why should a manufacturer update a product after sale? Has your washing machine had any new features added since it was installed? Did your local dealership swap your car stereo for this year's model when the car was last in for servicing? Did Coldplay email you a couple of extra tracks to go with their last album? No, I didn't think so.

The difference is, my washing machine doesn't suddenly stop washing certain types or brands of clothes that it used to do before. My car stereo doesn't suddenly stop playing half the cassettes and/or CDs that it used to. It's not a great analogy.