Surprisingly, Using IE11 on Win 10 Behaves "Better" than on Win 7 & Win 8.1 on Some Sites, and Why

Discussion in 'Interesting/Unrelated' started by bphlpt, Nov 20, 2019.

  1. bphlpt


    Those of you that keep up with the shoutbox might have noticed my mentioning a problem that Dave-H over at MSFN noticed when trying to access a site ( https://www.cote.co.uk/ ) using IE11 while on either Win 7 or Win 8.1, while it loaded just fine on Win 10. My further testing found that the site loads and works just fine on Win 7 Pro x64 using all of the following browsers except as noted:

    SRWare Iron v72.0.3750.0 (64-bit)
    Firefox v70.0.1 (32-bit)
    Firefox v70.0.1 (64-bit)
    Chrome v78.0.3904.97 (64-bit)
    Opera Next v23.0.1522.28 -- No background video
    Opera v65.0.3467.42
    Slimjet v24.0.6.0 (based on Chromium 76.0.3809.87) (64-bit)
    Vivaldi v2.9.1705.41 (Stable channel) (32-bit)
    Vivaldi v2.9.1705.41 (Stable channel) (64-bit)
    SeaMonkey v2.49.1
    SeaMonkey v2.49.5 (64-bit)
    IE v11.0.9600.19230 -- Doesn't work at all

    Though Trouba suggested that it might just mean that restaurant is for discerning customers only, I thought that this was very bizarre. I figured that no restaurant would want to exclude any potential customers, even if it only excluded those still using IE11, which admittedly might not be a bad decision.

    Anyway, VistaLover, also over at MSFN, did some more testing and seems to have discovered the reason for the site's behavior. In my mind, this was a fault in the programming of the site. For the TLDNR among us,

    IE11 uses the cipher suites available in the OS's Microsoft SChannel Provider library, and Win 10 supports different TLS cipher suites and priority order than Win 7 or Win 8.1.

    So unless the "missing" cipher suites are added to Win 7 and Win 8.1, this problem will continue to occur, because lazy site programmers will continue to exist, and will probably grow in number. Of course, those of us who never use IE if at all possible, and instead use a legitimate browser, might never run into the issue, but I think it is still worth knowing about. And I think it would be a good thing if all of the TLS and PSK cipher suites that Win 10 supports could be added to Win 7 and Win 8.1, if possible. TLS Cipher Suites in Windows 7 shows how to select the order of the cipher suites that are used by IE and your OS:


    ...but I believe that is only applicable to the cipher suites that are a part of the OS, and to add any that aren't probably requires an update, like what was done with this one - https://support.microsoft.com/en-us/help/3161639. I have no idea whether it is possible to add the ones from Win 10 somehow, officially or unofficially, but it would be nice. Of course, if site programmers would just stick with Steve Gibson's cipher suite suggestions - https://www.grc.com/miscfiles/SChannel_Cipher_Suites.txt - that would also solve the problem.

    Here's VistaLover's testing results:

    =================================================================================

    https://msfn.org/board/topic/159082...-retired/page/5/?tab=comments#comment-1173213


    -----------------------------------------


    @Dave-H : A check of "https://www.cote.co.uk/" on SSL Labs Server test page

    https://www.ssllabs.com/ssltest/analyze.html?d=www.cote.co.uk

    confirms what has already been reported; just scroll down to the Handshake Simulation section:


    ... and see that IE11 only works on Win10!

    As to why, I think I have some clues:

    I couldn't help noticing how that server was configured: Only TLS 1.2 version is enabled, and only 3 cipher suites for that protocol version:


    Now, IE11 uses the cipher suites available in the OS's Microsoft SChannel Provider library; however, different Windows versions support different sets of cipher suites:

    https://docs.microsoft.com/en-us/windows/win32/secauthn/cipher-suites-in-schannel


    If one checks the available suites on Win7:

    https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-7

    one cannot find any of the three cipher suites needed for connection to the server in question...

    OTOH, checking the available cipher suites on Win10 v1903:

    https://docs.microsoft.com/en-us/windows/win32/secauthn/tls-cipher-suites-in-windows-10-v1903

    one can find the first preferred (by the server) cipher suite, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, as available, hence the TLS 1.2 handshake succeeds and the site loads in IE11/Win10!

    However, I don't have answers as to why Chrome 49/WinXP also succeeds, unless, of course, ProxyHTTPProxy is used with it...

    BTW, Chrome 49 does open the site successfully here, Vista SP2 32-bit, but I do have installed WinServer 2008 updates that enable TLS 1.2 support:



    Perhaps Chrome 49 has native support for that cipher suite and only uses the Windows Store for certificates, NOT using SChannel like IE does (I'm sorry, my Chrome related knowledge is limited, have only been a Firefox fan from the start!)...

    Cheers
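
The cipher suite negotiation described in the post above, as an added example that is not part of the original thread: the server picks the first suite in its own preference order that the client also offers, and the handshake fails when there is none. The client lists are constructed, abbreviated samples in SChannel naming style (the Microsoft pages linked above have the real lists), and only the one server suite named in the post is modelled.

```python
import re

# Constructed, abbreviated sample data in SChannel naming style; not full lists.
# The page names only the first of the server's three suites, so only it is modelled.
SERVER_PREFERENCE = ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
WIN7_OFFER = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256",
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]
WIN10_OFFER = [
    "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
]

def normalize(name):
    """Drop the _P256/_P384/_P521 curve suffix that older SChannel names carry."""
    return re.sub(r"_P(256|384|521)$", "", name)

def parse(name):
    """Split a suite name into (key exchange/auth, cipher/hash)."""
    kx, _, cipher = normalize(name)[len("TLS_"):].partition("_WITH_")
    return kx, cipher

def negotiate(server_pref, client_offer):
    """Return the first server-preferred suite the client also offers, else None."""
    offered = {normalize(s) for s in client_offer}
    return next((s for s in server_pref if normalize(s) in offered), None)

def near_misses(server_pref, client_offer):
    """Client suites that match a server suite in exactly one half."""
    out = []
    for s in server_pref:
        s_kx, s_cipher = parse(s)
        for c in client_offer:
            c_kx, c_cipher = parse(c)
            if (c_kx == s_kx) != (c_cipher == s_cipher):
                out.append((c, "key exchange" if c_kx == s_kx else "cipher"))
    return out

if __name__ == "__main__":
    for label, offer in (("Win 7", WIN7_OFFER), ("Win 10", WIN10_OFFER)):
        chosen = negotiate(SERVER_PREFERENCE, offer)
        print(label, "->", chosen or "handshake failure")
        if chosen is None:
            for suite, shared in near_misses(SERVER_PREFERENCE, offer):
                print("   shares only the", shared, "with the server:", suite)
```

The near-miss output shows why the failure is easy to overlook: the sample Win 7 offer contains both ECDHE_RSA and AES_128_GCM_SHA256, just never in the same suite.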
     
