
alex_free (macrumors 65816, Original poster, Feb 24, 2020)
TLS apocalypse is upon us in Mac OS 9 land.

Something I realized the other day, why not just remove TLS/SSL enforcement entirely?

TLS/SSL is how websites encrypt data, and the reason older browsers such as Netscape and Classilla cannot connect to most websites nowadays is because they only support old encryption standards. For example, Classilla supports only up to TLS 1.0 (a 2003 standard).

Something I think many people may not know is (at least I didn’t know until the other day), SSL/TLS prevents connections via the client. What this means is, all websites can actually be connected to via HTTP only, without any TLS/SSL. The web browser code can either give the option of http (most command line browsers allow this), or more likely, present an error saying no secured connection can be obtained (like almost all other web browsers do). The other day I was using http://wikipedia.com via a command line web browser, which does not enforce SSL/TLS. If you don’t have the TLS security requirement necessary, then most command line web browsers still allow you to access the website via HTTP.

I have no idea how trivial this would be to implement, but what if Classilla’s source was modified and recompiled to change one aspect: on an SSL/TLS connection that is above TLS 1.0, just drop back to http without an error.

Command line web browsers are able to do this, but of course they use their own web rendering engines and libraries. I do think this is possible in other engines, but I have been unable to even compile Classilla as is. No offense to the author, but the building documentation is confusing and hard to understand. If anyone has built Classilla, let me know how you made sense of that document.

If you’re wondering why someone doesn’t implement newer TLS versions (Classilla is 3 versions behind), it’s because it would be very hard to backport something like this to OS 9. I think this is the best solution, and I’d like to hear anyone’s thoughts on this proposal. I’ve successfully gotten TLS 1.3 support via OpenSSL 1.1.1f (v1.1.1 first introduced TLS 1.3 support, shoutout to the OpenSSL devs for keeping their program so portable!) & up to date certs on my 2 apps which support Mac OS X 10.3.9-10.6.8, but AFAIK I’m the only person to do so on Panther. The TenFourFox dev just recently got TLS 1.3 support into TenFourFox.

Of course I could be wrong, but from my understanding if SSL/TLS enforcement was removed this would work.
 
You may be interested in roytam's work. He has Classilla/Phoenix partially updated with TLS 1.2.
Possible to rebuild it for os9? I don't know, but the code is there.

Cheers

I’ve heard about this! The TLS 1.2 supporting library for Mac OS 9 built using that retro68k toolchain (which I really need to get but can’t bring myself to have my Mac mini compile the MacPorts gcc for 2 days).

I think that for the foreseeable future removing the TLS requirement is the ideal option however. Realistically, how many versions of TLS will be backported to OS 9? TLS 1.3 is a 2018 standard, and still isn’t available on OS 9 in any way. I say screw it, just allow http connections if the protocol isn’t supported.

I’ll check out your link, thanks for contributing to the discussion.
 
but can’t bring myself to have my Mac mini compile the Mac Ports gcc for 2 days

I have had luck speeding up builds using distributed compilation on my PowerPCs via Xcode’s distcc and on PowerPC Linux using distcc directly - see How To: https://askubuntu.com/questions/107008/how-to-speed-up-compilation-of-ubuntu-apps-make-cmake-gcc

In my cocoa app builds I’ve had 3x Dual G5s network compiling for my PowerBook G4 which speeds up what would be something like a 20 minute build into just a minute or two.
 
A lot of sites will always redirect you to the TLS version regardless of what your browser wants. You can try this yourself with netcat by making plaintext connections over port 80 to websites and manually sending HTTP GET requests so you can watch the answers. A good portion of them will send you a 301 redirect to the TLS site. A server using HTTP Strict Transport Security will also not allow you to make plaintext HTTP connections.
 
A lot of sites will always redirect you to the TLS version regardless of what your browser wants. You can try this yourself with netcat by making plaintext connections over port 80 to websites and manually sending HTTP GET requests so you can watch the answers. A good portion of them will send you a 301 redirect to the TLS site. A server using HTTP Strict Transport Security will also not allow you to make plaintext HTTP connections.

Thanks, I figured it wasn’t so simple. Seems Wikipedia is an exception.
 
Thanks, I figured it wasn’t so simple. Seems Wikipedia is an exception.

Actually Wikipedia does always give you the TLS version because it has HSTS enabled. My guess is that your command line browser was just silently redirected to TLS anyway.
 
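As an added illustration of the two points above (the netcat probe of port 80, and why an HSTS-aware client never shows you the plaintext page), here is example code that is not from anyone in this thread and not from Classilla or any other project mentioned. It builds the same HTTP/1.0 GET you would type into netcat, classifies the port-80 answer (301/302 to https:// versus a real plaintext 200), and implements the client side of RFC 6797 HSTS: a host is pinned only when the header arrives over a validated TLS connection, includeSubDomains is honoured, max-age=0 forgets the host, and later http:// URLs for a pinned host are rewritten to https:// before any socket is opened. The two sample responses are constructed by hand (not real captures) and example.org / wikipedia.org are used only as illustrative hostnames.

```python
"""Plaintext-HTTP probe and HSTS client logic for the port-80 experiment above."""
import socket
from urllib.parse import urlsplit


def build_request(host, path="/"):
    """The bytes you would paste into `nc <host> 80`. HTTP/1.0 + Connection: close
    so the server ends the response by closing the socket."""
    return ("GET {} HTTP/1.0\r\nHost: {}\r\nUser-Agent: plaintext-probe\r\n"
            "Connection: close\r\n\r\n".format(path, host)).encode("ascii")


def parse_response(raw):
    """Split a raw HTTP response into (status code, {lower-cased header: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def classify(raw):
    """What the port-80 answer tells you: 'redirect-to-https', 'plaintext-ok' or 'other'."""
    status, headers = parse_response(raw)
    location = headers.get("location", "")
    if status in (301, 302, 307, 308) and location.lower().startswith("https://"):
        return "redirect-to-https"
    if status == 200:
        return "plaintext-ok"
    return "other"


class HstsCache:
    """Minimal RFC 6797 client state: host -> includeSubDomains flag."""

    def __init__(self):
        self.hosts = {}

    def learn(self, host, header, over_tls):
        """Record a Strict-Transport-Security header; returns True if the host is now pinned.
        RFC 6797 section 8.1: the header only counts when received over a TLS connection
        whose certificate validated, so a plaintext 200 can never pin a host."""
        if not over_tls or header is None:
            return False
        max_age, include_sub = None, False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False
        host = host.lower()
        if max_age == 0:          # max-age=0 tells the client to forget the host
            self.hosts.pop(host, None)
            return False
        self.hosts[host] = include_sub
        return True

    def is_pinned(self, host):
        host = host.lower()
        if host in self.hosts:
            return True
        labels = host.split(".")
        # A parent domain pins us only if it was recorded with includeSubDomains.
        return any(self.hosts.get(".".join(labels[i:])) for i in range(1, len(labels)))

    def rewrite(self, url):
        """Upgrade an http:// URL to https:// before connecting, as a conforming client does."""
        u = urlsplit(url)
        if u.scheme != "http" or not self.is_pinned(u.hostname or ""):
            return url
        netloc = u.hostname if u.port in (None, 80) else "{}:{}".format(u.hostname, u.port)
        return u._replace(scheme="https", netloc=netloc).geturl()


# Constructed sample answers (not real captures) in the two shapes the thread describes.
SAMPLE_REDIRECT = (b"HTTP/1.1 301 Moved Permanently\r\n"
                   b"Location: https://www.example.org/\r\n"
                   b"Content-Length: 0\r\n\r\n")
SAMPLE_PLAIN = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
                b"Content-Length: 13\r\n\r\n<p>hello</p>\n")


def probe(host, timeout=5.0):
    """Live version of the netcat experiment (needs network; the samples above do not)."""
    with socket.create_connection((host, 80), timeout=timeout) as s:
        s.sendall(build_request(host))
        raw = b""
        while chunk := s.recv(4096):
            raw += chunk
    return classify(raw)


if __name__ == "__main__":
    print("sample redirect:", classify(SAMPLE_REDIRECT))
    print("sample plaintext:", classify(SAMPLE_PLAIN))
```

Two things this makes concrete. First, the only party that refuses a plaintext connection is the client: a server can answer port 80 with a 301, but nothing stops a client that ignores the Location header from reading whatever body came with it, and a server that serves content on port 80 is exposed to anyone on the path who can read or rewrite it. Second, a browser that honours HSTS (or ships the host in its preload list) rewrites the URL to https:// before the first packet leaves, which is why a browser with HSTS state will never show you Wikipedia over plaintext even though port 80 answers. Note that a client which does make the TLS connection but skips certificate validation, as links2 can be told to do when it has no CA store, gets no more protection against an on-path attacker than plaintext would.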
A lot of sites will always redirect you to the TLS version regardless of what your browser wants. You can try this yourself with netcat by making plaintext connections over port 80 to websites and manually sending HTTP GET requests so you can watch the answers. A good portion of them will send you a 301 redirect to the TLS site. A server using HTTP Strict Transport Security will also not allow you to make plaintext HTTP connections.

I can confirm this behavior. In every site I’ve built professionally in the past 19 years where an SSL cert had been purchased, a hard coded 301 redirect to https:// was enforced.

I’ve never had a client buy an SSL cert and then ask me to allow http:// connections on request to allow non-secure access for older (ancient) browsers.

For most sites, it would be very easy to provide both http:// and https:// connections. It just isn’t common practice unless backward compatibility is more important than securing private [submitted] data.
 
Actually Wikipedia does always give you the TLS version because it has HSTS enabled. My guess is that your command line browser was just silently redirected to TLS anyway.

The command line web browser had no certificates enabled at the time. I was compiling links2 and had no certificates added yet. Links2 also prompts you on certificate errors by default to ignore them and continue anyway. I can post screenshots of http://wikipedia.org connected and working.
 
TLS apocalypse is upon us in Mac OS 9 land.

YEA YES, please do this! I still have OS 9 and want to browse the web again. https should only be for info that is sensitive in nature; Wikipedia is not, CNN is not, etc.
I think that for the foreseeable future removing the TLS requirement is the ideal option however. Realistically, how many versions of TLS will be backported to OS 9? TLS 1.3 is a 2018 standard, and still isn’t available on OS 9 in any way. I say screw it, just allow http connections if the protocol isn’t supported.

NO!! TLS 1.3 needs to be added to use OS 9 for normal web browsing, but for banking and CC sites we need security for those.
This conversation is intriguing! TLS support on Mac OS 9 would be super neat. But, as an inexperienced programmer, I do have one question though...

Does Mac OS 9 not have SSL/TLS support built into something like Open Transport? I figured that would make sense, because what would Sherlock 2 have used then, but I haven't found any documentation saying that it's true.
 
Does Mac OS 9 not have SSL/TLS support built into something like Open Transport? I figured that would make sense, because what would Sherlock 2 have used then, but I haven't found any documentation saying that it's true.
If Open Transport provides any SSL it is a very ancient version, essentially useless to the modern web. Pretty sure it predates TLS as well. External libraries need to be compiled that provide modern TLS/SSL for programs to be linked against.
 
If Open Transport provides any SSL it is a very ancient version, essentially useless to the modern web. Pretty sure it predates TLS as well. External libraries need to be compiled that provide modern TLS/SSL for programs to be linked against.
Yeah, if any SSL/TLS was built in, it would probably be TLS 1.0 max. What I was thinking was that maybe said TLS libraries could be implemented as an extension, since I had read that Open Transport is extendable with additional protocols. That way, older applications might be able to connect securely (they'd probably still be useless because rendering, but it would make a good demonstration), and getting TLS 1.3 wouldn't require it to be bundled with every single program.
 
If Open Transport provides any SSL it is a very ancient version, essentially useless to the modern web. Pretty sure it predates TLS as well. External libraries need to be compiled that provide modern TLS/SSL for programs to be linked against.
Well, Kaiser stated Crypto Ancienne.
 
I think there are ways around this. Crypto Ancienne anyone?
I think that's a good idea in itself, but I much prefer native modern libraries which come with all the good security advancements. There is a TLS 1.2 capable library for Mac OS 9 but it just has not been used in popular projects.

If that was modded to work with classilla (with updated certificates), almost every website would at least load as of 2021...
 
I think that's a good idea in itself, but I much prefer native modern libraries which come with all the good security advancements. There is a TLS 1.2 capable library for Mac OS 9 but it just has not been used in popular projects.
The question is, can this be implemented and installed? Where in OS 9 would this be installed? I am speaking about the TLS 1.2 capable library.
 
The question is, can this be implemented and installed? Where in OS 9 would this be installed? I am speaking about the TLS 1.2 capable library.
I really can not remember if this was implemented on Mac OS 9 even as a proof of concept, @wicknix do you remember if this that you linked me over a year ago was implemented on Mac OS 9?

My theory anyway, if it was not implemented on Mac OS 9, is that it should actually be pretty straightforward if my assumptions are correct about how it works. If it is a total 100% C89 implementation of TLS 1.2, it should compile with just a few changes if any. The stated use cases are already very similar, ancient Windows vs ancient Mac OS, and if no specialty Windows code enables this TLS 1.2 functionality and it’s just a straight up C89 library then things could really happen with this.
 
I asked here, and I learned that every program probably came with its own SSL/TLS implementation, so I guess extending OpenTransport wouldn't be very helpful. That crosses out that option, I guess.
 
I tried this and it did not work. Plus I think you need a separate machine to act as server and use Classilla to log into it.
 
No idea. Sorry. I don't have anything old enough to run OS 9 (other than the hacked OS9Lives version for the Mac mini that is super buggy). I don't even emulate it. Not a fan of anything older than 10.4 (and I don't even like 10.4 either). 10.5 - 10.7 is my happy place. ;)

Cheers
Sure you do. I can donate a Titanium to you if you want?
 
best option is likely the squid rewriter here:


(running on another system, obviously)
 