Page MenuHomePhabricator

Xbox 360 Internet Explorer unable to view Wikipedia
Closed, ResolvedPublic

Description

I've received reports from Microsoft that users are unable to reach Wikipedia in IE on the Xbox 360 console.

They're able to confirm that http://en.Wikipedia.org/ redirects, and that going straight to HTTPS errors out. I suspect the Xbox 360s older OS has compatibility problems with our certs as some old Windows versions do.

Do we need a user agent exception?

Event Timeline

brion created this task.Jul 10 2015, 8:38 AM
brion raised the priority of this task from to Needs Triage.
brion updated the task description. (Show Details)
brion added a subscriber: brion.
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 10 2015, 8:38 AM
BBlack added a subscriber: BBlack.Jul 10 2015, 1:22 PM

We don't do User-Agent exceptions. I'll have to do some digging to figure out what this browser's capabilities are and why it can't connect to us over HTTPS (I don't own one). If it's a question of missing a standard cipher, we may be able to address that. My fear is that the Xbox 360's IE may be equivalent to IE6 on WinXP, which is also broken with us due to only supporting SSLv3 (and thus POODLE).

Finding any technical data on IE-for-XBox-360 is pretty maddeningly difficult in google search results or on microsoft's own site, actually. What little I've been able to gather indicates that it's some variant IE9. In theory that means it shouldn't be subject to the same problems as IE6/XP.

However, I still can't find any hard data on this, or any user reports of the failure either. Can you get whoever sent "reports from Microsoft" to give more technical details or links as to what the HTTPS compatibility issue is here?

brion added a comment.Jul 10 2015, 1:57 PM

OK passed it on and have them the link for this bug report. Hopefully we'll get some more details; worst case we just have to give it up with IE6.

BBlack added a subscriber: mark.Jul 10 2015, 3:24 PM

Ok after some debugging with @mark (who has an xbox 360!), we've found what the incompatibility is. It's the same incompatibility that breaks ancient Java6 with us now: The Xbox360's IE9 supports DHE-based ciphersuites, but is incompatible with DH parameters greater than 1024-bit prime size, and we're using a 2048-bit prime parameter. Unfortunately, to give Forward Secrecy to other clients (and a lot of them are other Microsoft clients), we have to keep those DHE suites high on our preference list.

The best recourse on Microsoft's end of things would be upgrade the TLS library, if possible, to support 2048 (or even greater) -bit DH parameters for DHE ciphers.

Tnegrin set Security to None.Jul 10 2015, 10:05 PM
Tnegrin added a subscriber: Tnegrin.
Chmarkine added a comment.EditedJul 11 2015, 12:04 PM

Ok after some debugging with @mark (who has an xbox 360!), we've found what the incompatibility is. It's the same incompatibility that breaks ancient Java6 with us now: The Xbox360's IE9 supports DHE-based ciphersuites, but is incompatible with DH parameters greater than 1024-bit prime size, and we're using a 2048-bit prime parameter. Unfortunately, to give Forward Secrecy to other clients (and a lot of them are other Microsoft clients), we have to keep those DHE suites high on our preference list.
The best recourse on Microsoft's end of things would be upgrade the TLS library, if possible, to support 2048 (or even greater) -bit DH parameters for DHE ciphers.

Does Xbox 360 support ECDHE? If so, then it's different from the Java 6 case. We now prefer DHE-AEAD over ECDHE-CBC. This means those clients that support both ECDHE and DHE < 1024-bit are broken. So for this, and for performance reasons, I strongly suggest that we rank all DHE cipher suites lower than all ECDHE cipher suites (that is all ECDHE > all DHE > all RSA), whose only drawback is that IE 11 on Windows 7, 8.1 and Windows Phone 8.1 will lack AEAD.

Change 224232 had a related patch set uploaded (by Chmarkine):
Rank all ECDHE > all DHE > all RSA

https://gerrit.wikimedia.org/r/224232

BBlack added a subscriber: faidon.Jul 11 2015, 7:58 PM

Does Xbox 360 support ECDHE?

I don't think it did, but I've lost the chatlog that had the info on the client's cipher list. @faidon might still have it on his screen somewhere. But, IIRC, it was a very very short list (something like 4-5 cipher options total, including ancient stuff), and I don't think it had ECDHE.

So for this, and for performance reasons, I strongly suggest that we rank all DHE cipher suites lower than all ECDHE cipher suites (that is all ECDHE > all DHE > all RSA), whose only drawback is that IE 11 on Windows 7, 8.1 and Windows Phone 8.1 will lack AEAD.

I think the performance reason will mostly go away once the ECDSA key is deployed. Most of the statistically-significant DHE load right now is from IE11, which should flip to ECDHE-ECDSA at that point. But I still think I like the patch overall once we're past that, if it restores functionality to some otherwise-broken clients with ECDHE + <1024-DHE (possibly, at least old Java6).

Does Xbox 360 support ECDHE?

I don't think it did, but I've lost the chatlog that had the info on the client's cipher list. @faidon might still have it on his screen somewhere. But, IIRC, it was a very very short list (something like 4-5 cipher options total, including ancient stuff), and I don't think it had ECDHE.

It was:
TLS_RSA_WITH_AES_128_CBC_SHA (0x002f)
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x0033)
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0x000a)
TLS_RSA_WITH_RC4_128_SHA (0x0005)
TLS_RSA_WITH_RC4_128_MD5 (0x0004)
…in this order. The negotiation at the time resulted in TLS_DHE_RSA_WITH_AES_128_CBC_SHA being picked.

faidon triaged this task as Normal priority.Jul 12 2015, 1:21 AM
faidon edited projects, added acl*sre-team; removed Patch-For-Review.

Change 224232 merged by BBlack:
Rank all ECDHE > all DHE for "mid" level suites

https://gerrit.wikimedia.org/r/224232

brion added a comment.Jul 13 2015, 4:26 PM

Ok, MS contacts are telling me they are in fact working on an increase in bit length for the DHE which should resolve this on their end, but it will be a few weeks before the update goes out.

BBlack edited projects, added Traffic; removed HTTPS-by-default.Aug 7 2015, 4:07 PM
Dzahn added a subscriber: Dzahn.Aug 20 2015, 1:14 AM

Did Microsoft make a change yet?

I think the target was September...

Did Microsoft fix this issue yet?

brion added a comment.Oct 1 2015, 8:13 PM

Haven't heard anything from them, but when I get home this weekend I'll dust off my 360 and see if there's a relevant system update yet.

Are there any updates now?

Dzahn moved this task from Backlog to Blocked on External on the HTTPS board.Dec 3 2015, 7:23 PM
Dzahn added a comment.Dec 3 2015, 7:28 PM

friendly bump

Anyone have one to test on?

I have an xbox 360, I will be near one on the weekend then I will have to search for where I put it. :).

Testing using the developer tools on internet explorer I set the user agent string to xbox 360 internet explorer and Wikipedia loads fine for me in there.

@Paladox did you test it with an actual xbox 360? Or did you just spoof the UA on a Windows system?

@Paladox did you test it with an actual xbox 360? Or did you just spoof the UA on a Windows system?

I spoof on windows system. since in the f12 tools it had the xbox 360 user agent.

This kind of testing needs the real thing unfortunately. The UA string doesn't have much impact here.

Dzahn added a comment.Sep 16 2016, 1:10 AM

15:54 < mutante> anyone own an xbox 360 here? we'd still like a confirmation if Wikipedia can be viewed from that browser
16:00 < MaxSem> mutante, firing up the one in the office
16:01 < mutante> "They're able to confirm that http://en.Wikipedia.org/ redirects, and that going straight to HTTPS errors out."
16:01 < mutante> we are hoping that has been fixed meanwhile
16:34 < MaxSem> mutante, it works. thanks to bearloga for helping

Dzahn closed this task as Resolved.Sep 16 2016, 1:10 AM
Dzahn claimed this task.