Browser unable to access web site or security issues

If a patron indicates that they cannot access a web site or that they are getting some weird messages, the first thing to do is determine if their browser and the web site are compatible.

ALWAYS Test the TLS certificate

To Do This:

  • Go to the web site ssllabs.com/ssltest and run a test of the ticketing URL to see what is reported. Enter the URL and make sure keep the results private by not showing them on the boards.

  • Review the results as below. At this time, make sure that:
    • the site gets at least an 'A' score
    • there are no unexplainable comments
    • only TLS 1.2 and later is supported with SHA 256
    • and that the users browser is in the list of acceptable/current browsers. Anything older, will not connect

Review the results of the TLS Certificate Test

The ENTIRE document tells us something about what browsers the web site will support and how they will support those browsers. The key parts are described as follows.

Overall Score

The overall Score is near the top and may have a message or two. This looks like the image below.

Configuration Protocols

Review the protocols supported. This will change from time to time and only get stronger. As of Sept 2016, the PCI council and the browser makers (Google, Safari, Firefox, etc) are all pushing TLS. The minimum current safe browsing standards are TLS 1.1 or TLS 1.2. Anything lower means your web site is vulnerable to some web attack. TM Server is designed to only allow TLS 1.2 at this time - because of PCI.

Please ensure that only TLS 1.2 is enabled.

Review the browsers supported

A little further down the report is a complete list of many different browsers. The list includes many older ones and all the current versions and tells you:

  • Which browsers cannot connect. eg IE 6, 7, 8, 10 & Safari on OSX 10.8.x and earlier cannot use the web site - simply because the browsers do not support the minimum secure protocol as recommended by PCI.
  • For those browsers that connect, it tells you with protocol and (TLS 1.2) and level of encryption (RSA 2048/SHA 256) with ECDHE (Elliptic Curve Diffie-Hellman Exchange) protocol for negotiating the key exchange between the web site and browser (very secure).

Microsoft IE 11 unable to access Web Site

If you or some of your patrons are unable to connect to a web site supporting the latest security with IE 11 on windows 7 or later, there is an easy fix, as documented in the Microsoft Technote 2851628

 

In general, IE 11 cannot distinguish the various security methods automatically like other browsers and need to be told to ignore SSL 2.0:
  • Microsoft indicates this is an issue if both SSL 2.0 and TLS 1.2 are enabled as security options in IE 11
  • The solution, they say, is to disable SSL 2.0 (which is normally disabled by default and is no longer supported by any commerce web site

If your customers ask, this may be their problem.