I now know why I'm having trouble getting on the Escapees website. The “executive summary” is that the version of the Safari browser I’m using is not designed to support the encryption standards supported by the Escapees web server.
If anyone’s interested in the gory details continue reading.
I’m the sort of person that likes to understand the root cause of a problem rather than just bypass it somehow and get on with things. So I spent some time troubleshooting and understanding why I’m having this problem getting my Safari browser to connect to the Escapees website.
Starting with “first principles”:
The ONLY website I am having a problem with is Escapees.
Escapees has recently “overhauled” their website.
Before this overhaul I had no problems getting on the Escapees website.
Ergo, some change to the website left it incompatible with OSX/Safari. This actually was the right conclusion - but, what exactly was it that changed that caused the incompatibility, what is it about the Safari browser I’m using that is incompatible with this single website, and why are some others on this forum reporting that they are still able to use OSX/Safari without problems? Another member of the forum reported privately to me that she is using the same versions of OSX and Safari I’m using and has the same problem I'm having. This gave me some confidence that it wasn’t just some software or hardware “defect” with my particular system.
I discovered that the new website redirects all connections to be secure (i.e., https, encrypted). Prior to the overhaul I always communicated with the website using http. I've since learned that quite a few websites are now doing this (e.g., Wikipedia).
Use of https involves the use of “certificates” and certificates are known to cause problems if they aren’t properly dated, installed, approved, validated, etc.
So I spent quite a bit of time researching if my computer might have a problem with the certificate used by the website. This led to a discussion on the Apple Support Community forum where Linc had me try several experiments and possible fixes. The good news was I learned some new things about my computer and networking – the bad news is we were unable to solve the problem. In the end he advised I either upgrade my OS and Safari or use Firefox in place of Safari. He concluded that my version of Safari could not support this website and I can’t upgrade Safari unless I first update my OS to the latest version. I’m reluctant to upgrade my OS because there are still quite a few folks complaining about problems with the newest OS and I’d rather not do the upgrade and then find out I’ve fixed this problem in exchange for a few new ones.
At this point I was still thinking it had something to do with the certificates. I found a way to determine what company issued/signed the Escapees certificate and also look at the content of the certificate. There are several companies that provide this service – the Escapees certificate was provided by “Go Daddy”. I called the 24/7 support line at Go Daddy and explained the problem I was having. The help-line tech tried to get onto the Escapees website and had no problem. Then he tried it with his own personal Mac computer (rather than the company's computer) and experienced the same exact problem I was having. He then tried it on a co-worker’s non-company-owned computer and again had the same problem. He was quite surprised but had no explanation other than there might be some problem with the way the certificate was installed or configured on the host server. He said this is a problem that would have to be addressed by the Escapees' server administration techs.
I felt like I’d gone full circle and aside from learning a few things hadn’t made any progress in actually understanding or resolving the problem.
Earlier the Escapees website administrator reported: The problem is that in order to meet PCI compliance, the computer the store runs on cannot allow connections by SSL or TLS 1.0. PCI is an internet standard and the change appears to be fairly recent because we have not had this problem in the past.
Browsers that connect by using SSL or TLS 1.0 will be rejected. This has affected mostly Safari users but any browser not configured to connect using TLS 1.1 or 1.2 will not be able to connect.
Due to having to be PCI compliant, there is no workaround. The end user must be using a browser that is compatible. It is not a problem we can "fix" on our end other than moving the store to another computer. Even then the store computer would still have to be PCI compliant.
While I didn’t doubt what he was saying it just seemed extremely unlikely that my bank, credit card companies, brokerage, and the several other websites I frequent wouldn’t have also made this change, and rendered my browser incompatible. If indeed the PCI DSS (Payment Card Industry Data Security Standard) was mandating this, why wouldn't ANY of these other companies have made the change? PCI makes these mandates to avoid known security issues and I assumed those other companies would be at least as interested in providing the latest in security as is the Escapees store – those big companies each have an "army" of IT folks and they have a lot more to lose!
I decided to try to understand more about PCI and the relevant encryption standards. That’s a science in itself. Here’s a very brief summary of what I “think I know”. “In the beginning” secure internet communications used a protocol/technique called “SSL” (Secure Sockets Layer). It is a standard way of encrypting the communication messages between the user’s computer (client) and the website's computer (server). The techniques used involve data “keys” - sort of like a pseudo random number that is used by an algorithm to convert open data messages into encrypted data messages. As computers became more powerful, and the security threats evolved, SSL was forced to evolve to make these encrypted messages more difficult to “crack”. The original SSL has evolved to TLS (Transport Layer Security) over time through the following versions: SSL 1.0, SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2.
TLS 1.0 was introduced in 1999 and is still widely used on the internet. TLS 1.1 (2006) and 1.2 (2008) came about in response to “man in the middle” and “BEAST” threats. Although these threats and the encryption upgrades to address them have been available for several years, nearly all websites still allow the use of TLS 1.0. Recently PCI has recommended (mandated?) that all new website implementations allow the use of ONLY TLS 1.1 and 1.2 and furthermore they must stop using any version of SSL and TLS 1.0 (and perhaps even TLS 1.1) by June 30, 2016. Since PCI audits of a secure website must meet this requirement after June 30, 2016 I expect that all of those secure websites I use will stop supporting TLS 1.0 sometime over the next year.
I found a software tool that allowed me to test any website to determine which encryption standards it allowed and which ones it does not allow. I found that all the secure websites I use still support TLS 1.0 except for the Escapees website which only supports TLS 1.1 and 1.2. Further research indicated that the version of Safari I’m using supports TLS 1.0 but not TLS 1.1 or TLS 1.2. Newer versions of Safari do support TLS 1.1 and TLS 1.2.
Other folks that are using any one of several popular web browsers that are not the latest version might well run into this same problem. This website has a comprehensive list of browsers vs. encryption standards supported that might be of interest. The table also shows the vulnerability of those browsers to various threats.
For the time being I’ve downloaded the latest version of Firefox for Mac. It is compatible with the Escapees website so I’ll use it just for that. Before too long I’ll probably update my OS and Safari.
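The post describes using a tool to find out which SSL/TLS versions a server will accept, and why an old browser that only speaks TLS 1.0 is turned away by a server that insists on TLS 1.1 or 1.2. The script below is an added example of how such a probe works; it is not the tool the author used and is not code from the Escapees site or from Apple. It hand-builds a TLS ClientHello whose client_version field is pinned to one protocol version, sends it, and reports whether the server answers with a ServerHello at that version or refuses it with an alert (a 1.0-only client typically sees a `protocol_version` or `handshake_failure` alert, or simply a closed connection). The host name `example.com`, the port, the cipher-suite list and the extension set are assumptions chosen for illustration; only the Python standard library is used.

```python
"""Probe which SSL/TLS protocol versions a server will negotiate.

Added example, not code from the original post. Sends a hand-built
ClientHello whose client_version is pinned to one version and classifies
the server's first record. Covers SSLv3 through TLS 1.2, the versions the
post discusses; TLS 1.3 is negotiated via the supported_versions extension
and is not probed here.
"""
import os
import socket
import struct
import sys

VERSIONS = {
    (3, 0): "SSLv3",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}

# Alert descriptions (RFC 5246 section 7.2) a server commonly uses to refuse a version.
ALERTS = {10: "unexpected_message", 40: "handshake_failure",
          47: "illegal_parameter", 70: "protocol_version", 80: "internal_error"}

# Assumed mix of ECDHE and RSA suites so both old and new servers find one they accept.
CIPHER_SUITES = [0xC02F, 0xC030, 0xC02B, 0xC02C, 0xC013, 0xC014,
                 0x009C, 0x009D, 0x002F, 0x0035, 0x000A]


def _ext(ext_type, body):
    """Wrap an extension body with its 2-byte type and 2-byte length."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name, version):
    """Return a complete TLS record carrying a ClientHello for `version`."""
    major, minor = version
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    host = server_name.encode("idna")
    # server_name: list length, name_type host_name(0), name length, name
    sni = _ext(0x0000, struct.pack("!HBH", len(host) + 3, 0, len(host)) + host)
    supported_groups = _ext(0x000A, struct.pack("!HHHH", 6, 0x001D, 0x0017, 0x0018))
    ec_point_formats = _ext(0x000B, b"\x01\x00")
    signature_algorithms = _ext(0x000D, struct.pack("!HHHHH", 8, 0x0804, 0x0401, 0x0403, 0x0201))
    extensions = sni + supported_groups + ec_point_formats + signature_algorithms
    body = (struct.pack("!BB", major, minor)        # client_version under test
            + os.urandom(32)                        # client random
            + b"\x00"                               # empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                           # compression: null only
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record-layer version is advisory; 3.1 is what real clients send for all versions.
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record a server sent back."""
    if len(data) < 5:
        return ("closed", None)
    content_type, _major, _minor, length = struct.unpack("!BBBH", data[:5])
    payload = data[5:5 + length]
    if content_type == 0x15 and len(payload) >= 2:            # Alert
        return ("alert", ALERTS.get(payload[1], "alert_%d" % payload[1]))
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # ServerHello
        negotiated = (payload[4], payload[5])
        return ("server_hello", VERSIONS.get(negotiated, "unknown %d.%d" % negotiated))
    return ("unexpected", "content type %d" % content_type)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def probe(host, port, version, timeout=5.0):
    """Send one ClientHello and return the parsed first record from the server."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host, version))
        header = _recv_exact(sock, 5)
        if len(header) < 5:
            return ("closed", None)
        length = struct.unpack("!H", header[3:5])[0]
        return parse_server_response(header + _recv_exact(sock, length))


def supported_versions(host, port=443):
    """Map version name -> (accepted?, detail). Accepted means the server answered at exactly that version."""
    report = {}
    for version, name in VERSIONS.items():
        try:
            kind, detail = probe(host, port, version)
        except OSError as exc:
            kind, detail = "error", str(exc)
        report[name] = (kind == "server_hello" and detail == name, "%s %s" % (kind, detail))
    return report


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"   # assumed default host
    for name, (ok, detail) in supported_versions(target).items():
        print("%-8s %s  (%s)" % (name, "accepted" if ok else "rejected", detail))
```

Run it as `python tls_probe.py www.example.com` and a server configured the way the Escapees administrator describes shows `TLS 1.0 rejected (alert protocol_version)` (or `handshake_failure`, or `closed`, depending on the server software) while `TLS 1.1` and `TLS 1.2` are accepted. Two caveats: a server that supports a version but none of the assumed cipher suites will also answer `handshake_failure`, so a rejection is evidence rather than proof; and a server that is TLS 1.3-only will reject every probe here, because TLS 1.3 is selected through an extension this script does not send.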