EasyList & EasyPrivacy - can't update (from "standard" check-boxes) on Windows XP

[BilBg]

Read first: https://github.com/gorhill/uBlock/blob/master/CONTRIBUTING.md

Describe the issue

Since the links for EasyList & EasyPrivacy were changed to easylist.to they do not update from "standard" check-boxes, i.e. when using easylist.to
(they (the lists) are also one month old (28 Aug 2016) in the packages (crx zip xpi) for uBlock Origin 1.9.10)

One or more specific URLs where the issue occurs

https://easylist.to/easylist/easylist.txt
https://easylist.to/easylist/easyprivacy.txt
https://easylist.to/

Steps for anyone to reproduce the issue

1. Use browser based on Chromium 48 or less
2. Open in new tab:
   https://easylist.to/easylist/easylist.txt

It gives:
Error code: ERR_SSL_VERSION_OR_CIPHER_MISMATCH

• (and/or) To confirm no extension interferes - open the same link in incognito window Ctrl+Shift+N - the same ERR_SSL_VERSION_OR_CIPHER_MISMATCH
• (and/or) (in uBlock₀ — Dashboard) Check the "standard" check-boxes for EasyList & EasyPrivacy and try to [ Update now ] - they will remain "orange"

Your settings

• Browser/version: Chromium 48, 40, 35
  (IronPortable 48, IronPortable 35, FlashPeak Slimjet Portable 3.1.6.0 (based on Chromium 40.0.2214.93))
• uBlock Origin version: 1.9.10
• Windows XP

Your filter lists

N/A - issue is: unable to open/fetch/update from:
https://easylist.to/

All other https lists (e.g. Peter Lowe, 4x "Malware" lists) update OK, including other lists/mirrors which contain EasyList / EasyPrivacy:
Fanboy+Easylist-Merged Ultimate List
https://www.fanboy.co.nz/r/fanboy-ultimate.txt

Custom:
https://easylist-downloads.adblockplus.org/easylist.txt
https://easylist-downloads.adblockplus.org/easyprivacy.txt
https://secure.fanboy.co.nz/easyprivacy+easylist.txt

P.S.
This "issue" is not problem for me as I now use the above mirrors which cover these two lists 3x times. uBlock₀ — Dashboard shows now:
Fanboy’s Enhanced Tracking List: 0 used out of 1,020
Fanboy’s Annoyance List: 1 used out of 24,387
Fanboy+Easylist-Merged Ultimate List: 105,053 used out of 105,137

Custom (3)
EasyList : 0 used out of 67,721
EasyPrivacy : 0 used out of 12,015
EasyPrivacy+EasyList : 5 used out of 79,736

(links for these "Custom (3)" are posted above)

But this "issue" may be a problem for "casual users" of older Chromium based browsers.

[gorhill]

The issue is with Windows XP -- the filter lists were moved to a server which uses an encrypted connection not handled by Windows XP.

Workaround is to import EasyList/EasyPrivacy as custom filter lists from the old (Adblock Plus) server:

• https://easylist-downloads.adblockplus.org/easylist.txt
• https://easylist-downloads.adblockplus.org/easyprivacy.txt

[BilBg]

Or you may consider adding some code to uBlock Origin to deal with additional reserve/backup/alternative/mirror homeURLs?
And in filter-lists.json :

"easylist-downloads.adblockplus.org/easylist.txt": {
    "title": "EasyList",
    "group": "ads",
    "homeURL": "https://easylist.to/easylist/easylist.txt",
    "homeURL1": "https://easylist-downloads.adblockplus.org/easylist.txt",
    "homeURL2": "https://secure.fanboy.co.nz/easylist.txt",
    "supportURL": "https://forums.lanik.us/"
},

(Some people which just say "It stopped working" on chrome.google.com maybe using Windows XP as me?)

[gorhill]

It's not a trivial code change, quite the opposite.

At most I could maybe change the current URLs to https://secure.fanboy.co.nz/easylist.txt and https://secure.fanboy.co.nz/easyprivacy.txt if you say these work. Also, just updating regularly the mirrored versions on GitHub should work.

[BilBg]

Also will be good to update all the lists included in uBlock Origin packages ("assets" directory) to current versions.
From my first post:
(they (the lists) are also one month old (28 Aug 2016) in the packages (crx zip xpi) for uBlock Origin 1.9.10)

[gorhill]

Also will be good to update all the lists included in uBlock Origin packages

Yes, I just did -- so this should allow Windows XP users to get the latest EasyList/EasyPrivacy, uBO falls back onto the GitHub repo in case the mirrored filter lists can't be downloaded from their home server for whatever reasons. If I update these 3rd-party filter lists once a week, this will probably take care of the issue here.

[BilBg]

OK, they now updated from "standard" check-boxes (low "used" count because I have other mirrors enabled)
EasyList: 6 used out of 67,727
EasyPrivacy: 9 used out of 12,019

[lewisje]

Another workaround is to switch to Firefox, which is also a good idea because Mozilla is still supporting Windows XP (the last version to support XP will be ESR 52); relevant to this Issue, Firefox uses its own TLS implementation (NSS) rather than relying on the same TLS stack as the operating system (Schannel in Windows), so Firefox on XP can still support newer ciphers. Below is more detail.

---

I've tested easylist.to here: https://www.digicert.com/help/

I have found that it supports TLS 1.0-1.2 with the following ciphers:

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

I have also checked easylist-downloads.adblockplus.org, which also supports TLS 1.0-1.2:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_SEED_CBC_SHA
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

This is the cipher list for secure.fanboy.co.nz, which supports TLS 1.0-1.2:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

ECDHE and AES do not exist in Microsoft's TLS implementation for Windows XP: https://github.com/client9/sslassert/wiki/IE-Supported-Cipher-Suites

[BilBg]

(I have Firefox for years but use very rarely - don't like the slow scroll ("smooth scroll" is Off I think - if that Setting was in Firefox and not in Opera 12.16), I don't intend to "switch to Firefox")

For Slimjet Portable 3.1.6.0 (Chromium 40) from:
https://www.howsmyssl.com/

The cipher suites your client said it supports, in the order it sent them, are:

TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_RC4_128_MD5

While on (I have no problem to view and use that site, it is OK):
https://secure.fanboy.co.nz/
the browser reports (with "free speech" but how to copy text from that popup?) it uses the first:
TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Here on github.com browser reports using the second:
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

So your link is maybe only IE related.

[ghost]

You wont have such issues popping up if you're willing to ditch XP for good and get Windows 7.

[Hrxn]

Second that above. I seriously, seriously advise against using Windows XP..

[BilBg]

I'm not "willing to ditch XP", I don't have "such issues" (they are not "issues" for me)
In fact the system is multiboot but I'm not prepared to "ditch XP" as I have 100s of programs (mostly small tools) set the way I want. And I like the old driver model which is more "close to the metal".
(system is 3 core CPU, 3 GB DDR2, AMD Radeon HD 6570 1 GB DDR3, motherboard from 2006 - if you now say "buy another" then send me money, I'm on money-- )

And this is not politics thread (use another browser, use another OS (especially the OS!))

If some site owner/admin decides to ban maybe 20% of computers using Windows XP by supporting only a few newest cipher suites (despite many others are still considered strong enough and are in newest browsers) - it's not bothering me, it should bother the site owner.
And in this case why the simple http is not allowed?? This list is not bank info.

[BilBg]

I just checked - IronPortable 35 supports the exact same cipher suites as Slimjet Portable 3.1.6.0 (Chromium 40) which I posted above.

[gorhill]

I will set a weekly reminder for myself to update the filter lists. For now that is the chosen solution, as it involves no code change, just launching a script to update the 3rd-party resources. Now that uAssets is split from the main project, the commits related to the 3rd-party assets won't pollute the commits related to uBO's code changes -- this used to be an issue for me, but no longer one with the uAssets spin-off.

[lewisje]

Some of the "small tools" the OP uses may also be old, or one-off tools, or so grounded in low-level Win32 programming that they even run in Windows 2000 or NT4.0; such tools also tend to still work in Windows Vista and later.

Anyway, I almost forgot, when Firefox drops support, the Pale Moon fork might still be releasing Atom builds; they're optimized for Intel Atom netbook processors, but they run fine in Windows XP on other processors.

Also, the reason for not supporting HTTP is concern that the lists may have been altered in transit: HTTPS provides protection from both eavesdropping on and tampering of communications. With the rise of free (but technical-ability required) Let's Encrypt certificates, a large number of sites that were HTTP-only because of cost concerns will first support, then prefer, and finally require HTTPS.

[Atavic]

Yes, Palemoon has an Atom/XP optimized build.

[BilBg]

If they're not issues, why bother posting here then ?

They're not issues for Me (clear from the first post), "bother posting" for the sake of some 500 000 people (10% of uBlock Origin users)
https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0
... since nobody "bother posting" here for a few months (I posted ~this 2 times in chrome.google.com/webstore/ but this remained unnoticed)

I'm "with computers" since ~1982 (IBM-360, Apple ][+), was using MSDOS actively till ~2005 and still have Windows 98 (by XOSL can boot also to Windows 2000, but most importantly to MSDOS 5.0 + NDOS 7.0 + Stacker) for old games.
(You didn't want or need that "info" - well, I didn't need your posts either)

and I'm running Windows 10

Now THAT is the OS to be banned (and not talking about how ugly it is, I can't stand looking at this "flatness" on posted screenshots - looking like garbage paper)
Windows 10 is "the best" trojan horse, that's why "they" are pushing it so violently.
22% share is because inexperienced users (>90%) don't know how to stop Zillion number of ways it is pushed to them:
http://blog.ultimateoutsider.com/2015/08/using-gwx-stopper-to-permanently-remove.html

and then you will have no choice

I don't care if some program just updates for the sake of updating. E.g. I'm still on µTorrent 1.7.7 (01.02.2008) - low CPU usage 1-2%, nice "tight" GUI, still works - so why "update"... (that is not question, no need to answer)
(µTorrent v3.x 10-15% CPU usage - tested on similar computer with less # of torrent files, need to tweak 5-6 places to stop ads/Annoyances, "sparse" GUI maybe for "mobile", the only advantage - UDP)

Best programmers write small clever programs and don't ban old OSes just for the sake of it, e.g.:
http://www.nirsoft.net/

I like that there are No more updates to Windows XP (any update have potential to "break" OS instead of fixing it), I hate Facebook and mobile devices.
So? You may continue to uselessly convince me to "move to the future", I stated my point. Will not respond.
(you are obviously very young and I'm not)

(I use HTTPS Everywhere but that have nothing to do with the "issues" here)

You're only delaying the inevitable

Death is inevitable.
Now just wondering ..... do I delay it for some time ... or, since it is "inevitable", just face it now ,,, hmm

(sorry, gorhill, for this useless bla-bla, no more from me, I'm off to listen some songs by Krisia Todorova)
.

[gorhill]

The issue is solved as far as I am concerned, I will update the 3rd-party lists weekly (I set a reminder for this) -- which is something good regardless of the issue here. Further discussions about whether one should use Windows XP or not is really not relevant to this issue tracker.

[BilBg]

Just to report what Firefox supports (running on Windows XP if that matters):
https://www.howsmyssl.com/

Firefox 41.0.2
The cipher suites your client said it supports, in the order it sent them, are:

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

It connects OK to https://easylist.to/ using the first TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
If they decide to support also the second TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 the site will be accessible also by Chromium based browsers on Windows XP

https://forums.lanik.us/ is also inaccessible by Chromium on Windows XP but they allow http (I don't have account there to report this and try to convince them to support more cipher suites)
lanik.us support the same cipher suites list as easylist.to (maybe they have the same owner/admin)
(used link https://www.digicert.com/help/ posted by lewisje)

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

[gorhill]

With 3b9fd49, update should work (uBO will fallback to use one of the alternative URLs should the primary one fail).

[BilBg]

Yes, it updates from the second link in uBlock0.chromium\assets\assets.json
info from Logger:

11:32:35 xhr https://easylist-downloads.adblockplus.org/easylist.txt
11:32:34 xhr https://easylist.to/easylist/easylist.txt

If you wish you may add yet another link (maybe as No 3) for EasyList and EasyPrivacy
(I suspect "easylist-downloads" may vanish in the future):
https://secure.fanboy.co.nz/easylist.txt
https://secure.fanboy.co.nz/easyprivacy.txt