Nope, not fixed at all Bruce. I imagine that Rogers long, long list of other things to fix (Navigatr, MyRogers issues, GCL and Shomi issues, and modem issues) is making this a low priority issue. What galls me though is the fact that this issue seems to have occurred right around the time that Rogers placed restrictions on how long voicemail will be stored. We were advised to log into our voicemail account to download any messages we wished to save. How can you do that when you keep getting the message SSL server probably obsolete? While yes, I can still access using IE, I am still unable to listen to any of my voicemail there due to the problem that was reported here:
As QuickTime is still the embedded player in IE11, it is impossible to listen to your messages!
Shame on rogers for leaving this hanging. Bad enough that they don't try to fix the issue after so many years, but not even taking the time to address the forum after user plea's for an update. Makes one want to go to a competitor.
I am glad to finally see a moderator pitch in and confirm that someone is actually listening to our concerns and understands our frustration. I can imagine the trustration for yourselves that there is really nothing you can tell us.
This is another clear example that unlike what the representative of OOP said to me that Rogers is committed to be a leader in the field and to be on top of standards as they change, as I pointed out to him with example after example where this is just not true, and that this is not just my opinion, it is the opinion of many very skilled people in the field of programming and system design, testing, and implementation, disaster recovery, and rolllback, He never even responded when I said, how can one say that Rogers is committed to be leaders, when the examples are current examples of how the company doesn't take current standards seriously as demonstrated by the large numbers of poorly implemented designs, or absolute latency in meeting standards that have been clearly articulated in the field for years, and in some cases decades.
I was met by total silence, he would not even answer my concerns, other than to say he will pass them to the back office, and got frustrated by me when I refused to give permission to reset my profile password when I was describing an issue that is widespread and not relevant to the profile, but to the browser coding, which I can clearly point out to a back office person if they could log into my computer and I could point out the exact coding issues and the website references to the standards, and so forth. But in its wisdom, Rogers has chosen to not give backoffice technical staff the ability to log into our computer, yet front line tech staff can, asking for the ability to see our profile and change our password. With al the current problems with profiles, the last thing I would be willing to do is change my password, in particular when the issue has nothing to do with my profile. Only by logging in and working together can the back office tech person fully understand the configurarion on my computer, and to fully understand the problem.
This has been standard troubleshooting practice in the industry for decades, back to programs like PCanywhere and Microsoft Remote and so many others.
So I thank you for the acknowdgelment of our concerns, and that you will keep us up to date, but it still provides us nothing to help us, nor does it improve our feeling that Rogers implementation, testing, and standards work has become shoddy and that our knowledgeable feedback is not attended to.
How about a tech expert forum where they address what is holding them back on all these issues.
No, it does not work on either Google Chrome or Firefox. What is particularly frustrating is that this issue started right around the time Rogers announced restrictions on saving your voicemail and that if you want to keep your voicemail, you would have to download them. How can you download them when you cannot even get into the site? Even more frustrating is how long it takes Rogers to fix anything. Months go by with no fix and Rogers cannot even give you an update! At the very least, Rogers could at least rescind their policy of deleting your voicemail until a fix is forthcoming but even that does not seem to be in the cards.
RogersHassam - thank you for your update and apologies. My primary concern with this issue is that the reality that the compatability of the voicemail sitee and the use of tls 1.0 (first introduced in 1987)
and the cipher RC4.
I have brought to attention what is happening to Counter Path, the company that advertises RON as one of their exemplary, market case studies, and they have acknowledge my concern and are going to discuss it with their teams.
Although you may be able to currently access the voice mail website, what you may not be aware of, and your technical teams are not addressing is the following reality. Note the announcement dates on the critical dates. Only Microsoft has temporarily allowed IE to still permit this obsolete cipher with all TLS, but not that as early as 2013, the industry at large made the recommendation that customers disable RC4 and as early as Feb 2015, the industry as a whole mandated the disabling of this protocl completely (Chrome and Mozilla both responded, by removing it in September, and Microsoft committed to a slightly longer date, which is approaching quickly. I am sure if your technical teams contact Microsoft, they can probably get a date, and I have no date given the 2013 recommendations, they will say "do it now".
So I know your response is limited to what you told me - acknowledge my frustration - you can acknowlege your own too, and that there is no communication available to clarify what is happening. This is a decision from way above you, you are just the messenger.
It is this general, overall position of Rogers to acknowledge customer concerns about technology implementation, that we are well educated and completely confused as to how any company could get themselves in a position of having so many technical changes that they are behind on.
Having said all that, that is just a repeat of my frustrations, which I know you have no answer to other than the one you just gave, but I thought I would give you the official announcements on the industry wide decisions about these protocols.
I am sure that there are staff who are aware of these issues, but the fact that most of these announcements were made months and up to years, suggests to me that although suppliers and teams may be working with these, it is certainly not in a timely manner. (my opinion only, but do read the following from Microsoft and the Industry Engineering Standards
Today, Microsoft is announcing the end-of-support of the RC4 cipher in Microsoft Edge and Internet Explorer 11. (note the timing of the end of support )Starting in early 2016, the RC4 cipher will be disabled by-default and will not be used during TLS fallback negotiations.
There is consensus across the industry that RC4 is no longer cryptographically secure. Our announcement aligns with today’s announcements from Google andMozilla, who are ending support for RC4 in Chrome and Firefox.
What is RC4?
RC4 is a stream cipher that was first described in 1987, and has been widely supported across web browsers and online services. Modern attacks have demonstrated that RC4 can be broken within hours or days. The typical attacks on RC4 exploit biases in the RC4 keystream to recover repeatedly encrypted plaintexts. In February 2015, these new attacks prompted the Internet Engineering Task Force to prohibit the use of RC4 with TLS
From this link: Note the following:
Prohibiting RC4 Cipher Suites
Abstract This document requires that Transport Layer Security (TLS) clients and servers never negotiate the use of RC4 cipher suites when they establish connections. This applies to all TLS versions. This document updates RFCs 5246, 4346, and 2246. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 5741. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at http://www.rfc-editor.org/info/rfc7465.
So if your technical staff, and external companies are
Microsoft Edge and Internet Explorer 11 only utilize RC4 during a fallback from TLS 1.2 or 1.1 to TLS 1.0. A fallback to TLS 1.0 with RC4 is most often the result of an innocent error, but this is indistinguishable from a man-in-the-middle attack. For this reason, RC4 will be entirely disabled by default for all Microsoft Edge and Internet Explorer users on Windows 7, Windows 8.1 and Windows 10 starting in early 2016.
How can I prepare?
We expect that most users will not notice this change. The percentage of insecure web services that support only RC4 is known to be small and shrinking.
If your web service relies on RC4, you will need to take action. Since 2013, Microsoft has recommended that customers enable TLS 1.2 in their services and remove support for RC4. For additional details, please see Security Advisory 2868725.
– Alec Oot, Program Manager, Customer Experience
UPDATED SEPTEMBER 1, 2015 2:22 PM
I personally need no further response on this, except to announce it and the other protocol issues like NPAPI have been dealt with and implemented.
Thanks you for your detailed analysis Bruce. You have hit the nail on the head - Rogers is not keeping up - simple as that! However, not one person at Rogers has ever addressed the issue of rescinding the policy of not being able to save your voicemail - especially when you can no longer access the voicemail site to save it yourself!
Update on RC4 elimination - turns out in some cases Mozilla browsers will still rollback to a different protocol to allow RC4, but the protocols and certificates being used by don't run on the voice mail site.
But the drop dead dates are out there and have been since September 3, 2015
From Infoworld tech watch, September 3, 2015
Mozilla will lead the way with Firefox 44, scheduled for release on Jan. 26, 2016. RC4-free versions of Chrome, Internet Explorer 11, and Microsoft Edge will be available by the end of February 2016. Apple did not respond to queries regarding its plans for Safari, nor did Opera Software.
It would appear that something in the TLS and RC4 ciphers used by Rogers on this site are being blocked by Chrome and Firefox - maybe they decided to pull the plug early while dealing with NPAPI.
So looks like end of February is the drop dead date - hope Rogers is moving on this. Changing protocols for this issue is well documented for all Microsoft servers and clients since 2013. So the technical resources are there, hopefullly work is in progress, and if they can't meet that date, then please stop deleting messages until you have done this.
p.s. just read another item off a google search - there is a known attack involving TLS 1.0 and means that the server protocol usage is known to be a security risk. It is known that Chrome and Mozilla is blocking some SSL certificates, while Microsoft is letting some of these through.
Mozilla and Chrome tend to lead the field in security issues and blocking them for the safety of all. As said in one of the articles, "telling users to try another browser is an absolutely unacceptable solution, and the solution is to deal with the issue once it is known".
Using alternative browsers should only be temporary solution. Anything else could be considered irrisponsible or neglegant under software and security engineering standards, and engineers who do not act upon these issues in a timely way are putting their careers at risk, as to ignore these standards is placing the whole Internet at risk. That is why there are standards.
But what more can I say, it appears that Rogers does not respect the security and safety of its own systems, let alone their users and the whole Internet when it doesn't act in a timely and responsible manner.
Just my opinion, but the reality is that if they don't respond soon, these apps and sites will be shut out by the browsers.
Once again, you have hit the nail on the head. As a customer that is paying for home phone services from Rogers and where on-line voicemail is one of the features that we have selected for our home phone, we want a permanent fix or a credit issued on our account for a service (that we pay for) that is not being received. Nothing that I have heard from Rogers so far on this issue is acceptable, nor is the temporary fix of having to use an inferior browser like IE11. When you couple this issue with the many other issues (actually more than a couple) like Navigatr, one can only be extremely disappointed with Rogers.