ASP.NET 1.1 Is Broken

Recently I came across the first instance I’ve seen of Microsoft dropping support for its legacy web application technology. ASP.NET 1.1 is now seriously broken. Officially, support for ASP.NET 1.1 ended on October 14, 2008. What I am talking about is a serious technical issue which creates a problem for legacy ASP.NET 1.1 web applications.

By default, the release version of the .NET Framework 1.1 supports only the SSL 3.0 protocol. By default, the Transport Layer Security (TLS) protocol is disabled. Unfortunately, SSL 3.0 became vulnerable to a padding attack, named the POODLE attack (which stands for “Padding Oracle On Downgraded Legacy Encryption”), see this Wikipedia article. Because of that security issue, many APIs are dropping support for SSL 3.0.

I encountered this problem because I still support LaGarde’s Storefront 6.0 which was never converted to ASP.NET 2.0. All Storefront 6.0 web sites still need to run under ASP.NET 1.1. Storefront 6.0 used at least two APIs, from Authorize.Net and UPS, which no longer accept requests over SSL 3.0. Storefront 6.0 was an e-commerce shopping cart and it is now unable to validate credit cards through Authorize.Net or get shipping rates quotes from UPS.

Fortunately, I have developed a really easy fix for this problem. I can force ASP.NET 1.1 to use TLS instead of SSL 3.0 for every request. And this can be done without recompiling the DLLs which Storefront 6.0 uses.

I rarely get any work requests for Storefront 6.0 and frankly nobody should still be using such an old e-commerce shopping cart. There is no official support for Storefront 6.0 and nobody is addressing any security problems that may exist in the code. But if you need to keep your e-commerce site running until you can migrate to something else, then contact me for a solution to the SSL problem.

This entry was posted in ASP.NET, Programming, Web and tagged , , , , , , . Bookmark the permalink.

Leave a Reply

Your email address will not be published.