Why Can't My Users Access HTTPS Pages on my Site?


In the last couple of years there have been some significant, widely reported attacks involving SSL/TLS that you will probably have come across in the news - POODLE, Heartbleed and others.

POODLE was an attack on SSL 3.0 itself, one of the older versions of the protocol; Heartbleed was a bug in the OpenSSL library rather than in the protocol. Together they led to the determination that it is unsafe to communicate using the older protocol versions (SSL 2.0, SSL 3.0 and, for PCI DSS purposes, "early TLS", i.e. TLS 1.0).

In order to comply with the PCI DSS requirements, many hosting companies have already disabled support for those older protocol versions on their servers, and I expect many others to follow suit in the coming months.

Unfortunately, this means that users whose browsers ONLY support the older protocol versions can no longer access https pages on those sites: the browser and the server have no protocol version in common, so the TLS handshake fails before any page is sent. Allowing such a connection would mean the traffic was unsafe, for both the user's data and the data held on the server.
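The following Python script is an added illustration of that failure, not code from the original article. It builds a minimal ClientHello, reads back the highest protocol version the client offers, and applies the server's version policy the way RFC 5246 appendix E describes: the server picks the highest version both sides support, and if the client's best offer is below the server's floor, the handshake is refused with a protocol_version alert. The server floor of TLS 1.1 is an assumption chosen to match the PCI DSS guidance of the time, and the ClientHello bytes are constructed here rather than captured from a real browser.

```python
import struct

# Version codes used by the record layer and ClientHello (RFC 5246 appendix E).
# SSL 2.0 uses a different record format and is not handled here.
VERSIONS = {
    (3, 0): "SSL 3.0",
    (3, 1): "TLS 1.0",
    (3, 2): "TLS 1.1",
    (3, 3): "TLS 1.2",
}


def version_name(version):
    """Human-readable name for a (major, minor) protocol version tuple."""
    return VERSIONS.get(version, "unknown (%d.%d)" % version)


def build_client_hello(version):
    """Build a TLS record carrying a minimal ClientHello whose client_version
    is `version`. Constructed sample data for this example, not captured
    traffic: one cipher suite, no extensions, all-zero random."""
    major, minor = version
    body = bytes([major, minor])                    # client_version
    body += bytes(32)                               # random (zeros for the example)
    body += b"\x00"                                 # session_id length 0
    body += struct.pack("!H", 2) + b"\x00\x2f"      # cipher_suites: TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                             # compression_methods: null only
    # Handshake header: HandshakeType client_hello(1) + uint24 length
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: ContentType handshake(22), record version, uint16 length
    return b"\x16" + bytes([major, minor]) + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(record):
    """Return the (major, minor) version the client offers in a ClientHello
    record, raising ValueError if the bytes are not a well-formed ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 6 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    if len(hs) - 4 < hs_len:
        raise ValueError("truncated ClientHello")
    return (hs[4], hs[5])


def negotiate(record, server_min=(3, 2), server_max=(3, 3)):
    """Server-side version selection. Returns the agreed version, or None when
    the client's highest version is below the server's floor (the case that
    produces a protocol_version alert for an SSL 3.0-only browser).
    server_min=(3, 2) (TLS 1.1) is an assumed floor for this example."""
    client_max = parse_client_hello(record)
    if client_max < server_min:
        return None
    return min(client_max, server_max)


if __name__ == "__main__":
    for offered in [(3, 0), (3, 1), (3, 2), (3, 3)]:
        agreed = negotiate(build_client_hello(offered))
        outcome = "handshake fails" if agreed is None else "agreed " + version_name(agreed)
        print("client offers %-8s -> %s" % (version_name(offered), outcome))
```

Against a real server the equivalent check is `openssl s_client -connect host:443 -tls1_2`, repeated with `-tls1_1`, `-tls1` and `-ssl3` where the local OpenSSL build still offers those flags: once the older protocols have been disabled on the server, only the TLS 1.1 and 1.2 attempts should complete a handshake.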

The first thing to do is get the user to make sure they are using an up-to-date browser.

The minimum browser versions that support the current protocols (TLS 1.1 and TLS 1.2), as outlined by the server and SSL certificate companies, are as follows:

Apple Safari for Mac - Version 7.9+  / OSX 10.9 or higher
Windows Internet Explorer 11
Firefox version 27 or higher
Android Mobile version 5 or higher
Google Chrome version 30 or higher

They should also make sure that all the latest updates and patches for their browser and operating system are applied, since on some platforms (Safari, Internet Explorer) the protocol support comes from the operating system.

To check whether their current browser is compatible with the newer protocols, you can also point it at the Qualys SSL Labs browser test (https://www.ssllabs.com/ssltest/viewMyClient.html) - that will list the protocol versions the browser supports and flag any known weaknesses. The companion server test at https://www.ssllabs.com/ssltest/ shows which protocol versions a given site still accepts, which is useful for confirming which side of the connection is the problem.

While we stress that using an up-to-date browser is the best way to achieve this security, it is also possible to adjust the protocol settings manually, turning off the older SSL versions and making sure the TLS versions are enabled, by following the instructions here - Turn Off Older SSL Protocols in your Browser. Note that this only helps where the browser already supports TLS 1.1/1.2 but has them switched off; a browser that lacks the newer versions altogether has to be upgraded.

Again, unfortunately this is not something we can work around from a coding point of view: it is entirely down to the security of the connection between the browser and the server, and in order to protect customer data and keep the sites and servers as secure as they can possibly be, those older protocols had to be disabled.