44

I'm having trouble accessing HTTPS websites using Netscape Communicator 4.8. This is the error message I get:

Netscape and this server cannot communicate securely because they have no common encryption algorithm(s)

Is there a way I can configure some sort of proxy that will allow me to access HTTPS websites over HTTP? Or any other solution to this problem?

Jaap Joris Vens
  • 1,016
  • 6
  • 18
  • 16
    For the record, this is because all the ciphersuites that these old browsers supported are now considered insecure and disabled by the servers. Visit https://www.ssllabs.com/ssltest/viewMyClient.html to see all its now-insecure ciphers! – Ángel Jan 18 '21 at 23:57
  • 4
    I tried, but I got the same error :( – Jaap Joris Vens Jan 19 '21 at 07:14
  • 3
    For a browser this old, aren’t you also going to have issues with HTML 5? – RBarryYoung Jan 19 '21 at 17:52
  • 2
    Any reason not to use newer browser? – Dan M. Jan 20 '21 at 14:29
  • @DanM. Is there a newer browser worth switching to? https://retrocomputing.stackexchange.com/questions/9345/latest-web-browser-compatible-with-windows-95-98 – Bobson Jan 20 '21 at 21:47
  • 1
    @Bobson K-Melon might be worth a try. Also, Opera 11/12 might do the job for the particular https website. – Dan M. Jan 21 '21 at 13:56
  • 2
    @DanM. This is retrocomputing so asking for a reason why using something retro is kind of moot. – BlackJack Jan 21 '21 at 19:12
  • @BlackJack depends on whether the goal is to access https websites on Win95 or specific old version of the web browser. After all, the self-answer proposes using nginx, which is not really "retro" (at least less retro than all browsers that could be possibly made to run on Win95). – Dan M. Jan 22 '21 at 10:35
  • A comment only because right now it’s just somebody’s goofy fun and therefore may or may not still exist whenever you are reading this: http://frogfind.com is an attempt to provide a search engine and page reinterpretation service that allows modern content to be visited from even ‘80s-era hardware. So it not only pipes HTTPS to plain HTTP but also attempts to rerender content as only very basic HTML. It was a bit hit and miss in my testing, breaking content as often as not, so take as you will, but the underlying tool is Mozilla’s Readability so it may well improve over time. – Tommy Apr 14 '21 at 17:27

3 Answers3

57

Forward proxy

It turned out that configuring my own forward HTTP proxy was actually really simple! Here's how I did it. First, I placed the following nginx configuration file in /etc/nginx/sites-enabled/:

server {
  listen 81;

location / {
    resolver 8.8.8.8;
    proxy_http_version 1.1;
    proxy_pass https://$host$request_uri;
  }
}

Then, on the Window 95 machine, I opened Netscape Communicator and went to Edit -> Preferences -> Advanced -> Proxies -> Manual Proxy Configuration and entered the following information:

servers: HTTP: Address of proxy server to use: 192.168.178.129 Port: 81

(Note that 192.168.178.129 is the IP address of the machine that is running nginx in my case.)

That's it! Netscape Communicator now happily connects to any HTTPS website. As proof, here is a screenshot of this very question, as rendered by this 25 year old web browser:

Screenshot of Netscape Communicator visiting this question

Rewrite links in the document

A problem is that links in the document will still likely point to HTTPS targets and will bypass the proxy. The ngx_http_sub module can be used to rewrite some or most of the links in the document:

proxy_set_header Accept-Encoding "";

sub_filter_once off;
sub_filter_last_modified on;
sub_filter '<a href="https:' '<a href="http:';
sub_filter '<img src="https:' '<img src="http:';


gzip_proxied any;
gzip_http_version 1.0;
gzip_comp_level 7;

The http_sub module will only work on text/html by default, and can not operate on compressed data so compression is disabled by modifying the Accept-Encoding header. Compression can then be turned back on to the client using the gzip_… directives.

The built-in substitution can only do exact strings so it will not catch all links. There is a regex-capable module available for the ambitious.

pipe
  • 1,718
  • 17
  • 20
Jaap Joris Vens
  • 1,016
  • 6
  • 18
  • 2
    I've used Squid in SSL-interception mode to do the same thing, though that was translating web pages from TLS 1.2 to TLS 1.0 for Windows XP. Don't know how much work it would be to get Squid to speak SSL 3. – Mark Jan 18 '21 at 21:33
  • 17
    What a world we live in, where an HTTP proxy is now called a forward HTTP proxy, – JCRM Jan 18 '21 at 22:57
  • 21
    @JCRM The reason has little to do with "what a world we live in", and a lot to do with the fact that (aside from serving HTTP) Nginx is well known and very popular as a reverse proxy (server-side) solution. The fact that Nginx is a versatile solution as a forward proxy (client-side) is less well known, hence the inclusion of the word "forward" to avoid confusion between the two use cases. – Will Jan 19 '21 at 01:19
  • 4
    @Will agreed, but I think your point was what JCRM was expressing wonderment at :) – lahwran Jan 19 '21 at 01:55
  • 1
    It connects to any HTTPS website, but it looks like you get the same "no common encryption algorithm(s)"-error when the browser tries to display the screenshot in your question. Why is it not able to access the image? – Lars Kristensen Jan 19 '21 at 12:13
  • 5
    The image URL contains a hardcoded https. Ideally, the proxy should rewrite these to http. I have no idea whether nginx is capable of that. – Jaap Joris Vens Jan 19 '21 at 12:25
  • 2
    But image requests should go through the proxy as well. I assumed it was because Netscape doesn't support PNG. – user3840170 Jan 19 '21 at 12:45
  • 7
    Netscape Communicator only uses the proxy for HTTP requests. For HTTPS requests it tries to contact the server directly. A SOCKS proxy could solve this problem. – Jaap Joris Vens Jan 19 '21 at 12:53
  • @Will I used to live in a world where we call a HTTP proxy a HTTP proxy (yes, reverse proxies existed in the 90s as well). What an amazing thing that the world we live in now have people calling HTTP proxies "forward HTTP proxy". This hints at several things, all amazing to me: that web development is more popular than IT these days. And that there are more developers than admins these days – slebetman Jan 20 '21 at 06:17
  • 1
    @LarsKristensen It's actually displaying the alt text of the image there. – Alexia Luna Jan 21 '21 at 16:00
  • @hedgie That doesn't make sense. Why is it able to load the website itself through the proxy then, which is also HTTPS? – Alexia Luna Jan 21 '21 at 16:01
  • Look at the URL bar; it's http. This what's sent to the nginx proxy, which in turn makes an https request and sends the response back to Netscape Communicator over http. If you want to try it for yourself, I have made the Windows 95 image available here. – Jaap Joris Vens Jan 21 '21 at 18:50
  • @nyuszika7h I hadn't noticed that was the alt text. That makes more sense, and then the issue is probably just that the Netscape browser doesn't support PNG images. – Lars Kristensen Jan 21 '21 at 19:54
  • @LarsKristensen Netscape supports PNG. If I right-click the broken image and select "Copy image location", paste it into the URL bar and remove the s, Netscape shows the image. It's not showing the original image because the link contains https and then the proxy isn't used. – Jaap Joris Vens Jan 21 '21 at 20:09
  • @hedgie But wasn't the whole point of the proxy to perform the HTTPS requests, and send them back as HTTP? Why doesn't this apply to images, or any other content on the page that was originally served as HTTPS? Edit: I'm not challenging your solution, I'm genuinely curious why it behaves like this :-) – Lars Kristensen Jan 22 '21 at 08:01
  • 2
    @LarsKristensen because, as I explained above, Netscape Communicator only uses the proxy for HTTP urls. These will then get translated to HTTPS requests by the proxy. For HTTPS urls Netscape tries to contact the server directly, which fails. – Jaap Joris Vens Jan 22 '21 at 11:25
  • @hedgie Thanks, it makes sense now, I had misunderstood the solution worked. – Lars Kristensen Jan 22 '21 at 12:10
  • I just implemented this proxy for my Amiga after having lots of problems with SSL/TLS. I'm using sub_filter to rewrite some https links to http in the returned document to avoid the issue, and it seems to work well. Maybe I should update this answer, too much to detail in a comment. – pipe Apr 12 '21 at 22:08
  • That's awesome, thank you very much for improving this solution! – Jaap Joris Vens Apr 14 '21 at 05:22
14

You can use the Web rendereing proxy, displaying modern web pages inside a GIF and imagemap. It works well, though Google Captcha often thinks (rightfully) that it is not a human controlling the web browser and won't let you through.

Alternately (and more useful for other activities than web browsing), you can try VNC connection. Although you probably have to de-configure modern security settings (like encryption) at the server side. Expect problems with entering non-ASCII characters, fancy keyboard layout and scrollwheel.

(this is a modified copy of my answer here: Problem accessing Internet from old phones/PDAs (HTTPS, SSL, certificates, compatible services,....) but that question has been closed).

Radovan Garabík
  • 4,993
  • 1
  • 16
  • 35
  • 2
    What do you mean "rightfully"? What's the difference between you controlling a browser that renders to the screen and you controlling a browser that renders to a gif? – pipe Jan 19 '21 at 03:48
  • 1
    @paulsm4 You want a normal proxy, not a reverse proxy, I would think – JBGreen Jan 19 '21 at 19:54
  • @Radovan Garabík: A proxy like nginx is definitely the preferred solution – paulsm4 Jan 19 '21 at 20:02
  • @pipe Google's reCAPTCHA does a bunch of things (most of which I don't know or understand) to answer the question, "Is this web page loaded in a real web browser or inside a machine-controlled automated environment?" The Web rendering proxy (WRP) is an automated environment that just happens to be (ultimately) controlled by a human but is indistinguishable from an environment controlled by a bot. By clicking the imagemap, you give instructions to the WRP server about how to control the Web page, but as far as the captcha within the page knows, those instructions could be coming from a bot. – apsillers Jan 20 '21 at 13:32
  • @apsillers I know that. So google wrongfully thinks it's not a human. – pipe Jan 21 '21 at 11:43
6

I've used sslstrip for this before.

The program itself works well but some sites were giving me problems:

  1. Some of them redirect you to https:// when clicking a link, so you have to edit the URL sometimes
  2. Some pages made my Netscape 4.0 on Windows 3.1 crash
Arjen
  • 161
  • 2