January 3rd 20, 10:50 PM posted to microsoft.public.windowsxp.general,alt.windows7.general
Mayayana
Windows XP Update

"Bert" wrote

| Has anyone successfully updated their Win XP PCs with the latest MS update?
| This update was made available but not part of the standard update process.
|
| MS still supports the Point Of Sale and kiosks etc with security updates.
| So I believe that this update can be used on any Win XP PC.
|
| KB4316682
|

How did you find out about that? I just discovered it
a few days ago.

If you have IE8 you can run this update. It's simple.
No special steps. I installed it but then removed it
after I remembered why I don't use IE8: It makes OE6
crash. But other than that it seemed fine. Once done
you'll get options for TLS 1.1 and 1.2 in Advanced
settings. There were some Registry settings specced
but as far as I could see the update took care of all that.

Presumably you're not actually using IE8 online. But
this update may still be worth it if you don't use OE.
It's a 2018 version of IE8, with security updates so that
POS machines can be stable despite not being eligible
for IE9-11.
Why would you update if you don't use IE? Because
many of the Windows networking APIs are actually just
IE functions. A lot of software uses those functions,
which come from urlmon.dll or wininet.dll.

But there's also another issue: You can get the update
but XP doesn't have the certs. I also just found out how
to update the certs:

https://msfn.org/board/topic/175170-...or-windows-xp/

Arcane, but not too involved. You download the two
updates and unpack them. I used my own SFX CAB
extractor but the page says WinRAR might work. Once
you have them unpacked to 2 folders, use the other
links to download updated versions of the SST files.
Having done that, run the two INF files to complete
the update of certs to the latest version.

Another update you might want is winhttp.
KB4019276. Winhttp is used by a lot of programmers.
Wininet has historically been used by people who
didn't really know what they were doing but wanted
to do something like download a webpage through their
software. The methods are just IE wrapper functions.
People who did know what they were doing would use
winsock. But that's complicated. At some point MS
saw the problem and came out with a 3rd option:
winhttp.dll. Winhttp mimics the wininet functions but
does them cleanly, with no IE dependency.

To update winhttp you'll want these Registry
settings on XP:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001

Also run the update:

http://download.windowsupdate.com/c/...5e1240ce3d.exe

Win7 can also get this update. (WinXP/Vista/7 do
not have native TLS1.2 support.) Win7 can get it in
wininet by installing IE11. This is the fix for winhttp:

Win7-64-bit:

http://www.download.windowsupdate.co...8e52a0dec0.msu

Win7-32-bit:

http://www.download.windowsupdate.co...74a0654f18.msu

I'm providing the direct links because MS have become obnoxious
about their updates, trying to force people to enable script so they
can snoop on you.

This is a lot of info. Feel free to post back if you don't
figure it all out. The gist of it is that TLS1.2 has become
standard. Each version of online encryption (SSL, TLS1,
TLS1.1) has gradually been cracked and a more secure
version needed. So it's not a critical issue, but it's nice to
get it updated.

Anyone who cares about such security won't be using
IE, anyway, but as I explained above, any software that's
going online may be using the wininet or winhttp functions
and if they want to use secure https they'll need these
updates.
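
An added example, not part of the original post: a Python check that parses the text of a `.reg` export and reports which of the settings listed in the post are missing or different. The function names and the sample export are constructed for illustration; one sample key carries a stray space in `Control`, which makes it a different key from the one SCHANNEL reads.

```python
import re

# Settings listed in the post. A regedit 5.00 export is UTF-16; decode it before calling audit().
SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols"
EXPECTED = {
    (f"{SCHANNEL}\\{proto}\\{role}", "DisabledByDefault"): 0
    for proto in ("TLS 1.1", "TLS 1.2") for role in ("Client", "Server")
}
EXPECTED[(r"HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady", "Installed")] = 1
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
DWORD_RE = re.compile(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$')

def parse_reg_dwords(text):
    """Return {(key, value_name): int} for each dword value, names lower-cased."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            # "[-KEY]" deletes a key, so values under it are not counted as set
            key = None if m.group(1) else m.group(2).lower()
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Return (key, name, expected, found) for each listed setting that is missing or differs."""
    found = parse_reg_dwords(text)
    rows = [(k, n, want, found.get((k.lower(), n.lower()))) for (k, n), want in EXPECTED.items()]
    return [row for row in rows if row[3] != row[2]]

# Constructed sample: the TLS 1.1\Server key has a stray space, TLS 1.2\Client is left disabled
SAMPLE = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Contro l\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\WPA\PosReady]
"Installed"=dword:00000001
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```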

