
Hello Guys

I can't log in to this website via Firefox. It works fine with IE, but for some unknown reason, at least to me, I get a blank page.

https://www.one-key.gov.on.ca/iaalogin/IAALogin.jsp

It's a government website that my wife deals with, so I made a shortcut that is linked directly to the website, and by default I set it to use FF.

It always worked fine so I know ESET is blocking it somewhere but I have no clue where to look 😀

Any help would be appreciated

 

 

Untitled.png

Edited by URBAN0
Link to comment
Share on other sites

  • Most Valued Members

At a guess I would say this is more down to issues with the browser. I'm the same: it works in MS Edge, but fails to load in Firefox.

Since Firefox 67 I have had various issues on websites, so it's nothing new :(

Link to comment
Share on other sites

If I disable SSL scanning it works fine.

What are my options? I would like to use Firefox. Is there anything I can do without imposing security to make it work? I don't think disabling SSL scanning is one of the options 😀

Edited by URBAN0
Link to comment
Share on other sites

22 minutes ago, URBAN0 said:

If I disable SSL scanning it works fine.

Yes. It is an Eset issue.

Add this IP address, 204.41.16.53, to Excluded IP addresses in the Eset Protocol Filtering section. You should now be able to connect to the site in FireFox w/o issues.

Looks like we found another Eset SSL/TLS protocol filtering bug ...........☹️

Link to comment
Share on other sites

3 minutes ago, itman said:

Yes. It is an Eset issue.

Add this IP address, 204.41.16.53, to Excluded IP addresses in the Eset Protocol Filtering section. You should now be able to connect to the site in FireFox w/o issues.

Looks like we found another Eset SSL/TLS protocol filtering bug ...........☹️

Wonderful, ESET to the rescue.

Works perfect

Thank you so much

Link to comment
Share on other sites

Just now, URBAN0 said:

Wonderful, ESET to the rescue.

You mean itman to the rescue.

Eset needs to definitely check this one out since everything about the cert. setup looks OK as evidenced by Firefox allowing the connection.

Link to comment
Share on other sites

12 minutes ago, itman said:

You mean itman to the rescue.

Eset needs to definitely check this one out since everything about the cert. setup looks OK as evidenced by Firefox allowing the connection.

Yes itman is the man 👌

Thank you my friend

Link to comment
Share on other sites

Per the below IE11 certificate chain screen shot, suspect the double root cert. setup is the issue. Firefox might handle this differently than browsers that use the Win root CA certificate store.

Eset_Cert.png.7baebbec81366fc168b03c46689a0ebc.png

Edited by itman
Link to comment
Share on other sites

Someone using Chrome should also test using this web site. Believe there will be pinning issues with it as well.

Edited by itman
Link to comment
Share on other sites

  • Most Valued Members

As it's a problem that's very limited in the number of sites that it affects, I am still inclined to believe it's an issue that Firefox is creating itself. If it was purely a Firefox-Eset certificate issue, then all sites would be affected in Firefox.

Could be the way that Firefox renders code from certain pages, or the newly introduced "standard" security measures built into the newer builds of Firefox. As this part, where you should be able to click on the "site information or padlock icon" in Firefox, should allow you to exclude these sites from the inbuilt security features baked into the browser .......... and it's not present (faulty).

This is probably the 3rd site that I have seen with the same issue, from the pile of websites that I frequently visit.

I'd personally just use another browser for a single website, rather than going and temporarily disabling SSL or creating any sort of exclusions just to have it work in Firefox. But that's down to personal preference.
 

Link to comment
Share on other sites

The issue in this instance is not the fact that Eset SSL/TLS protocol scanning prevented a legitimate gov. web site from rendering in a browser although that is a concern. The primary issue is that Eset failed to display the proper alert as to why the communication was being blocked.

Link to comment
Share on other sites

  • Administrators

Reported to developers. It could be that the website works in a way that doesn't comply with RFC standards. We'll see what they will say about it.

Link to comment
Share on other sites

The reason the connection to this web site and others like it will fail is shown in the below ssllabs.com analysis screen shot. Note that the web site can employ two certificate pinning validation methods. Path 2 is specifically for detecting man-in-the-middle interception, which of course is what Eset is performing. It also appears that FireFox supports the Path 2 validation method whereas neither IE11 nor Edge do.

Eset_FF.thumb.png.a0768690459748dd249514f35feac728.png

Edited by itman
Link to comment
Share on other sites

  • ESET Staff

We cannot fix this issue on our side, it's a server side bug.
I suggest contacting the web page administrator and using a different browser than Firefox until they fix it.
If they want some technical details, they can send me a PM here on this forum with such a request.
The easiest fix I would suggest to them is to upgrade their server (or update its configuration), the support of cipher suites as they have now is pretty bad...
https://www.ssllabs.com/ssltest/analyze.html?d=www.one-key.gov.on.ca

Link to comment
Share on other sites

This is the only site so far where I found this issue, and my wife doesn't use it on a daily basis, so no big deal. I don't mind using IE; it works fine.

I love my ESET Internet Security. It's a breath of fresh air compared to any other security software; it's so light.

This is a great forum, thanks everyone

 

Edited by URBAN0
Link to comment
Share on other sites

Technically speaking, the web site was downgraded by ssllabs.com because it doesn't support Forward Secrecy:

Quote

Penalty for not using forward secrecy (B)

Forward secrecy (FS) also known as perfect forward secrecy (PFS), is a property of secure communication protocols in which compromises of long-term keys does not compromise past session keys. Forward secrecy protects past sessions against future compromises of private key. The very popular RSA key exchange doesn’t provide forward secrecy. You need to support and prefer ECDHE suites in order to enable forward secrecy with modern web browsers.

SSL Labs will start penalizing servers that don’t support forward secrecy; Grade will be capped to B. We will not penalize sites that use suites without forward secrecy provided they are never negotiated with clients that can do better.

https://blog.qualys.com/ssllabs/2018/02/02/forward-secrecy-authenticated-encryption-and-robot-grading-update

Edited by itman
Link to comment
Share on other sites
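The SSL Labs rule quoted in the post above, worked through as an added example (not code from the thread, ESET or SSL Labs). The cipher lists are constructed samples, not the site's real configuration, and `fs_audit` is a hypothetical helper that simplifies the rule to: flag the server when a non-forward-secret suite is negotiated with a client that offered a forward-secret one.

```python
import re

# Ephemeral (EC)DH key exchange gives forward secrecy; static RSA does not.
# Accepts OpenSSL names (ECDHE-RSA-...) and IANA names (TLS_ECDHE_RSA_WITH_...).
_FS_PREFIX = re.compile(r"^(TLS_)?(ECDHE|DHE|EDH)[-_]")
# TLS 1.3 suites (TLS_AES_..., TLS_CHACHA20_...) always use ephemeral exchange.
_TLS13 = re.compile(r"^TLS_(AES|CHACHA20)_")

def is_forward_secret(suite):
    return bool(_FS_PREFIX.match(suite) or _TLS13.match(suite))

def negotiate(server_pref, client_offer):
    """Server-preference negotiation: first server suite the client offers."""
    offered = set(client_offer)
    return next((s for s in server_pref if s in offered), None)

def fs_audit(server_pref, clients):
    """Return ({client: (suite, penalised)}, capped_to_B)."""
    findings = {}
    for name, offer in clients.items():
        chosen = negotiate(server_pref, offer)
        client_can_fs = any(is_forward_secret(s) for s in offer)
        penalised = (chosen is not None
                     and not is_forward_secret(chosen)
                     and client_can_fs)
        findings[name] = (chosen, penalised)
    return findings, any(p for _, p in findings.values())

# Constructed sample data (assumptions for illustration only).
CLIENTS = {
    "modern": ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256", "AES128-SHA"],
    "legacy": ["AES128-SHA", "DES-CBC3-SHA"],
}
RSA_ONLY_SERVER = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]
MISORDERED_SERVER = ["AES128-GCM-SHA256", "ECDHE-RSA-AES128-GCM-SHA256"]
FIXED_SERVER = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-GCM-SHA256", "AES128-SHA"]

if __name__ == "__main__":
    for label, server in [("rsa-only", RSA_ONLY_SERVER),
                          ("misordered", MISORDERED_SERVER),
                          ("fixed", FIXED_SERVER)]:
        findings, capped = fs_audit(server, CLIENTS)
        print(label, "capped to B:", capped, findings)
```

The misordered case shows that merely supporting ECDHE is not enough: the server must also prefer it, otherwise a capable client still ends up on static RSA key exchange.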

45 minutes ago, itman said:

Also as noted by another SSL checker web site: https://www.sslshopper.com/ssl-checker.html#hostname=https://www.one-key.gov.on.ca/iaalogin/IAALogin.jsp , there is nothing wrong with the way certificates are being chained.

You are truly a champ in forum activities 👌

You are indeed a very needed member 👍

Thanks itman

Edited by URBAN0
Link to comment
Share on other sites

  • ESET Staff

It turned out there are more such misbehaving servers, so we had to implement a workaround on our side.
It will be delivered by the automatic module updates, expected time is within 2 weeks.

Link to comment
Share on other sites
