URBAN0 (posted August 1, 2019; edited August 2, 2019 by URBAN0):

Hello guys,

I can't log in to this website via Firefox. It works fine with IE, but for an unknown reason, at least to me, I get a blank page: https://www.one-key.gov.on.ca/iaalogin/IAALogin.jsp

It's a government website that my wife deals with, so I made a shortcut that is linked directly to the website, and by default I set it to use FF. It always worked fine, so I know ESET is blocking it somewhere, but I have no clue where to look 😀

Any help would be appreciated.

cyberhash (Most Valued Members; posted August 1, 2019):

At a guess I would say this is more down to issues with the browser. I'm the same: it works in MS Edge, but fails to load in Firefox. Since Firefox 67 I have had various issues on websites, so it's nothing new.

URBAN0 (posted August 1, 2019; edited August 1, 2019 by URBAN0):

If I disable SSL scanning it works fine. What are my options? I would like to use Firefox. Is there anything I can do without imposing security to make it work? I don't think disabling SSL scanning is one of the options 😀

URBAN0 (posted August 1, 2019; edited August 1, 2019 by URBAN0):

😶

itman (posted August 1, 2019):

22 minutes ago, URBAN0 said:
> If I disable SSL scanning it works fine.

Yes. It is an Eset issue. Add this IP address, 204.41.16.53, to Excluded IP addresses in the Eset Protocol Filtering section. You should now be able to connect to the site in Firefox w/o issues.

Looks like we found another Eset SSL/TLS protocol filtering bug ... ☹️

URBAN0 (posted August 1, 2019):

3 minutes ago, itman said:
> Yes. It is an Eset issue. Add this IP address, 204.41.16.53, to Excluded IP addresses in the Eset Protocol Filtering section. You should now be able to connect to the site in Firefox w/o issues. Looks like we found another Eset SSL/TLS protocol filtering bug ... ☹️

Wonderful, ESET to the rescue. Works perfectly. Thank you so much.

itman (posted August 1, 2019):

Just now, URBAN0 said:
> Wonderful, ESET to the rescue.

You mean itman to the rescue. Eset needs to definitely check this one out since everything about the cert. setup looks OK as evidenced by Firefox allowing the connection.

cyberhash (Most Valued Members; posted August 1, 2019):

Hmm, the same SSL certificate is present in Edge and works perfectly.

URBAN0 (posted August 1, 2019):

12 minutes ago, itman said:
> You mean itman to the rescue. Eset needs to definitely check this one out since everything about the cert. setup looks OK as evidenced by Firefox allowing the connection.

Yes, itman is the man 👌 Thank you, my friend.

URBAN0 (posted August 1, 2019):

6 minutes ago, cyberhash said:

Yes, it works fine in IE as well.

itman (posted August 1, 2019; edited August 1, 2019 by itman):

Per the below IE11 certificate chain screen shot, suspect the double root cert. setup is the issue. Firefox might handle this differently than browsers that use the Win root CA certificate store.

itman (posted August 1, 2019):

Below is the cert. chain relationship in Firefox. Believe this is indeed a cert. pinning issue.

itman (posted August 1, 2019; edited August 1, 2019 by itman):

Someone using Chrome should also test using this web site. Believe there will be pinning issues with it as well.

cyberhash (Most Valued Members; posted August 1, 2019):

As it's a problem that's very limited in the number of sites that it affects, I am still inclined to believe it's an issue that Firefox is creating itself. If it was purely a Firefox-Eset certificate issue, then all sites would be affected in Firefox.

Could be the way that Firefox renders code from certain pages. Or the newly introduced "standard" security measures built into the newer builds of Firefox. As this part where you should be able to click on the "site information or padlock icon" in Firefox should allow you to exclude these sites from the inbuilt security features baked into the browser ... and it's not present (faulty).

This is probably the 3rd site that I have seen with the same issue, from the pile of websites that I frequently visit.

I'd personally just use another browser for a single website, rather than going and temporarily disabling SSL or creating any sort of exclusions just to have it work in Firefox. But that's down to personal preference.

itman (posted August 1, 2019):

The issue in this instance is not the fact that Eset SSL/TLS protocol scanning prevented a legitimate gov. web site from rendering in a browser, although that is a concern. The primary issue is that Eset failed to display the proper alert as to why the communication was being blocked.

Marcos (Administrators; posted August 1, 2019):

Reported to developers. It could be that the website works in a way that doesn't comply with RFC standards. We'll see what they will say about it.

itman (posted August 2, 2019; edited August 2, 2019 by itman):

The reason the connection to this web site and others like it will fail is shown in the below ssllabs.com analysis screen shot. Note that the web site can employ two certificate pinning validation methods. Path 2 is specifically for detecting man-in-the-middle interception, which of course is what Eset is performing. It also appears that Firefox supports the Path 2 validation method whereas neither IE11 nor Edge does.

Posolsvetla (ESET Staff; posted August 2, 2019):

We cannot fix this issue on our side; it's a server-side bug. I suggest contacting the web page administrator and using a different browser than Firefox until they fix it. If they want some technical details, they can send me a PM here on this forum with such a request.

The easiest fix I would suggest to them is to upgrade their server (or update its configuration); the support of cipher suites as they have now is pretty bad: https://www.ssllabs.com/ssltest/analyze.html?d=www.one-key.gov.on.ca

URBAN0 (posted August 2, 2019; edited August 2, 2019 by URBAN0):

This is the only site so far where I found this issue, and my wife doesn't use it on a daily basis, so no big deal. I don't mind using IE; it works fine.

I love my ESET Internet Security. It's a breath of fresh air compared to any other security software; it's so light.

This is a great forum, thanks everyone.

itman (posted August 2, 2019; edited August 2, 2019 by itman):

Technically speaking, the web site was downgraded by ssllabs.com because it doesn't support Forward Secrecy:

Quote
> Penalty for not using forward secrecy (B)
>
> Forward secrecy (FS) also known as perfect forward secrecy (PFS), is a property of secure communication protocols in which compromises of long-term keys does not compromise past session keys. Forward secrecy protects past sessions against future compromises of private key. The very popular RSA key exchange doesn’t provide forward secrecy. You need to support and prefer ECDHE suites in order to enable forward secrecy with modern web browsers.
>
> SSL Labs will start penalizing servers that don’t support forward secrecy; Grade will be capped to B. We will not penalize sites that use suites without forward secrecy provided they are never negotiated with clients that can do better.

https://blog.qualys.com/ssllabs/2018/02/02/forward-secrecy-authenticated-encryption-and-robot-grading-update
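
Added example, not part of the thread and not SSL Labs' code: a simplified Python model of the grading rule quoted in the post above, checking whether a server's suite list lacks forward secrecy or skips it for a client that offers ECDHE. The suite lists, client profiles and function names are constructed for illustration and are not scan results for the site discussed here.

```python
# Added example; the suite lists below are constructed, not scan results for the site in the thread.

def key_exchange(suite):
    """Key-exchange family of an IANA TLS suite name, e.g. 'ECDHE' or 'RSA'."""
    if not suite.startswith("TLS_"):
        raise ValueError(f"not an IANA TLS suite name: {suite}")
    if "_WITH_" not in suite:
        return "TLS1.3"  # TLS 1.3 names carry no key exchange; it is always ephemeral
    return suite[len("TLS_"):].split("_WITH_")[0].split("_")[0]

def has_forward_secrecy(suite):
    # Static RSA and static (EC)DH reuse the long-term key, so only these qualify.
    return key_exchange(suite) in ("ECDHE", "DHE", "TLS1.3")

def negotiate(server, client, server_preference=True):
    """First mutually supported suite, in the order of whichever side decides."""
    first, second = (server, client) if server_preference else (client, server)
    return next((s for s in first if s in second), None)

def fs_findings(server, clients, server_preference=True):
    """Clients that end up without FS although an FS suite was available to both sides."""
    findings = []
    for name, offered in clients.items():
        chosen = negotiate(server, offered, server_preference)
        could_do_better = any(has_forward_secrecy(s) for s in offered if s in server)
        if chosen and not has_forward_secrecy(chosen) and could_do_better:
            findings.append((name, chosen))
    return findings

def capped_to_b(server, clients, server_preference=True):
    """Simplified model of the quoted rule: no FS at all, or FS skipped for a capable client."""
    if not any(has_forward_secrecy(s) for s in server):
        return True
    return bool(fs_findings(server, clients, server_preference))

ECDHE_GCM = "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
RSA_GCM = "TLS_RSA_WITH_AES_128_GCM_SHA256"
RSA_CBC = "TLS_RSA_WITH_AES_128_CBC_SHA"
CLIENTS = {"modern": [ECDHE_GCM, RSA_GCM, RSA_CBC], "legacy": [RSA_CBC, RSA_GCM]}
RSA_ONLY = [RSA_GCM, RSA_CBC]        # no FS suite at all
MISORDERED = [RSA_GCM, ECDHE_GCM]    # FS supported but not preferred
FIXED = [ECDHE_GCM, RSA_GCM]         # ECDHE first, RSA kept for legacy clients

if __name__ == "__main__":
    for label, server in (("rsa-only", RSA_ONLY), ("misordered", MISORDERED), ("fixed", FIXED)):
        print(label, capped_to_b(server, CLIENTS), fs_findings(server, CLIENTS))
```

With the `FIXED` ordering the legacy client still negotiates an RSA suite, which the quoted rule tolerates because that client offers nothing better.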

itman (posted August 2, 2019; edited August 2, 2019 by itman):

Also as noted by another SSL checker web site: https://www.sslshopper.com/ssl-checker.html#hostname=https://www.one-key.gov.on.ca/iaalogin/IAALogin.jsp , there is nothing wrong with the way certificates are being chained.

URBAN0 (posted August 2, 2019; edited August 2, 2019 by URBAN0):

45 minutes ago, itman said:
> Also as noted by another SSL checker web site: https://www.sslshopper.com/ssl-checker.html#hostname=https://www.one-key.gov.on.ca/iaalogin/IAALogin.jsp , there is nothing wrong with the way certificates are being chained.

You are truly a champ in forum activities 👌 You are indeed a very needed member 👍 Thanks, itman.

Posolsvetla (ESET Staff; posted August 9, 2019):

It turned out there are more such misbehaving servers, so we had to implement a workaround on our side. It will be delivered by the automatic module updates; expected time is within 2 weeks.