Blank Page

[URBAN0 14]

 

 

 

Hello Guys

I can't login into  this website via Firefox, It works fine with IE but for unknowing reason  at least to me I get blank page

https://www.one-key.gov.on.ca/iaalogin/IAALogin.jsp

Its Governments website that my wife deals with so I made  a shortcut that is  linked directly to the website and  by default I set  to use FF.

It always worked fine so I know ESET is blocking it somewhere but I have no clue where to look 😀

Any help would be appreciated

 

 

Edited August 2, 2019 by URBAN0

[cyberhash 194]

At a guess i would say this is more down to issues with the browser. Im the same, it works in ms edge , but fails to load in firefox.

Since firefox 67 i have had various issues on websites , so its nothing new

[URBAN0 14]

If I disable SSL scanning it works fine.

What are my options I would like to use Firefox, Is there anything I can do without imposing security to make it work I don't think disabling SSL scanning is one of the options 😀 

Edited August 1, 2019 by URBAN0

[URBAN0 14]

😶

Edited August 1, 2019 by URBAN0

[itman 1,717]

22 minutes ago, URBAN0 said:

If I disable SSL scanning it works fine.

Yes. It is an Eset issue.

Add this IP address, 204.41.16.53, to Excluded IP addresses in the Eset Protocol Filtering section. You should now be able to connect to the site in FireFox w/o issues.

Looks like we found another Eset SSL/TLS protocol filtering bug ...........☹️

[URBAN0 14]

3 minutes ago, itman said:

Yes. It is an Eset issue.

Add this IP address, 204.41.16.53, to Excluded IP addresses in the Eset Protocol Filtering section. You should now be able to connect to the site in FireFox w/o issues.

Looks like we found another Eset SSL/TLS protocol filtering bug ...........☹️

Wonderful, ESET to the rescue.

Works perfect

Thank you so much

[itman 1,717]

Just now, URBAN0 said:

Wonderful, ESET to the rescue.

You mean itman to the rescue.

Eset needs to definitely check this one out since everything about the cert. setup looks OK as evidenced by Firefox allowing the connection.

[cyberhash 194]

Hmm the same SSL certificate is present in edge and works perfectly.

[cyberhash 194]

[URBAN0 14]

12 minutes ago, itman said:

You mean itman to the rescue.

Eset needs to definitely check this one out since everything about the cert. setup looks OK as evidenced by Firefox allowing the connection.

Yes itman is the man 👌

Thank you my friend

[URBAN0 14]

6 minutes ago, cyberhash said:

Yes it works fine in IE as well

[itman 1,717]

Per the below IE11 certificate chain screen shot, suspect the double root cert. setup is the issue. Firefox might handle this differently than browsers that use the Win root CA certificate store.

Edited August 1, 2019 by itman

[itman 1,717]

Below is the cert. chain relationship in FireFox. Believe this is indeed a cert. pinning issue.

[itman 1,717]

Someone using Chrome should also test using this web site. Believe there will be pinning issues with it as well.

Edited August 1, 2019 by itman

[cyberhash 194]

As it's a problem that's very limited in the amount of sites that it affects , i am still inclined to believe its an issue that firefox is creating itself. If it was Purely a firefox-Eset certificate issue , then all sites would be affected in firefox.

Could be the way that firefox renders code from certain pages. Or the newly introduced "standard" security measures built into the newer builds of firefox. As this part where you should be able to click on the "site information or padlock icon" in firefox should allow you to exclude these sites from the inbuilt security features baked into the browser .......... and it's not present(faulty).

This is probably the 3rd site that i have seen with the same issue, from the pile of websites that i frequently visit.

Id personally just use another browser for a single website , rather than going and temporarily disabling ssl or creating any sort of exclusions just to have it work in firefox. But that's down to personal preference.
 

[itman 1,717]

The issue in this instance is not the fact that Eset SSL/TLS protocol scanning prevented a legitimate gov. web site from rendering in a browser although that is a concern. The primary issue is that Eset failed to display the proper alert as to why the communication was being blocked.

[Marcos 5,158]

Reported to developers. It could be that the website works in a way that doesn't comply with RFC standards. We'll see what they will say about it.

[itman 1,717]

The reason the connection to this web site and others like it will failed is shown in the below ssllabs.com analysis screen shot. Note that the web site can employ two certificate pinning validation methods. Path 2 is specifically for detecting man-in-the-middle interception which of course what Eset is performing. It also appears that FireFox supports the Path 2 validation method whereas neither IE11 or Edge do. 

Edited August 2, 2019 by itman

[Posolsvetla 15]

We cannot fix this issue on our side, it's a server side bug.
I suggest to contact the web page administrator and to use a different browser than Firefox until they fix it.
If they want some technical details, they can send me a PM here on this forum with such request.
The easiest fix I would suggest to them is to upgrade their server (or update its configuration), the support of cipher suites as they have now is pretty bad...
https://www.ssllabs.com/ssltest/analyze.html?d=www.one-key.gov.on.ca

[URBAN0 14]

This is the only side so far that I found this  issue and my wife doesn't use it on daily bases  so no big deal    I don't mind using IE works fine

 

I love my ESET Internet Security, its breath of fresh air compare to any other security software, its so light.

 

This is great forum, thanks everyone

 

Edited August 2, 2019 by URBAN0

[itman 1,717]

Technically speaking, the web site was downgraded by ssllabs.com because it doesn't support Forward Secrecy:

Quote

Penalty for not using forward secrecy (B)

Forward secrecy (FS) also known as perfect forward secrecy (PFS), is a property of secure communication protocols in which compromises of long-term keys does not compromise past session keys. Forward secrecy protects past sessions against future compromises of private key. The very popular RSA key exchange doesn’t provide forward secrecy. You need to support and prefer ECDHE suites in order to enable forward secrecy with modern web browsers.

SSL Labs will start penalizing servers that don’t support forward secrecy; Grade will be capped to B. We will not penalize sites that use suites without forward secrecy provided they are never negotiated with clients that can do better.

https://blog.qualys.com/ssllabs/2018/02/02/forward-secrecy-authenticated-encryption-and-robot-grading-update

Edited August 2, 2019 by itman

[itman 1,717]

Also as noted by another SSL checker web site: https://www.sslshopper.com/ssl-checker.html#hostname=https://www.one-key.gov.on.ca/iaalogin/IAALogin.jsp , there is nothing wrong with the way certificates are being chained.

Edited August 2, 2019 by itman

[URBAN0 14]

45 minutes ago, itman said:

Also as noted by another SSL checker web site: https://www.sslshopper.com/ssl-checker.html#hostname=https://www.one-key.gov.on.ca/iaalogin/IAALogin.jsp , there is nothing wrong with the way certificates are being chained.

You are truly champ in forum activities 👌

You are indeed very needed member 👍

Thanks itman

Edited August 2, 2019 by URBAN0

[Posolsvetla 15]

It turned out there are more such misbehaving servers, so we had to implement a workaround on our side.
It will be delivered by the automatic module updates, expected time is within 2 weeks.