This topic is now archived and is closed to further replies.

Hello Guys

I can't log in to this website via Firefox. It works fine with IE, but for an unknown reason, at least to me, I get a blank page.

https://www.one-key.gov.on.ca/iaalogin/IAALogin.jsp

It's a government website that my wife deals with, so I made a shortcut that is linked directly to the website, and by default I set it to use FF.

It always worked fine so I know ESET is blocking it somewhere but I have no clue where to look 😀

Any help would be appreciated

 

 


At a guess I would say this is more down to issues with the browser. I'm the same: it works in MS Edge, but fails to load in Firefox.

Since Firefox 67 I have had various issues on websites, so it's nothing new :(


If I disable SSL scanning it works fine.

What are my options? I would like to use Firefox. Is there anything I can do without imposing on security to make it work? I don't think disabling SSL scanning is one of the options 😀

22 minutes ago, URBAN0 said:

If I disable SSL scanning it works fine.

Yes. It is an Eset issue.

Add this IP address, 204.41.16.53, to Excluded IP addresses in the Eset Protocol Filtering section. You should now be able to connect to the site in FireFox w/o issues.

Looks like we found another Eset SSL/TLS protocol filtering bug ...........☹️

3 minutes ago, itman said:

Yes. It is an Eset issue.

Add this IP address, 204.41.16.53, to Excluded IP addresses in the Eset Protocol Filtering section. You should now be able to connect to the site in FireFox w/o issues.

Looks like we found another Eset SSL/TLS protocol filtering bug ...........☹️

Wonderful, ESET to the rescue.

Works perfect

Thank you so much

Just now, URBAN0 said:

Wonderful, ESET to the rescue.

You mean itman to the rescue.

Eset needs to definitely check this one out since everything about the cert. setup looks OK as evidenced by Firefox allowing the connection.


Hmm, the same SSL certificate is present in Edge and works perfectly.

12 minutes ago, itman said:

You mean itman to the rescue.

Eset needs to definitely check this one out since everything about the cert. setup looks OK as evidenced by Firefox allowing the connection.

Yes itman is the man 👌

Thank you my friend

6 minutes ago, cyberhash said:

site.jpg

Yes it works fine in IE as well


Per the below IE11 certificate chain screen shot, suspect the double root cert. setup is the issue. Firefox might handle this differently than browsers that use the Win root CA certificate store.

Eset_Cert.png.7baebbec81366fc168b03c46689a0ebc.png


Below is the cert. chain relationship in FireFox. Believe this is indeed a cert. pinning issue.

Eset_Cert_2.thumb.png.588c179c0efe62e5c674b9695f67c13e.png


Someone using Chrome should also test using this web site. Believe there will be pinning issues with it as well.


As it's a problem that's very limited in the number of sites that it affects, I am still inclined to believe it's an issue that Firefox is creating itself. If it was purely a Firefox-Eset certificate issue, then all sites would be affected in Firefox.

Could be the way that Firefox renders code from certain pages. Or the newly introduced "standard" security measures built into the newer builds of Firefox. As this part where you should be able to click on the "site information or padlock icon" in Firefox should allow you to exclude these sites from the inbuilt security features baked into the browser .......... and it's not present (faulty).

This is probably the 3rd site that I have seen with the same issue, from the pile of websites that I frequently visit.

I'd personally just use another browser for a single website, rather than going and temporarily disabling SSL or creating any sort of exclusions just to have it work in Firefox. But that's down to personal preference.
 


The issue in this instance is not the fact that Eset SSL/TLS protocol scanning prevented a legitimate gov. web site from rendering in a browser although that is a concern. The primary issue is that Eset failed to display the proper alert as to why the communication was being blocked.


Reported to developers. It could be that the website works in a way that doesn't comply with RFC standards. We'll see what they will say about it.


The reason the connection to this web site and others like it will fail is shown in the below ssllabs.com analysis screen shot. Note that the web site can employ two certificate pinning validation methods. Path 2 is specifically for detecting man-in-the-middle interception, which of course is what Eset is performing. It also appears that Firefox supports the Path 2 validation method whereas neither IE11 nor Edge does.

Eset_FF.thumb.png.a0768690459748dd249514f35feac728.png


We cannot fix this issue on our side, it's a server side bug.
I suggest contacting the web page administrator and using a different browser than Firefox until they fix it.
If they want some technical details, they can send me a PM here on this forum with such request.
The easiest fix I would suggest to them is to upgrade their server (or update its configuration), the support of cipher suites as they have now is pretty bad...
https://www.ssllabs.com/ssltest/analyze.html?d=www.one-key.gov.on.ca


This is the only site so far where I found this issue, and my wife doesn't use it on a daily basis, so no big deal. I don't mind using IE; it works fine.

I love my ESET Internet Security, it's a breath of fresh air compared to any other security software, it's so light.

This is a great forum, thanks everyone

 


Technically speaking, the web site was downgraded by ssllabs.com because it doesn't support Forward Secrecy:

Quote

Penalty for not using forward secrecy (B)

Forward secrecy (FS) also known as perfect forward secrecy (PFS), is a property of secure communication protocols in which compromises of long-term keys does not compromise past session keys. Forward secrecy protects past sessions against future compromises of private key. The very popular RSA key exchange doesn’t provide forward secrecy. You need to support and prefer ECDHE suites in order to enable forward secrecy with modern web browsers.

SSL Labs will start penalizing servers that don’t support forward secrecy; Grade will be capped to B. We will not penalize sites that use suites without forward secrecy provided they are never negotiated with clients that can do better.

https://blog.qualys.com/ssllabs/2018/02/02/forward-secrecy-authenticated-encryption-and-robot-grading-update

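The SSL Labs rule quoted in the post above, as an added example that is not part of the original post: it classifies cipher suites by key exchange and reports when a client that shares a forward-secret suite with the server still ends up on a non-FS suite. The function names, the simplified "first match in the preferred list" negotiation and the suite lists are assumptions constructed for illustration; they are not the configuration of the site discussed in this thread.

```python
# Added illustration. Suite names are real IANA names, but the server and
# client lists are constructed samples, not measurements of any real host.
FS_KEY_EXCHANGES = ("ECDHE", "DHE")  # ephemeral Diffie-Hellman key exchanges


def has_forward_secrecy(suite):
    """Classify an IANA cipher suite name by its key exchange."""
    if "_WITH_" not in suite:
        # TLS 1.3 names (e.g. TLS_AES_128_GCM_SHA256) carry no key exchange;
        # certificate-based TLS 1.3 handshakes always use ephemeral (EC)DHE.
        return suite.startswith("TLS_")
    kx = suite[len("TLS_"):].split("_WITH_")[0].split("_")[0]
    return kx in FS_KEY_EXCHANGES  # RSA, and static DH/ECDH, are not FS


def negotiate(server_suites, client_suites, server_preference=True):
    """Simplified selection: first suite in the preferred list that both share."""
    first, second = ((server_suites, client_suites) if server_preference
                     else (client_suites, server_suites))
    return next((s for s in first if s in second), None)


def fs_findings(server_suites, clients, server_preference=True):
    """Return (server_supports_fs, [(client, chosen_suite), ...]) where the
    list holds clients that could have had FS but negotiated a non-FS suite."""
    supports_fs = any(has_forward_secrecy(s) for s in server_suites)
    downgraded = []
    for name, offered in clients.items():
        chosen = negotiate(server_suites, offered, server_preference)
        could_do_better = any(s in server_suites and has_forward_secrecy(s)
                              for s in offered)
        if chosen and not has_forward_secrecy(chosen) and could_do_better:
            downgraded.append((name, chosen))
    return supports_fs, downgraded


# Constructed sample data
RSA_ONLY = ["TLS_RSA_WITH_AES_256_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA"]
MISORDERED = ["TLS_RSA_WITH_AES_128_GCM_SHA256",
              "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"]
CLIENTS = {
    "modern": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
               "TLS_RSA_WITH_AES_128_GCM_SHA256"],
    "legacy": ["TLS_RSA_WITH_AES_128_CBC_SHA",
               "TLS_RSA_WITH_AES_128_GCM_SHA256"],
}

if __name__ == "__main__":
    print(fs_findings(RSA_ONLY, CLIENTS))    # no FS support at all
    print(fs_findings(MISORDERED, CLIENTS))  # FS supported but not preferred
```

The first case corresponds to "servers that don't support forward secrecy"; the second is a server that supports ECDHE but prefers an RSA key exchange, so a capable client is negotiated down.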
45 minutes ago, itman said:

Also as noted by another SSL checker web site: https://www.sslshopper.com/ssl-checker.html#hostname=https://www.one-key.gov.on.ca/iaalogin/IAALogin.jsp , there is nothing wrong with the way certificates are being chained.

You are truly a champ in forum activities 👌

You are indeed a very needed member 👍

Thanks itman


It turned out there are more such misbehaving servers, so we had to implement a workaround on our side.
It will be delivered by the automatic module updates, expected time is within 2 weeks.
