ESET SSL on Firefox cant access website

[Dusan 2]

After some more testing, i think its not cert. problem here.

When i disable SSD/TLS, i cant log to website anymore. When i disable Application protocol content filtering, and left SSL/TLS enabled i can log on to website and 2FA is working fine. I left protocol content filtering disabled for a 20 minutes, and i log on to web site every time.

So i think its not problem with cert. anymore. Can you tell me what can i do to exclude protocol filtering on that website?

I tried to add IP address but no success there.

Edited April 3, 2021 by Dusan

[Dusan 2]

1 minute ago, itman said:

I found a YouTube video by CEX that explains the 2FA processing. It certainly looks like a web page to me. And again, I suspect it is using a different cert. than the rest of the cex.io web site.

Also here: https://support.cex.io/en/articles/4383389-two-factor-authentication-2fa-troubleshooting-tips , there is wording about Google Authenticator . Are you using that?

Yes im using Google Authenticator and im using that web site for a few years and didint have a problem until few monts ago.

And, yes its web page.

[itman 1,659]

15 minutes ago, Dusan said:

Can you tell me what can i do to exclude protocol filtering on that website?

Add cex.io domain to List of Allowed Addresses per below screen shot. I am not sure if this totally bypasses SSL/TLS protocol scanning. Ignore my "Notify when applying" and "Logging severity" settings:

[itman 1,659]

23 minutes ago, Dusan said:

Yes im using Google Authenticator

How is this possible in Firefox? It's a Google store app and doesn't exist in FireFox's add-on list.

[itman 1,659]

Also what is the URL shown for the cex.io 2FA web page? If it is not cex.io something, what we are attempting is not going to work.

[Dusan 2]

28 minutes ago, itman said:

Add cex.io domain to List of Allowed Addresses per below screen shot. I am not sure if this totally bypasses SSL/TLS protocol scanning. Ignore my "Notify when applying" and "Logging severity" settings:

I must say, problem with cert. is solved. Now its problem with protocol scanning, im sure. I tried this method and nothing.

21 minutes ago, itman said:

How is this possible in Firefox? It's a Google store app and doesn't exist in FireFox's add-on list.

I use Google Authenticator on my phone to get acceess code to log in.

18 minutes ago, itman said:

Also what is the URL shown for the cex.io 2FA web page? If it is not cex.io something, what we are attempting is not going to work.

Its same address as home page, only subdomain is ../auth/login.

I attach picture with protocol filtering disabled, there you can see address.

[itman 1,659]

33 minutes ago, Dusan said:

Its same address as home page, only subdomain is ../auth/login.

As you can see by the below screen shot, I can access that domain without issue. I obviously can't get to the 2FA web page w/o a valid logon for the site and having 2FA enabled.

On the 2FA web page you posted, check the cert. and verify it matches info listed for cex.io cert. added to Eset List of known certificates. However since the URL is the same as that for logon web page, I would suspect its using the same cert.. It really is starting to look like the 2FA processing is detecting Eset "in the web site examination loop" in some fashion and is blocking further 2FA processing.

BTW - I was able to add cex.io to List of known certificates via URL method w/o issue with SSL/TLS protocol scanning enabled. Perhaps you didn't specify the URL correctly. It must be https://cex.io

[itman 1,659]

2 hours ago, Dusan said:

I tried to add IP address but no success there.

Did you add all the following? Per Robtex: https://www.robtex.com/ lookup:

Quote

The IP numbers are 104.20.33.190, 104.20.34.190, 104.20.147.108 and 104.20.148.108.

 

Edited April 3, 2021 by itman

[Dusan 2]

1 hour ago, itman said:

As you can see by the below screen shot, I can access that domain without issue. I obviously can't get to the 2FA web page w/o a valid logon for the site and having 2FA enabled.

On the 2FA web page you posted, check the cert. and verify it matches info listed for cex.io cert. added to Eset List of known certificates. However since the URL is the same as that for logon web page, I would suspect its using the same cert.. It really is starting to look like the 2FA processing is detecting Eset "in the web site examination loop" in some fashion and is blocking further 2FA processing.

BTW - I was able to add cex.io to List of known certificates via URL method w/o issue with SSL/TLS protocol scanning enabled. Perhaps you didn't specify the URL correctly. It must be https://cex.io

I can also access domain without issue. Only problem is when i enter email and password, and press sign in it just loading and cant get to 2FA. I added one URL, but later i added several options just to cover all URL. You can see in picture that i attach.

52 minutes ago, itman said:

Did you add all the following? Per Robtex: https://www.robtex.com/ lookup:

 

I didnt use Robtex, i find DNS records over other metods but i checked on robtex and its same addresses.

You can check on picture that i attach. But still no success.

[itman 1,659]

Since this thread has gotten way to long, I am going to wrap my comments up with the following.

I believe the issue here is the use of Google Authenticator and how the resultant generated 2FA code is entered on the web page. Why that is Eset will have to check out.

You might consider receiving the 2FA code via cell phone text message and manually entering it on the web page. I have strong suspicions that will work.

[Dusan 2]

13 hours ago, itman said:

Since this thread has gotten way to long, I am going to wrap my comments up with the following.

I believe the issue here is the use of Google Authenticator and how the resultant generated 2FA code is entered on the web page. Why that is Eset will have to check out.

You might consider receiving the 2FA code via cell phone text message and manually entering it on the web page. I have strong suspicions that will work.

Im not sure that issue is Google Authennticator because everything is working fine as soon as i disable protocol scanning on ESET. And also, on computer without ESET i can log into web site without problem from Firefox.

But thank you very much on assistance, i will test once more to see what can be the problem.

[itman 1,659]

A lot of web sites use Google Authenticator: https://www.techrepublic.com/blog/google-in-the-enterprise/use-google-authenticator-to-securely-login-to-non-google-sites/ . This is the first instance in the forum I know of where a user has an issue with it using Eset.

I would contact cex.io tech support and discuss the issues you are having in regards to Eset use and their use of Google Authenticator. Hopefully, they can shed some light on where the problem is.

Edited April 4, 2021 by itman

[Dusan 2]

45 minutes ago, itman said:

A lot of web sites use Google Authenticator: https://www.techrepublic.com/blog/google-in-the-enterprise/use-google-authenticator-to-securely-login-to-non-google-sites/ . This is the first instance in the forum I know of where a user has an issue with it using Eset.

I would contact cex.io tech support and discuss the issues you are having in regards to Eset use and their use of Google Authenticator. Hopefully, they can shed some light on where the problem is.

Ok thank you very much for help.

[itman 1,659]

I have another theory. This one is a bit "far out," but who knows?

You stated when you disabled Eset "Application protocol content filtering," there were no issues with cex.io 2FA processing. The only difference between disabling this setting and disabling SSL/TLS protocol scanning is that disabling Application protocol content filtering also disables Eset IMAPS and POPS e-mail scanning.

I noticed that Google e-mail servers are associated with cex.io. One of them is a verification server.

What may be happening here is that the cex.io 2FA web page processing is initiating either an IMAPS or POPS connection to the Google e-mail servers. For some unknown reason, Eset client e-mail processing is interfering with this and causing the entire 2FA processing to fail.

As a test, temporarily disable Eset e-mail protocol scanning per the below screen shot and see if that allows the 2FA processing to work w/o issue.

 

[Dusan 2]

Ok, i tried but still the same problem. But i tried for a hour every option, to enable/disable to idenrify exact problem.

So with disabled Protocol filtering option, which is cause of the problem i can access web site only like that.

But reading you post i tried to isolate problem even more further. When i leave Protocol filtering enabled, and disable only HTTP Scanner setup, i can access web site. So this function denying access to web site, but im not sure what can i try to exlude or avoid this option.

Just to mention that i tried only to disable HTTPS Scanner setup and leave HTTP Scanner setup enabled but it did not work.

I attach picture to see what option i need to disable to access web site, even when i leave protocol filtering enabled.

Also, i checked web site and its HTTPS protocol, even on 2FA page, so im sure what this option had to to with it.

Edited April 5, 2021 by Dusan

[itman 1,659]

2 hours ago, Dusan said:

When i leave Protocol filtering enabled, and disable only HTTP Scanner setup, i can access web site. So this function denying access to web site, but im not sure what can i try to exlude or avoid this option.

Yes, this makes sense since it was the last available option available we didn't test.

I was observing cex.io/auth/logon connections using TCPView and noted that HTTP connections were being established for 104.20.148.108. However, this was an IP address previously excluded from Eset protocol scanning to no avail.

At this point, your best approach is contacting cex.io tech support and ask why HTTP is being used in the first place in their 2FA processing. That doesn't appear right to me. Then you can explain to them the issues you are having with their 2FA processing when using Eset's protocol scanning protection.

[Dusan 2]

Ok, so we tested all and we found cause of the problem.

Whan can i say, thank you very much for help. I will contact them to try to resolve this.

[itman 1,659]

One final comment.

This cex.io web site uses Clouldfare servers. You stated this 2FA issue you are having just started recently. CloudFlare recently introduced a protection against magacard attackes described here: https://www.bleepingcomputer.com/news/security/cloudflare-page-shield-early-warning-system-for-malicious-scripts/ .  It is possible this web site is using this new feature and it is conflicting with Eset protocol scanning.

Again, you need to contact cex.io about this issue with Eset protocol scanning.

[Dusan 2]

Ok thanks. I just read this and it can be cause of this problem.