Closed Bug 307525 Opened 19 years ago Closed 10 years ago

nwolb.com/natwest.com - NatWest Online blocks non-Firefox Gecko browsers (including beta/nightly Firefox aka Minefield)

Categories

(Web Compatibility :: Site Reports, defect)

Type: defect, Priority: Not set, Severity: major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: u63580, Assigned: u63580)

Details

(Keywords: ecommerce, top50, Whiteboard: [BANKING] [DENY])

The recent update to NatWest online banking blocks nightlies and FF1.5beta1rc,
despite claiming to support "Firefox 1.0 and above".  Attempting to log in using
1.5beta1rc gives the message:

"The Internet browser you are using is not supported by OnLine Banking. Please
use a recent version of Internet Explorer, Netscape, Mozilla, Firefox, Safari or
AOL (PC Only)."

I have been in e-mail contact with NatWest, and am pursuing the problem.  I will
assign the bug myself, and will report back any progress.  Please let me know
what the Mac/Linux status of this is, so I can pass on problems to the bank.

Bug 66911 was about previous problems with NatWest.  However, this is a new
issue after they have altered their site, which was previously okay with
nightlies (up to late August 2005).  So I haven't reopened the previous bug -
they do now seem to be a little more willing to be helpful!
Summary: NatWest Online banking (www.nwolb.com) blocks FF 1.5beta and nightlies → nwolb.com - NatWest Online banking blocks FF 1.5beta and nightlies
Update: NatWest have now changed their message slightly.  It now says (for PC):

Microsoft® Internet Explorer
version 5 and 6
or
Netscape™ Navigator™
version 7.1 and up
or
Mozilla 1.5 and up
or
AOL 8.0 and up (AOL subscribers only)
or
Firefox 1.0

Note that the earlier "1.0 and above" for FF is now firmly just 1.0 (but Mozilla
is 1.5 and above).  Not good, but at least no longer misleading.

Had a response from the bank.  Key paragraph:

"As the Mozilla Firefox 1.5 is a beta version NatWest OnLine Banking will not
support it as it has not gone live as the final version, once the final
version has been released and has met the OnLine Banking requirements we
will then add it to our list of supported browsers."

So the good news is this should be sorted, but the bad is that only when 1.5 is
released.  So if there is anything wrong, it will only be obvious at that point.
 Will leave bug open pending the release of 1.5.
(In reply to comment #2)

cool. Can you switch your user agent string to Firefox 1.0.6 and test if the
site works ok without any regressions in Firefox 1.5?
(In reply to comment #3)
> (In reply to comment #2)
> 
> cool. Can you switch your user agent string to Firefox 1.0.6 and test if the
> site works ok without any regressions in Firefox 1.5?

I've tried that from about:config.  No joy - I still can't get in, but can from
a "genuine" copy of 1.0.6.
How far do you get before you see the blocked message? I can get to the login
page using the ua switcher in my sidebar <http://bclary.com/2004/06/06/sidebars>.
Severity: normal → major
Keywords: top50
Hardware: PC → All
*** Bug 308243 has been marked as a duplicate of this bug. ***
Altering the version of FF in the user agent to 1.0.6 gets me nowhere - I can't
get to the login page.  So they must use the whole UA string, I guess.
(In reply to comment #7)

If you wouldn't mind installing the ua sidebar, it will switch the entire ua
string along with the navigator.platform, navigator.appName and
navigator.appVersion which defeats most ua sniffers. It would help to know if
there are any problems in the upcoming Firefox 1.5 before we release ;-)
(In reply to comment #8)
> If you wouldn't mind installing the ua sidebar, it will switch the entire ua
> string along with the navigator.platform, navigator.appName and
> navigator.appVersion which defeats most ua sniffers. It would help to know if
> there are any problems in the upcoming Firefox 1.5 before we release ;-)

Sorry for the delay.  Have used this as requested - all seems fine.  I get in,
and everything seems to work.  So the only problem is getting access without
spoofing the UA.
In order to spoof yourself as Firefox you need to change both the Gecko release
version and the browser version.

This transforms the following UA:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b5) Gecko/20050927 Firefox/1.4

into the following UA:

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20050927 Firefox/1.0

The NatWest site's sniffer is checking both tokens; changing both of them fools
it into letting me in.

Should [BANKING] [DENY] be added to the whiteboard, as was done with bug 66911?
(In reply to comment #10)
> 
> Should [BANKING] [DENY] be added to the whiteboard, as was done with bug 66911?

Done.

What do we do when 1.5 is released, assuming NatWest are happy to allow access?
 The nightlies will still be blocked, on an ongoing basis.  So leave this one
open, or open a new bug specific to nightlies?
Whiteboard: [BANKING] [DENY]
(In reply to comment #11)

If they intentionally block nightlies, there is not much we can do about it. I
would say document it here for others to notice.
*** Bug 311902 has been marked as a duplicate of this bug. ***
I've emailed them back regarding what they intend to do after the 1.5 release and whether they'll change their policy regarding allowing non-official builds but so far no reply. If and when I do, I'll post what they say here.
From what I got from them, I think they are only going to allow in official builds. 
*** Bug 315058 has been marked as a duplicate of this bug. ***
*** Bug 316105 has been marked as a duplicate of this bug. ***
It worked with Mozilla nightlies before.  But now it's changed its name back to SeaMonkey, it's shutting it out.

While it may take them a while to learn HTML and therefore get the site working universally, the least they can do is stop sniffing once they get past the "Gecko" bit of the UA string.
Summary: nwolb.com - NatWest Online banking blocks FF 1.5beta and nightlies → nwolb.com - NatWest Online banking blocks nearly every browser on the planet, including FF 1.5beta and nightlies and the so-rebranded SeaMonkey
Summary: nwolb.com - NatWest Online banking blocks nearly every browser on the planet, including FF 1.5beta and nightlies and the so-rebranded SeaMonkey → nwolb.com - NatWest Online blocks FF 1.5beta, RCs and nightlies, and also SeaMonkey
Stewart, my point with putting "nightlies" was that it was any nightlies, not purely FF.  I've altered the summary to reflect the fact this isn't only a problem for FF, but also SeaMonkey.  

From what I've had from NatWest, I think the problem they have with browsers not on their list is security, not display (they currently still deny any copy of Opera, AFAIK, for this reason).  I've pointed out to them that their idea of "security" is rather restrictive (new versions of FF/Mozilla/anything else are likely to be more, not less, secure).  However, they stick to the very short list they've decided on.
Good news!  I can get in with the build I'm using today:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051121 Firefox/1.5

Are things working in the rc?
Seeing this as working in the RCs.

Closing
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
How can seeing it working in RCs confirm that they've got it working in the nightlies?
Comment #20 sees it working in the nightlies
Comment #21 sees it working in the RCs

Natwest changed their code, it works.
Damn, 'tis back again!  All seemed fine with the branch nightlies for 1.5, with the release candidates, etc.  But we're back to "locked out" with 1.6a1 nightlies.  Updating summary (again) to reflect this.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Summary: nwolb.com - NatWest Online blocks FF 1.5beta, RCs and nightlies, and also SeaMonkey → nwolb.com - NatWest Online blocks FF trunk nightlies, and also SeaMonkey
Is this an issue?  Natwest have stated that they will only ever support official releases, so anything not released like 1.5 will be blocked.
Do you have the exact words of this statement?  "Support" is rather ambiguous.  Anyway, that does tell us something: our evangelism is to oppose this decision.  There's no excuse for us on the cutting edge being treated as third-class citizens.
Read Comment #2

Would you allow your bank to support a browser that hasn't been tested properly?  1.5 is allowable but a nightly that could crash or have holes that haven't been picked up yet isn't a good idea.
> Read Comment #2
> 
> Would you allow your bank to support a browser that hasn't been tested
> properly.

If it means that I can get at my money, then yes?

> 1.5 is allowable but a nightly that could crash or have holes that
> haven't been picked up yet isn't a good idea.

All browsers have bugs.  And all browsers crash from time to time.  What are "the OnLine Banking requirements" anyway?
Blocks: 124594
Just tried as of 10/12/05 and nwolb.com is still stating that only 1.5 is supported when using FF 1.5
One of the best references/recommendations I've found for encouraging financial institutions to support Firefox is located at bankers on-line web site

http://www.bankersonline.com/security/security_browserthreat070204.html 

It was written in 2004 during the download.ject attack, but much of it still applies today.  This is a good link to send when contacting banks.
Seems to work for FF 1.5.0.7 (a release), opened bug 353131 for SM 1.0.x issue (which is also a release). FF 3.0a1 and FF 2.0a1 do not work, as don't SM 1.1a and SM 1.5a all of which are not releases.
(In reply to comment #31)
> Seems to work for FF 1.5.0.7 (a release), opened bug 353131 for SM 1.0.x issue
> (which is also a release). FF 3.0a1 and FF 2.0a1 do not work, as don't SM 1.1a
> and SM 1.5a all of which are not releases.
> 

My understanding from NatWest is that they have decided only to support formal "release" versions of any browsers, and then only browsers they have tested.  For reasons unclear to me, they think that security may be compromised in nightly/beta versions (not only Mozilla ones, although I find IE 7beta works).

BTW, I was hoping to keep the entire issue in this bug (hence have updated summary several times).  I was under the impression TE bugs were not split up by product.  
I should point out that in the summary here I have deliberately split FF nightlies from Seamonkey  - I was hoping to imply that with FF it was a problem only with non-release versions but with Seamonkey it was a blanket problem.  Any suggestions for an all-embracing summary? Perhaps:

nwolb.com - NatWest Online blocks: Firefox (nightlies and betas), Seamonkey (all versions), other Gecko-based browsers
(In reply to comment #33)
> I should point out that in the summary here I have deliberately split FF
> nightlies from Seamonkey  - I was hoping to imply that with FF it was a problem
> only with non-release versions but with Seamonkey it was a blanket problem. 
> Any suggestions for an all-embracing summary? Perhaps:
> 
> nwolb.com - NatWest Online blocks: Firefox (nightlies and betas), Seamonkey
> (all versions), other Gecko-based browsers
> 
Sounds good to me as long as you say "SeaMonkey" (note capitalisation) and you cc the guy from RBS that is on the other bug when you dupe it.

Summary: nwolb.com - NatWest Online blocks FF trunk nightlies, and also SeaMonkey → nwolb.com - NatWest Online blocks: Firefox (nightlies and betas), SeaMonkey (all versions), other Gecko-based browsers
*** Bug 353131 has been marked as a duplicate of this bug. ***
Updated description, added cc and duped other bug.
Stuart from RBSG here, as has been noted by some of the above posts it is our policy to only support released/final versions of browsers, this is the reason the Firefox 2.0 betas and release candidates are not currently able to access our site. Where possible we do add support for new browsers early and this is why some of you may have been able to access with IE7 recently. Firefox 2.0 is next on our plan of browser additions and we anticipate this being added in the near future, following RC3.

The above policy ensures there is rigorous security testing before the browser is supported. We also have to prioritise new additions to our supported browser list by usage figures. If SeaMonkey becomes more widely used, we will re-consider our options to progress support.

(In reply to comment #37)

Stuart, Thank you for responding here. I think we all really appreciate your effort to explain your position and to listen to our comments. 

On the surface, your position of only supporting final releases of browsers due to security concerns is reasonable; however, when you think about it in more detail the policy is flawed in several ways.

What do you do about final released versions of browsers which have had public vulnerabilities announced? Looking at your supported browser list:

PC Users
Microsoft® Windows 95/98/ME/NT4/2000 or XP:
Microsoft® Internet Explorer
version 5 and 6
or
Netscape™ Navigator™
version 7.1 and up
or
Mozilla 1.5 and up
or
AOL 8.0 and up (AOL subscribers only)
or
Firefox 1.0

MAC Users
	OS 8.1 to 9.2




OS X 	Microsoft® Internet Explorer version 5.1.7
or
Mozilla 1.2.1


Netscape™ Navigator™ version 7.1 and up
or
Mozilla 1.5 and up
or
Firefox 1.0
or
Safari 1.3 and 2.0

I see operating systems and browsers which are no longer supported and which are not receiving security updates. Even supporting Firefox 1.0.x for x < 7 means you are allowing Firefox users with vulnerable browsers to access your site.

So really, your security concerns about new browsers are misplaced and your policy does nothing to improve your customers' security.

I ask that you bring this to the attention of those at your Bank who are responsible for policy decisions.

Thanks,
Bob
Bob - you begin to take the words out of my mouth.  Moreover, looking at "Mozilla 1.5 and up" on the list, it would appear that versions stopped being added to the "support" list the moment Mozilla was renamed to SeaMonkey.  But why?
Stuart, I was thinking about this a bit more and have a couple of more points I would like to bring up. 

People who use development versions of Firefox such as Bon Echo (the basis for the upcoming Firefox 2 release), and Minefield (the basis for next year's Firefox 3), Camino, SeaMonkey and the other Gecko-based browsers are, almost by definition, pretty savvy internet users who know what they are doing. You aren't really doing them a favor by blocking their use of their browser of choice.

These people are also very good at understanding issues that browsers have with web sites and are good at providing us with feedback by filing bugs when the browser behaves incorrectly. They, in effect, are doing quality assurance testing not only of your web content but of our browsers as well. By allowing them to access your content with development and alternative browsers, you are making sure that any browser bugs that are exhibited on your site are identified earlier rather than later. By blocking these users you risk the chance that a regression in a new release might affect many more of your users than if the problem had been identified earlier in the development cycle.

They also can be a good source of feedback for your web development team as well. I know it may seem annoying to keep having people complain about cross-browser support issues, but there is a positive side to it. By helping you identify cross-browser support issues in your content, they help make your site better, and more easily maintained.

So, not only is the blocking of these browsers not increasing your users' security, it actually makes your support and development more difficult.
Just to add to the above, people using development builds are also the most likely people to simply spoof their UA string so they can get in.  I certainly do.
Hi, Stuart here again. 

Thanks for your feedback. This should answer a few of the questions posted after my last entry. 

The browser policy which we have is designed to protect our customers when using our sites. We understand your comments regarding the support of older browsers which no longer receive security updates and we would always recommend that a customer installs the latest and most secure version of their browser. However if customers do not actively update their browser, for whatever reason, we will check that the browser works securely with our services. There are a number of browsers which are not on our supported list, not because they have known security vulnerabilities but because they have caching issues which may affect the use of our service.

As stated earlier in this bug we do try to add support for new browsers in advance of their release however we do wait for a stage where the browser is near completion before we do so. This allows us to complete our security tests on a version of the browser which is as close to the release code as possible. We are aware that it is possible to access with some workarounds on pre-release versions however for the best experience from a visual and security aspect we would always recommend you use one of our supported browsers.
(In reply to comment #42)

> The browser policy which we have is designed to protect our customers when
> using our sites.

"Protecting" your users by completely denying entry to their browser of choice simply because you don't believe testing that browser is worth your while is not good customer service.

At the minimum, you should allow users into your site with *any* user-agent, but put up a warning saying "We cannot verify the security or compatibility of your browser with this site. Do you wish to continue?"

This, at least, allows your users some control over the matter.

Bob Clary is right on in comment 40 when he states that people using development versions of Firefox/Camino/Seamonkey/etc. are extremely likely to be savvy enough to know precisely what they're doing, and excluding these users is likely to have a ripple effect: they'll be displeased with your bank, and they're likely to tell others about the problems they've had with your site, which can't possibly be good for business.

> There are a
> number of browsers which are not on our supported list, not because they have
> known security vulnerabilities but because they have caching issues which may
> affect the use of our service.

Could you elaborate on what these "caching issues" are, and how they affect your site? It's possible that these issues are genuine bugs, either in the browser or in the way your site is working. Without further description of the issues, however, it's exceedingly likely that they'll never be solved. We can't fix what we don't know about.

> As stated earlier in this bug we do try to add support for new browsers in

Can you please reconcile this statement with comment 37, where you state

"If SeaMonkey becomes more widely used, we will re-consider our options to progress support."

It seems as though you are not truly concerned about making your site accessible to all your users, but rather concerned about what can be supported with the least amount of effort. While I can certainly see how this has advantages from a business perspective, the negative attention this behaviour receives must be considered to have a cost as well.

From a security perspective and from a general page-layout perspective, *all* Gecko browsers, no matter what their product name, will render pages identically and at the same level of security as long as the Gecko revision is identical. So long as the browser is reporting a Gecko version that you know is compatible and secure, it does not matter one bit what the user-agent name is. If your scripts look for "1.8.1.11" (the Gecko version) in the user-agent string rather than "Firefox/2.0.0.11", you'll automatically add support for Seamonkey, Camino, etc. for free, and the end-user experience will be vastly improved.

Again, if you have a legitimate reason to exclude a particular browser, please feel free to continue doing what you're doing. But if you do *not* have a legitimate reason to exclude a browser -- and you've said nothing so far to suggest that there's any reason to exclude Camino or Seamonkey users other than "there aren't enough of them to matter" -- I want to stress, in the strongest possible terms, that what you're doing is totally unacceptable.

cl
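
The two approaches contrasted in this thread, as an added example (not NatWest's code and not part of any comment above): a model of the product-token sniffing reported earlier, next to a check keyed on the Gecko revision that warns instead of blocking. The allowlists, the function names and the SeaMonkey string are assumptions constructed for illustration.

```javascript
'use strict';

// UA strings quoted in the thread, plus one constructed SeaMonkey string.
const SAMPLE_UAS = {
  beta: 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8b5) Gecko/20050927 Firefox/1.4',
  spoofed: 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20050927 Firefox/1.0',
  release15: 'Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051121 Firefox/1.5',
  // Constructed for this example: same engine revision as release15, other product.
  seamonkey: 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051121 SeaMonkey/1.0',
};

// Extract the engine revision (rv:), Gecko build date and product token.
// Returns null when the string is not a Gecko user agent.
function parseGeckoUA(ua) {
  const rv = /\brv:(\d+(?:\.\d+)*)([ab]\d*|pre)?/.exec(ua);
  const gecko = /\bGecko\/(\d{8})/.exec(ua);
  if (!rv || !gecko) return null;
  const rest = ua.slice(gecko.index + gecko[0].length);
  const product = /^\s+([A-Za-z][\w-]*)\/(\S+)/.exec(rest);
  return {
    engine: rv[1],
    prerelease: Boolean(rv[2]), // alpha/beta/pre suffix on the revision
    buildDate: gecko[1],
    product: product ? product[1] : null,
    productVersion: product ? product[2] : null,
  };
}

// True when version is the series itself or a point release of it.
function inSeries(version, series) {
  return version === series || version.startsWith(series + '.');
}

// Assumed list: models a sniffer that requires both tokens to match.
const PRODUCT_ALLOWLIST = [{ engine: '1.7', product: 'Firefox', series: '1.0' }];

// Product-token sniffing: anything not on the exact list is refused.
function productSniffDecision(ua) {
  const p = parseGeckoUA(ua);
  if (!p || p.prerelease || !p.product) return 'block';
  const ok = PRODUCT_ALLOWLIST.some((e) =>
    inSeries(p.engine, e.engine) &&
    p.product === e.product &&
    inSeries(p.productVersion, e.series));
  return ok ? 'allow' : 'block';
}

// Assumed list of engine revisions the site has been tested against.
const TESTED_ENGINE_SERIES = ['1.7', '1.8'];

// Engine-based check: the product name is ignored, and an untested or
// pre-release engine gets a warning page rather than a refusal.
function engineDecision(ua) {
  const p = parseGeckoUA(ua);
  if (!p || p.prerelease) return 'warn';
  return TESTED_ENGINE_SERIES.some((s) => inSeries(p.engine, s)) ? 'allow' : 'warn';
}

// Run both policies over a map of name -> UA string.
function compareDecisions(uas) {
  const out = {};
  for (const [name, ua] of Object.entries(uas)) {
    out[name] = { productSniff: productSniffDecision(ua), engine: engineDecision(ua) };
  }
  return out;
}

console.log(compareDecisions(SAMPLE_UAS));
```

Both functions read a header the client supplies, so the rewritten string from earlier in the thread is allowed by either one; the result is a compatibility hint, not a verification of the browser.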
Summary: nwolb.com - NatWest Online blocks: Firefox (nightlies and betas), SeaMonkey (all versions), other Gecko-based browsers → nwolb.com/natwest.com - NatWest Online blocks: Firefox (nightlies and betas), SeaMonkey (all versions), other Gecko-based browsers
Summary: nwolb.com/natwest.com - NatWest Online blocks: Firefox (nightlies and betas), SeaMonkey (all versions), other Gecko-based browsers → nwolb.com/natwest.com - NatWest Online blocks non-Firefox Gecko browsers (including beta/nightly Firefox aka Minefield)
This bug has reappeared in the latest FF 3.6 betas. Perhaps it is worth looking into as this is one of the biggest banking sites in the UK. I am well aware that this could very easily be caused by NatWest rather than FF but it is vital this is fixed before release.

I am using FF 3.6 b5
(In reply to comment #46)
> This bug has reappeared in the latest FF 3.6 betas. Perhaps it is worth looking
> into as this is one of the biggest banking sites in the UK. I am well aware
> that this could very easily be caused by NatWest rather than FF but it is vital
> this is fixed before release.

Based on comment 42 and its subsequent lack of any response whatsoever, I wouldn't hold out a lot of hope for the site ever being fixed. If you're a customer of this bank, please complain directly to the bank, and feel free to point them to this bug, as they're currently doing a fantastic job of pretending this problem doesn't exist.
I'm a Debian user, hence I use Iceweasel. I use the UA switcher in PrefBar to get round the bad sniffing at present, but that affects the whole browser, meaning that some sites log me out if I leave it so as to report itself as Firefox rather than Iceweasel.

I have reported my view to the bank - that they should sniff the Gecko details and not specifically for Firefox - and I will see what they say. I don't blame them for not supporting pre-releases but that doesn't apply here - stable Debian tends to be rather old anyway. I will point them to this bug if I get an unencouraging response, or no response.

I understand that the UA string in Iceweasel has now been modified to include a "like Firefox" clause - how effective that will be, I don't know - but until I move over to squeeze (which will normally be in late freeze or on it becoming stable) I will not get the new UA string.

Put it this way, if I was still having any silly difficulties with the bank, or if I owed them nothing, I would be considering changing banks over this issue.
Just another data point - the Natwest stockbroking site (natweststockbrokers.com) does allow use of non-Firefox Gecko - although it does bring up a warning screen saying I'm using a "generic gecko based browser" and recommends I install IE or Netscape (with a dead link) for the best experience.
Is this still an issue for anybody?
Testing today, with Nightly I see:

 - the main banking site working fine
 - the stockbroking site claims I'm using Firefox 2, and won't let me log in. The error page claims to support v18+
No problems seen on nwolb.com in quite a lot of months for me. Leaving "Real UA" selected in PrefBar is not a problem to the site any more.
Accessing https://www.nwolb.com/ I do not have any warning screen.
And the same goes for http://www.natweststockbrokers.com/

Thanks everyone
Status: REOPENED → RESOLVED
Closed: 19 years ago → 10 years ago
Component: English Other → Desktop
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility