
Various virginmedia.com sites are TLS 1.2 intolerant and RC4 only

RESOLVED FIXED

Status

Tech Evangelism
Desktop
--
major
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: emorley, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

3 years ago
1) Visit https://my.virginmedia.com/home/signIn in latest Nightly using a clean profile.
2) Visit same URL in Chrome dev.

Expected:
Login page appears with username and password fields visible etc, for both Nightly and Chrome.

Actual:
Only works in Chrome, fails in Nightly with:

"""
Secure Connection Failed

The connection to identity.virginmedia.com was interrupted while the page was loading.

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.
"""
(Reporter)

Comment 1

3 years ago
https://www.ssllabs.com/ssltest/analyze.html?d=identity.virginmedia.com
(Reporter)

Comment 2

3 years ago
 9:11.07 LOG: MainThread Bisector INFO Last good revision: f1f48ccb2d4e
 9:11.07 LOG: MainThread Bisector INFO First bad revision: 5b01216f97f8
 9:11.07 LOG: MainThread Bisector INFO Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=f1f48ccb2d4e&tochange=5b01216f97f8

I couldn't bisect further on inbound using mozregression, due to bug 1129897.

However in that range is bug 1084025:
https://hg.mozilla.org/mozilla-central/rev/35f5ec149ad5

Setting security.tls.version.fallback-limit back to 1 makes identity.virginmedia.com load successfully.

Moving to Tech Evang given bug 1084025 comments and its dep bug 1126620 which tracks the TE side.

That said, we _really_ need a better error message here - I wasted over 90 minutes of Mozilla time (thanks also to mozregression issues slowing things down) filing this bug/tracking this down, which could have been avoided if the message said something like "See this FAQ" -> link to page explaining the disabling of the version fallback and the bug number :-(
Blocks: 1126620
Component: Security → Desktop
OS: Windows 8.1 → All
Product: Firefox → Tech Evangelism
Hardware: x86_64 → All
Summary: virginmedia.com customer sign-in fails with TLS error, works in Chrome → virginmedia.com customer sign-in fails with TLS error after bug 1084025
(Reporter)

Comment 3

3 years ago
I've sent an email to the registrant email listed at http://whois.domaintools.com/virginmedia.com (domain_admin[at]virgin[dot]com) as well as hostmaster[at]virginmedia[dot]com for good measure.

Sadly there isn't yet an FAQ or blog post that I can link to, that concisely explains what the website owners need to do. Masatoshi, is there one I haven't found?
Flags: needinfo?(VYV03354)

Comment 4

(In reply to Ed Morley [:edmorley] from comment #3)
> I've sent an email to the registrant email listed at
> http://whois.domaintools.com/virginmedia.com
> (domain_admin[at]virgin[dot]com) as well as
> hostmaster[at]virginmedia[dot]com for good measure.
> 
> Sadly there isn't yet an FAQ or blog post that I can link to, that concisely
> explains what the website owners need to do. Masatoshi, is there one I
> haven't found?

Probably no. We should create it.
Flags: needinfo?(VYV03354)

Comment 5

3 years ago
There are other services that need to be whitelisted and raised with Virgin:

identity.virginmedia.com
https://www.ssllabs.com/ssltest/analyze.html?d=identity.virginmedia.com&latest
RC4-only, TLS 1.2 intolerant
 
national.virginmedia.com
https://www.ssllabs.com/ssltest/analyze.html?d=national.virginmedia.com&latest
RC4-only, TLS 1.2 intolerant
 
payments.virginmedia.com
https://www.ssllabs.com/ssltest/analyze.html?d=payments.virginmedia.com&latest
RC4-only, TLS 1.2 intolerant
 
ebill2.virginmedia.com
https://www.ssllabs.com/ssltest/analyze.html?d=ebill2.virginmedia.com&latest
RC4-only, TLS 1.2 intolerant

Comment 6

3 years ago
Please can we make this also block on 1138101
Blocks: 1138101

Comment 7

3 years ago
For completeness of this bug, there's also:

allyours.virginmedia.com
https://www.ssllabs.com/ssltest/analyze.html?d=allyours.virginmedia.com&latest
RC4-only, TLS 1.2 intolerant

Comment 8

3 years ago
I have just had an update from Virgin:

"This is something that is being taken very seriously, and we are aware, and have a project in place to rectify the problem."

Updated

3 years ago
Duplicate of this bug: 1150190

Comment 10

3 years ago
(Updating summary to reflect the expanded purpose of this bug).
Summary: virginmedia.com customer sign-in fails with TLS error after bug 1084025 → Various virginmedia.com sites are TLS 1.2 intolerant and RC4 only

Comment 11

3 years ago
Have raised this to VirginMedia - it may need many writing to the CEO of VirginMedia to get some action by them or to raise a complaint to the Information Commissioner's Office.

Comment 12

2 years ago
https://my.virginmedia.com/ seems fixed, but not anything else.

Comment 13

2 years ago
(In reply to Cykesiopka from comment #12)
> https://my.virginmedia.com/ seems fixed, but not anything else.

not working for me; aurora 42.0a2 (2015-09-11)

Comment 14

2 years ago
(In reply to Calum Mackay from comment #13)
> (In reply to Cykesiopka from comment #12)
> > https://my.virginmedia.com/ seems fixed, but not anything else.
> 
> not working for me; aurora 42.0a2 (2015-09-11)

Hmm, https://my.virginmedia.com (92.238.96.43) continues to work fine here, and I run Aurora 42 as well.

https://www.ssllabs.com/ssltest/analyze.html?d=my.virginmedia.com
> TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK 	128
> TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK 	256
> TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 	128
> TLS_RSA_WITH_AES_256_CBC_SHA (0x35) 	256
> TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 	112

> Firefox 39 / OS X  R		TLS 1.0 	TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   FS 	128 

> Long handshake intolerance 	No
> TLS extension intolerance 	No
> TLS version intolerance 	No 

Maybe you're hitting a different server from load balancing or something?

Also, make sure you're actually visiting just https://my.virginmedia.com/.
https://my.virginmedia.com/home/signIn/ from comment 0 actually redirects to the still broken https://identity.virginmedia.com/.

Comment 15

2 years ago
my apologies, you're right. I mis-read which site you were saying was fixed, sorry.

Comment 16

2 years ago
(In reply to Calum Mackay from comment #15)
> my apologies, you're right. I mis-read which site you were saying was fixed,
> sorry.

No worries.

Comment 17

2 years ago
I am having problems with this site:
http://salesleadform.virginmedia.co.uk

Any idea when this will be fixed?

Thanks
CLS

Comment 18

2 years ago
CLS,

You need to ask Virgin. The fault is with them, not with Firefox.

https://dev.ssllabs.com/ssltest/analyze.html?d=salesleadform.virginmedia.co.uk&hideResults=on

Cheers,

Nick

Comment 19

If we're going to contact them, here are some possible contact points:
Contactlink: http://help.virginmedia.com/
http://twitter.com/virginmedia
http://www.facebook.com/virginmedia

I tweeted them, but if someone has a better contact please reach out.

Comment 20

payments.virginmedia.com and ebill2.virginmedia.com are fixed, but other servers are still broken.

Comment 21

2 years ago
My parents have 5 email addresses at virginmedia, who are their ISP.
They use Firefox.

Each of my parents has a 'special Firefox Profile JUST for virginmedia webmail'.

As many will know, virginmedia are bringing their 'customer paid for email service'
(which used to be provided by Google) in house.

I spent several hours trying to help them and I have reported
their issues to virginmedia.

While I was on the phone I also told virginmedia about *this* bug.
I said I would update it this evening (because virginmedia say they are going to look at it).

My parents have a bookmark which used to allow them to login to their webmail.
They do not use https://my.virginmedia.com
(see comment # 12)

I am simulating their login (on another computer at a different physical
address in the same city).

Browser: Firefox 42 (current release)

in "about:config"
security.ssl.require_safe_negotiation set to "false"
security.ssl.treat_unsafe_negotiation_as_broken set to "false"
(in my normal usage I have these both set to "true").

Browse to:

https://mail.virginmedia.com

this is redirected to

https://mail2.virginmedia.com/appsuite/

this then is redirected to

https://identity.virginmedia.com

here Firefox (correctly) reports:

> Web site: identity.virginmedia.com
> Owner: This web site does not supply ownership information.
> Verified by: Not specified

In the "Technical Details" box

"Broken Encryption (TLS_RSA_WITH_RC4_128_MD5, 128 bit keys, TLS 1.0)"

If you work for virginmedia, or if you intend to use the virginmedia webmail, please see:

https://www.ssllabs.com/ssltest/analyze.html?d=identity.virginmedia.com

DJ-Leith

Comment 22

allyours.virginmedia.com and salesleadform.virginmedia.co.uk are fixed, but other servers are still broken.
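
Added example, not part of the bug thread: a small Python triage of the cipher suite strings quoted in comments 14 and 21, flagging weaknesses by suite-name component and implementing the "RC4-only" check this bug uses. The rows are taken from those comments; the 2048-bit DH threshold and the finding labels are this example's assumptions, not SSL Labs' grading.

```python
import re

SUITE = re.compile(r"TLS_([A-Z0-9_]+?)_WITH_([A-Z0-9_]+)_([A-Z0-9]+)")
DH_BITS = re.compile(r"\bDH (\d+) bits")
MIN_DH_BITS = 2048  # assumption of this example, not an SSL Labs constant

# Rows taken from comment 14 (my.virginmedia.com, SSL Labs output).
MY_ROWS = [
    "TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33)   DH 1024 bits (p: 128, g: 1, Ys: 128)   FS   WEAK 128",
    "TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) 128",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa) 112",
]
# String taken from comment 21 (identity.virginmedia.com, Firefox page info).
IDENTITY_ROWS = ["Broken Encryption (TLS_RSA_WITH_RC4_128_MD5, 128 bit keys, TLS 1.0)"]


def findings(row):
    """Return (suite_name, [weaknesses]) for one row that names a TLS suite."""
    m = SUITE.search(row)
    if not m:
        raise ValueError(f"no cipher suite name in {row!r}")
    kx, cipher, mac = m.groups()
    out = []
    if not kx.startswith(("DHE", "ECDHE")):
        out.append("no forward secrecy")      # static RSA key exchange
    dh = DH_BITS.search(row)
    if dh and int(dh.group(1)) < MIN_DH_BITS:
        out.append(f"{dh.group(1)}-bit DH group")
    if cipher.startswith("RC4"):
        out.append("RC4 (prohibited by RFC 7465)")
    elif cipher.startswith("3DES"):
        out.append("3DES (64-bit block)")
    if cipher.endswith("CBC"):
        out.append("CBC mode, no AEAD")
    if mac == "MD5":
        out.append("MD5 MAC")
    return m.group(0), out


def rc4_only(rows):
    """True when the server offers at least one suite and all of them use RC4."""
    return bool(rows) and all(
        any(f.startswith("RC4") for f in findings(r)[1]) for r in rows)


if __name__ == "__main__":
    for row in MY_ROWS + IDENTITY_ROWS:
        name, weak = findings(row)
        print(f"{name}: {', '.join(weak) or 'nothing flagged'}")
    print("identity.virginmedia.com RC4-only:", rc4_only(IDENTITY_ROWS))
```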

Comment 23

2 years ago
identity.virginmedia.com seems to be fixed now.

https://www.ssllabs.com/ssltest/analyze.html?d=identity.virginmedia.com

national.virginmedia.com is still broken.
Why does Virgin Media not know all their servers themselves? :(

national.virginmedia.com has been fixed.
I don't know of any broken subdomains anymore.

Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED