accesd.desjardins.com and www.desjardins.com are RC4 only

RESOLVED FIXED

Status

Product: Tech Evangelism
Component: Desktop
Priority: --
Severity: major
Status: RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: infoplus007, Unassigned)

(Reporter)

Description

3 years ago
Created attachment 8584627 [details]
ZZZ_2015-03-27_11-58-54.png

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150326030212

Steps to reproduce:

Enter https://accesd.desjardins.com/ and press "Enter"  (Major Quebec Banking Site)


Actual results:

Firefox 39.0a1 loads an error page: http://i.imgur.com/RDO3r3P.png + http://i.imgur.com/wJVmyl1.png




Expected results:

Load the website fine ;-)


Tried in Firefox 39.0a1 (Win7 64)
Tried in Chrome = Works fine
Tried in Firefox V36 = Works fine
(Reporter)

Updated

3 years ago
Severity: normal → major
(Reporter)

Updated

3 years ago
Priority: -- → P1

Comment 1

3 years ago
Website is RC4 only:
https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Faccesd.desjardins.com%2F

Cipher Suites (sorted by strength; the server has no preference)
TLS_RSA_WITH_RC4_128_SHA (0x5)   WEAK

You can contact the website support and redirect them to this bug report. They need to update their cipher suite.
Blocks: 1138101
Severity: major → normal
Status: UNCONFIRMED → NEW
Component: Untriaged → Desktop
Ever confirmed: true
Priority: P1 → --
Product: Firefox → Tech Evangelism
Summary: Firefox 39.0a1 Unable to load my bank site: https://accesd.desjardins.com/ → accesd.desjardins.com is RC4 only
Version: 39 Branch → Trunk
(Reporter)

Comment 2

3 years ago
Yes, I agree I can contact them, but in the meantime it works with Chrome and Firefox 36.

Desjardins in Quebec is the biggest bank, with more than 7 MILLION members that use the AccesD portal. If Firefox can't be used on the major bank in Quebec/Canada, expect people will shift to another browser.

Also, as long as it works on other browsers, if it's not corrected on the Firefox side you can expect Desjardins to tell their customers to use Chrome or IExplorer because Firefox is incompatible with secure web sites.

Once the damage is done (people switching to another browser) it will be difficult to undo their habits...

Comment 3

3 years ago
Just use another bank who doesn't provide low security for its clients. :)
(Reporter)

Comment 4

3 years ago
It's not the bank that will be hurt by this bug, it's Firefox. The bank will just tell the 7 MILLION members: don't use Firefox since it doesn't work on secure sites, use Chrome or Internet Explorer, they are safe and work. Users will trust the major bank over Mozilla I think ;-)

Mozilla is disconnected from reality again. You really don't understand that 8 people out of 10 use Desjardins in Quebec/Canada. I hope you have some clue about why Firefox is losing users each Qtr.
(Reporter)

Updated

3 years ago
Severity: normal → major

Comment 5

3 years ago
There is no fault with Firefox here. While it may make sense to temporarily whitelist the address, it will ultimately require the bank to correct their service. It's using insecure, obsolete encryption.

https://tools.ietf.org/html/rfc7465

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566

http://www.isg.rhul.ac.uk/tls/RC4mustdie.html

https://www.blackhat.com/asia-15/briefings.html#bar-mitzva-attack-breaking-ssl-with-13-year-old-rc4-weakness

Comment 6

3 years ago
Chrome will, like Firefox, ultimately either remove RC4 support or add an interstitial warning.

Microsoft also advise that the RC4 cipher should not be used: http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx

Comment 7

3 years ago
I've contacted the bank via an online form to inform them of the issues that arise from their RC4 only servers, and the expected date of when this will become an issue for them. I have also pointed them at this bug.

(In reply to infoplus007 from comment #4)
> It's not the bank that will be hurt by this bug, it's Firefox. The bank
> will just tell the 7 MILLION members: don't use Firefox since it doesn't
> work on secure sites, use Chrome or Internet Explorer, they are safe and work.
> Users will trust the major bank over Mozilla I think ;-)

Firefox 38 and below will connect to the site fine, albeit with reduced security UI. If the bank is unable to fix their servers in time, the various domains will be added to the whitelist in Bug 1145844 so that Firefox 39 and above will continue to work fine at least for a while.
OS: Windows 7 → All
Hardware: x86_64 → All
Summary: accesd.desjardins.com is RC4 only → accesd.desjardins.com and www.desjardins.com are RC4 only
(Reporter)

Comment 8

3 years ago
I resolved my problem by changing security.tls.unrestricted_rc4_fallback to TRUE

http://i.imgur.com/nqw2bSX.png

Tested on Firefox V39.0a2
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INVALID

Comment 9

3 years ago
It's a server-side issue, not a client-side.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---

Comment 10

3 years ago
Looks fixed.
Status: REOPENED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
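
An added example, not part of the original bug thread and not Firefox's code: it parses cipher suite lines in the shape quoted in comment 1, flags an RC4-only server, and models why a client that leaves RC4 out of its first hello fails against such a server unless an RC4 fallback is allowed (the effect of the pref in comment 8 or the whitelist in comment 7). The client suite list, the "fixed" report and the function names are constructed for illustration, and the fallback logic is a simplified assumption.

```python
import re

# Lines in the "NAME (0xHEX)  LABEL" shape shown in comment 1.
SUITE_RE = re.compile(r"^\s*(TLS_[A-Z0-9_]+)\s+\((0x[0-9a-fA-F]+)\)", re.M)

def parse_suites(report):
    """Return [(name, codepoint)] for each cipher suite line in a scan report."""
    return [(name, int(code, 16)) for name, code in SUITE_RE.findall(report)]

def is_rc4(name):
    return "_RC4_" in name

def audit(report):
    """Summarise a scan: which suites use RC4 and whether nothing else is offered."""
    suites = parse_suites(report)
    rc4 = [name for name, _ in suites if is_rc4(name)]
    return {"offered": len(suites), "rc4": rc4,
            "rc4_only": bool(suites) and len(rc4) == len(suites)}

def negotiate(client_prefs, server_codes):
    """First client-preferred suite the server also supports, else None."""
    return next((n for n, c in client_prefs if c in server_codes), None)

def connect(report, allow_rc4_fallback):
    """Model a client that omits RC4 from its first hello (simplified assumption)."""
    server = {code for _, code in parse_suites(report)}
    strong = [(n, c) for n, c in CLIENT_SUITES if not is_rc4(n)]
    chosen = negotiate(strong, server)
    if chosen is None and allow_rc4_fallback:
        chosen = negotiate(CLIENT_SUITES, server)  # retry with RC4 included
    return chosen

# Constructed client list for illustration, not Firefox's actual suite order.
CLIENT_SUITES = [
    ("TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xC02F),
    ("TLS_RSA_WITH_AES_128_CBC_SHA", 0x002F),
    ("TLS_RSA_WITH_RC4_128_SHA", 0x0005),
]

RC4_ONLY_REPORT = "TLS_RSA_WITH_RC4_128_SHA (0x5)   WEAK\n"  # line from comment 1
FIXED_REPORT = (                                              # constructed sample
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)\n"
    "TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)\n"
)

if __name__ == "__main__":
    for label, rep in (("rc4-only", RC4_ONLY_REPORT), ("fixed", FIXED_REPORT)):
        print(label, audit(rep), connect(rep, False), connect(rep, True))
```

A server operator can run `audit` over their own scan output: `rc4_only` being true means the fix belongs in the server's cipher configuration, which is the point made in comments 5 and 9.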