Closed Bug 1148465 Opened 7 years ago Closed 7 years ago

accesd.desjardins.com and www.desjardins.com are RC4 only

Categories

(Web Compatibility :: Desktop, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: infoplus007, Unassigned)

References

()

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:39.0) Gecko/20100101 Firefox/39.0
Build ID: 20150326030212

Steps to reproduce:

Enter https://accesd.desjardins.com/ and press "Enter"  (Major Quebec Banking Site)


Actual results:

Firefox 39.0a1 load an error page: http://i.imgur.com/RDO3r3P.png + http://i.imgur.com/wJVmyl1.png




Expected results:

Load the website fine ;-)


Tried in Firefox 39.0a1 (Win7 64)
Tried in Chrome = Work Fine
Tried in Firefox V36 = Work Fine
Severity: normal → major
Priority: -- → P1
Website is RC4 only:
https://www.ssllabs.com/ssltest/analyze.html?d=https%3A%2F%2Faccesd.desjardins.com%2F

Cipher Suites (sorted by strength; the server has no preference)
TLS_RSA_WITH_RC4_128_SHA (0x5)   WEAK

You can contact the website support and redirect them to this bug report. They need to update their cipher suite.
Severity: major → normal
Status: UNCONFIRMED → NEW
Component: Untriaged → Desktop
Ever confirmed: true
Priority: P1 → --
Product: Firefox → Tech Evangelism
Summary: Firefox 39.0a1 Unable to load my bank site: https://accesd.desjardins.com/ → accesd.desjardins.com is RC4 only
Version: 39 Branch → Trunk
Yes I agree I can contact them but in meantime it work with Chrome and Firefox 36.

Desjardins in Quebec is the biggest Bank with More than 7 MILLIONS Members that use AccesD portal if Firefox can't be used on The Major Bank in Quebec/Canada expect peoples will shift to another browser. 

Also till it work on other browser if it's not corrected on Firefox side you can expect Desjardins to said to their customers to use Chrome or IExplorer cause Firefox is incompatible with Secure Web site.

Once the damage done (peoples switching to another browser) it will be difficult to undo their habits...
Just use another bank who doesn't provide low security for its clients. :)
It's not the Bank that will be hurted with this BUG it's Firefox, the bank will just tell to the 7 MILLIONS Members don't use Firefox since it' don't work on secure site, use Chrome on Internet Explorer they are safe and work. Users will trust the Major Bank Bank over Mozilla I think ;-)

Mozilla is disconnected from the reality again, you really don't understand that 8 peoples of 10 use Desjardins in Quebec/Canada, I hope you have some clue about why Firefox is losing users each Qtr.
Severity: normal → major
There is no fault with Firefox here. While it may make sense to temporarily whitelist the address, it will ultimately require the bank to correct their service. It's using insecure, obsolete encryption.

https://tools.ietf.org/html/rfc7465

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2566

http://www.isg.rhul.ac.uk/tls/RC4mustdie.html

https://www.blackhat.com/asia-15/briefings.html#bar-mitzva-attack-breaking-ssl-with-13-year-old-rc4-weakness
Chrome will, like Firefox, ultimately either remove RC4 support or add an interstitial warning.

Microsoft also advise that the RC4 cipher should not be used: http://blogs.technet.com/b/srd/archive/2013/11/12/security-advisory-2868725-recommendation-to-disable-rc4.aspx
I've contacted the bank via an online form to inform them of the issues that arise from their RC4 only servers, and the expected date of when this will become an issue for them. I have also pointed them at this bug.

(In reply to infoplus007 from comment #4)
> It's not the Bank that will be hurted with this BUG it's Firefox, the bank
> will just tell to the 7 MILLIONS Members don't use Firefox since it' don't
> work on secure site, use Chrome on Internet Explorer they are safe and work.
> Users will trust the Major Bank Bank over Mozilla I think ;-)

Firefox 38 and below will connect to the site fine, albeit with reduced security UI. If the bank is unable to fix their servers in time, the various domains will be added to the whitelist in Bug 1145844 so that Firefox 39 and above will continue to work fine at least for a while.
OS: Windows 7 → All
Hardware: x86_64 → All
Summary: accesd.desjardins.com is RC4 only → accesd.desjardins.com and www.desjardins.com are RC4 only
I resolved my problem by changing security.tls.unrestricted_rc4_fallback to TRUE

http://i.imgur.com/nqw2bSX.png

Tested on Firefox V39.0a2
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
It's a server-side issue, not a client-side.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Looks fixed.
Status: REOPENED → RESOLVED
Closed: 7 years ago7 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Web Compatibility
You need to log in before you can comment on or make changes to this bug.