Closed Bug 119134 Opened 22 years ago Closed 10 years ago
rbsdigital.com - rejects non-Firefox Gecko browsers
The Royal Bank of Scotland does not support Mozilla or Netscape 6.x based browsers at all for their online banking. Users are just recommended to get IE 4.01 to 6.0 or Netscape 4.08 to 4.78. Raj.
Service Denied: Reason: Unsupported Browser In order to access the Digital Banking service you require Microsoft Internet Explorer 4.01 to 6.0 or Netscape Navigator 4.08 to 4.78.To download this software please visit Microsoft or Netscape. If you require any further assistance please call the helpdesk on 0845 600 8212.

It's worth noting that rbos are merged with natwest (in some strange way, I think) so if we get the natwest bug 66911 fixed, we may be able to get this one done at the same time.
Summary: Royal bank of Scotland (rbsdigital.com) doesn't support Mozilla/Netscape 6.x → [deny] rbsdigital.com (Royal Bank of Scotland)
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: [deny] rbsdigital.com (Royal Bank of Scotland) → rbsdigital.com - deny NS6/Moz
Contact info: feedback form available here: http://www.rbs.co.uk/contact_us/online/tech_assist/default.asp James: could you give them a call? Setting P1.
Severity: major → normal
Priority: -- → P1
Is there some way to properly detect encryption support? I use the RBS and I would like to phone and see how far I can get. If someone can point me to some stuff so that I can educate myself first that would be great.
Re: comment #3, I'm not sure what you mean by "encryption support". The page is encrypted fine (RC4, 128 bit according to the page info). All you have to do is to spoof your user-agent to NS4.78 (either http://uabar.mozdev.org or http://mozilla-evangelism.bclary.com/sidebars/ will let you do this) and you can access the site without any problems
What I meant is that RBS's idea of detecting support for their encryption seems to be to only allow IE and NS4 through. Instead is there some way for them to actually test the browser being used to see if it will support encryption? I was thinking that if there was I could bring this up with my manager and try to convince him to push for something to be done. I would rather change old attitudes than work around them by changing my user agent string. :)
I thought that all non-obsolete browsers (ie not Mosaic :o) ) support encryption. If it isn't supported (eg if the PSM xpi isn't installed in Moz), doesn't the page just refuse to load?
I've just phoned their support desk to ask about this - they just repeated what I've been told a few times via email, which is that they are testing Netscape 6 and Mozilla but they have no timescale for when that will be finished. Given that the first time I asked them about this was in Feb, it's clearly a fairly slow testing process. He did say that they've had quite a few complaints about this, which they always pass on, etc., etc. Just have to keep hassling them if you're a customer, I suppose. BTW, the OS and Platform should probably both be "All", not "Windows 2000" and "PC", since it's a case of only specific UA strings being allowed, rather than specific ones being denied. I'm using Linux (Mandrake 8.2) and I can't get in to the site without UA spoofing.
Okay, thanks guys, I will give them a phone.
OS: Windows 2000 → All
Hardware: PC → All
I just emailed them again the other day and got the following response: <quote> Technical changes to the site, including changes to browser compatibility, are usually made in major revisions rather than many frequent small changes. For reasons of commercial confidentiality we cannot comment on when specific changes/enhancements will be made. </quote>
I've had similar fun with them. I pointed out that other banks (e.g. Nationwide) let you use whatever browser you want. They said that not restricting the browser meant they got too many support requests!
Another email brought the following response: <quote> At this time we do not support the Mozilla browser. We currently operate a browser policy whereby each browser is checked thoroughly by our technical department before we launch them. The decision to adopt a browser policy was taken to avoid any concern arising due to varying browser behaviour. Each browser that is released may function differently to another, even a new browser from an established company. For example the way a browser deals with cached information differs from browser to browser. We can assure you the addition of browsers to the existing list is actively being progressed. </quote> I've written back asking for some sort of timeline, but I'm not hopeful.
Component: Europe: West → English Other
I recently mailed them, mentioning there's no technical reason why Mozilla shouldn't be supported (i.e. it works perfectly with UA-spoofing), and I also asked for a timescale for Mozilla support. Here's what I got back: "We are currently considering what browsers to adopt for our system. Extensive testing is being carried out at present and we hope to include other browsers in future revisions of our product. We do not have any time-scales at present." They've been testing "extensively" for a *very long* time now!!
en other default owner
Assignee: nitot → english-other
QA Contact: z-caillon-obsolete2 → english-other
I've just sent them another email and written quoting that email to my bank manager. They can't ignore us forever! Harhar!
Here's the reply I got from my bank manager. Looks like they actually are doing things after all. "I write following your recent concern regarding Digital Banking. I have contacted our Digital Banking Department and they can confirm that adding support for other browsers, including Mozilla, is part of our ongoing platform redevelopment work which will be designed to comply with W3C guidelines. They regret that they currently cannot confirm the completion date for this project. I hope the above now clarifies the situation, but should you have any further queries please do not hesitate to contact me."
I filled in the RBoS complaint form and got this response regarding Mozilla, which indicates exactly what their problem is. I will see if they have any bug ID references relating to their issues with Mozilla. "We have tested our service with Mozilla and at this time, the browser has failed to meet our security standards. Our service includes code, which is designed to remove any customer account information from your computer when you exit the service. This is intended to prevent subsequent unauthorised viewing of account information. We have found that Mozilla continues to store this information. We have contacted Mozilla regarding the concern and at this time they have been unable to offer us a solution. Until such time as these concerns are addressed and the behaviour of the browser is amended we will not be able to support Mozilla. In the meantime we will continue to communicate with them on this issue and will test new versions of their browser, as they become available. We have similar concerns relating to the newer versions of Netscape, although there are further issues in place also."
Their security issue lies with the handling of HTTP Headers within Mozilla and other Gecko-based browsers. Using the Live HTTP Headers extension, I obtained the following HTTP Headers sent from the login page of RBS Digital (using a UA spoof)...

Pragma: no-cache
Cache-Control: No-cache

A quick search of Bugzilla determines the following:

"...to get the behavior you desire, you need to send 'cache-control: no-store'. [cache-control:] no-cache only means that we must validate the cached copy of the document before reusing it under normal browsing circumstances. we are allowed to show the user a stale document when they press the back button..." (Source: Bug 223000)

Under the guidance of the HTTP1.x standards, Mozilla is displaying the correct behavior, and IE is not (big surprise). Looks like all they have to do is add the following to their HTTP Headers to allow Mozilla and other browsers access:

cache-control: no-store

Going to try and establish contact regarding this matter, adding that line would take very little effort, and should prevent any caching, thus eliminating the security concerns.
SO, RBoS are not supporting Mozilla, just because it stores password details? Correct me if I'm wrong, but doesn't IE6 (for Windows) also store passwords? Also, doesn't Mozilla store passwords in a much safer way than IE6 does? Maybe someone should tell RBoS about all of the known security holes in IE.
> SO, RBoS are not supporting Mozilla,
> just because it stores password details?
> Correct me if I'm wrong, but doesn't IE6
> (for Windows) also store passwords?

Consider yourself corrected :)

Mozilla and IE both support the ability to store passwords, however a website can force the browser to not remember them. I assume RBoS are using this, as I have never even been prompted to remember my details, and I would assume that it's a basic fundamental security concern.

The issue here is that they are not sending the correct HTTP1.x header to stop the page from caching. IE incorrectly interprets their request and doesn't cache, which is what they want. They therefore consider Mozilla browsers to be insecure, as they obey the standards.

They can simply modify their HTTP1.x headers as I have told them in an email today. If they sent "Cache-Content: no-store, no-cache" instead of just "Cache-Control: no-cache", there would be no issue. I have asked them to consider this change and to re-evaluate Mozilla, based on it. They asked for a solution, and this, IMO, is it.
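The no-cache versus no-store distinction discussed in the two comments above can be checked mechanically. The following is an added example, not code from this bug report or from RBS: a small header audit in Python that classifies a response as stored, revalidate-only or not stored. The function names and the three result labels are assumptions made for the example, and the header blocks are the ones quoted in the comments.

```python
# Added example (not from the bug report): audit response headers for
# whether a browser cache is allowed to keep a copy of the page.

def parse_cache_control(value):
    """Return {directive: argument-or-None}; directive names are case-insensitive."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives

def audit(raw_headers):
    """Classify a header block as 'not-stored', 'revalidate-only' or 'storable'."""
    directives, pragma_no_cache = {}, False
    for line in raw_headers.strip().splitlines():
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        if name == "cache-control":          # only this field name carries directives
            directives.update(parse_cache_control(value))
        elif name == "pragma" and "no-cache" in value.lower():
            pragma_no_cache = True           # treated here like no-cache, never no-store
    if "no-store" in directives:
        return "not-stored"                  # cache must not keep the response at all
    if "no-cache" in directives or pragma_no_cache:
        return "revalidate-only"             # a copy may be kept and revalidated
    return "storable"

# Header blocks taken from the comments above.
OBSERVED = "Pragma: no-cache\nCache-Control: No-cache"
PROPOSED = "Cache-Control: no-store, no-cache"
OTHER_FIELD_NAME = "Cache-Content: no-store, no-cache"

if __name__ == "__main__":
    for label, block in [("observed", OBSERVED), ("proposed", PROPOSED),
                         ("other field name", OTHER_FIELD_NAME)]:
        print(f"{label:17} -> {audit(block)}")
```

The directives only count when they arrive under the Cache-Control field name, which is why the third block is classified as storable.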
(In reply to comment #20) Good Morning, My name is Stuart and I work for the Royal Bank of Scotland Group. We just wanted to confirm that we have recently completed testing of Mozilla and Netscape 6/7 on Digital Banking and are planning to implement support for these browsers during March. This change will also be made to NatWest OnLine Banking which uses the same underlying system.
Thanks for the reply Stuart, if you need any assistance, please use this as a reference point as myself, the reporter and the voters will get CC'd and will be happy to help.
(In reply to comment #21)
> Good Morning,
>
> My name is Stuart and I work for the Royal Bank of Scotland Group. We just
> wanted to confirm that we have recently completed testing of Mozilla and
> Netscape 6/7 on Digital Banking and are planning to implement support for these
> browsers during March.
>
> This change will also be made to NatWest OnLine Banking which uses the same
> underlying system.

I am a NatWest customer currently using Mozilla Firefox 0.8. If you require any end-user assistance in testing the NatWest Online Banking portal, post in either this bug or this one: http://bugzilla.mozilla.org/show_bug.cgi?id=66911
This is now (finally) working for me. Can someone else confirm before I mark this as being fixed?
Confirmed as working for me under Linux/Firefox 0.8. Excellent. It still doesn't auto-focus on the first input field of each login page, but that's not really related.
With great pleasure, I declare this bug FIXED :o)
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
The RBOS situation may be resolved, but NatWest.com is still denying access . . .
Hi

As posted previously our intention was to expand the number of browsers supported by The Royal Bank of Scotland and NatWest internet banking services during March. I am happy to inform you that the RBS update took place on 24 March and the NatWest update took place early this morning. We hope that our customers will enjoy using our services with Mozilla.

For information, our list of supported browsers is now:

Internet Explorer 4.01 and above
Netscape 4.08 - 7.1
Mozilla 1.5 and above
AOL for Windows

Should you experience any issues we would be grateful if you could post them here or contact us directly via our websites.

Regards
Stuart.
Users will experience problems logging on to digital banking if popup blocking is enabled. The logon window appears and then immediately closes. To allow the logon window to appear, popups must be allowed for the digital banking website (no popup blocked indicator is displayed because it appears that the window that appears when you click 'logon' (a requested popup) creates another window to contain the login form (an unrequested popup))

To do this in Mozilla 1.6:

1. Edit menu -> Preferences
2. Under Privacy & Security select Popup Windows
3. Click the "Allowed Sites..." button and add "www.rbsdigital.com" to the list of allowed web sites.

The logon window will now appear successfully. I have notified RBoS of this with the hope it will appear in the service FAQ http://www.rbs.co.uk/Personal_Finances/Bank_Online/FAQs/technical.htm
(In reply to comment #29)
> Users will experience problems logging on to digital banking if popup blocking
> is enabled. The logon window appears and then immediately closes.

I have to say that I've never noticed this because I have a bookmark set up to take me directly to the secure site in my main browser window. The URL is: https://www.rbsdigital.com/secure/
Reopening this bug. In a move that I completely fail to understand, the RBSDigital system now refuses to give Firefox access once again. When following the "Information on supported browsers" link, Firefox is listed.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
To elaborate: RBS have rewritten their entire online banking service. The new version has managed, astonishingly, to be even less standards or browser-friendly than the old one. This time, the server-side parser (which is giving out entirely different sites for different UAs, gotta love asp.NET) is specifically blocking Gecko revision 1.8:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20051009 Firefox/1.0.7

works, whereas

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051009 Firefox/1.0.7

is rejected.

- Chris
(In reply to comment #32) I can confirm this behaviour, with revision 1.7 of Firefox being allowed to access the site; I'm using Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.10) Gecko/20050721 Firefox/1.0.4 (Ubuntu package 1.0.6). I'm also attaching an image illustrating a CSS bug which appears under Firefox. Obviously we can't tell what setup RBS have exactly, but for what it's worth, having been an ASP.NET developer I've had very good results with this updated browsercaps file for serving appropriate code to non-IE browsers: http://slingfive.com/pages/code/browserCaps/
Also to note that the new site doesn't work with Seamonkey (current build: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050915 MultiZilla/220.127.116.11r SeaMonkey/1.1a)
I emailed the bank to complain and got the following response

---- begin ----
Thank you for your email to Digital Banking.

Our list of supported browsers are as follows

A PC with Microsoft Windows 95/98/NT/2k/Me/XP Home or Pro or an Apple Macintosh with OS 8.1 or above
28.8kbps modem (although 56kbps preferred)
An internet account with an Internet Service Provider

* Internet Explorer 5.0 and above(Windows only)
* Netscape 7.1, 7.2 and 8.0 (8.0 is Windows only)
* Mozilla 1.5 and above
* AOL 8.0 and above(Windows only)
* Firefox Version 1.x
* Safari 1.3 (312) + 2.0 (412) (Mac OS 10 only)
* Internet Explorer 5.1.7 (Mac OS 8+9 only)
* Mozilla 1.2.1 (Mac OS 8+9 only)

Screen with 800 x 600 Pixel Resolution

At this time we have no plans to support the web browser you have mentioned. Please accept our apologies for any inconvenience you have been caused in this matter.
---- end ----

For what it's worth, spoofing the UA to Mozilla 1.6 lets me in to the site.
Now that SeaMonkey 1.0 final has been released, should we try and make another effort to try and get SM accepted?
Raj, sure. When you contact them remember to get them to allow any Gecko browser. Send them a link to <http://developer.mozilla.org/en/docs/Browser_Detection_and_Cross_Browser_Support>. It may help although it is a bit old.
One of the best references/recommendations I've found for encouraging financial institutions to support Firefox is located at bankers on-line web site http://www.bankersonline.com/security/security_browserthreat070204.html It was written in 2004 during the download.ject attack, but much of it still applies today. This is a good link to send when contacting banks.
RBS now says http://www.rbs.co.uk/personal/online-banking/g2/need.ashx Camino and Minefield are both rejected outright. If I spoof exactly as Firefox 2, I can get in just fine (to the extent that I can get in at all without an account). Tweaking summary and blocking 334967. Stuart, is there any particular *technical* reason you guys are choosing to completely block access by users of Gecko-based browsers other than Firefox? Please give http://geckoisgecko.org/ a read if there isn't and consider implementing engine sniffing rather than browser sniffing. If there *is* a technical reason to block non-Firefox Gecko browsers, please tell us what it is so that it can be addressed.
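The difference between browser sniffing and engine sniffing raised in the comment above, as an added example that is not part of the original thread and is not RBS's server logic (which the page does not show). The function names and the minimum engine version are assumptions for the example; the minimum is taken from the "Mozilla 1.5 and above" entry in the bank's list. The first two user-agent strings are quoted from earlier comments; the SeaMonkey and Safari strings are constructed samples.

```python
# Added example (not from the thread): product-name check vs engine check.
import re

# Gecko user agents carry "rv:<engine version>" and a "Gecko/<build date>" token.
# WebKit/KHTML strings say "like Gecko" without the slash, so they do not match.
GECKO_RE = re.compile(r"rv:(\d+(?:\.\d+)*)[^)]*\)\s+Gecko/(\d{8})")
MIN_GECKO = (1, 5)  # assumption: engine version shipped in Mozilla 1.5

def gecko_version(ua):
    """Return the Gecko engine version as a tuple of ints, or None if not Gecko."""
    m = GECKO_RE.search(ua)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def product_sniff(ua):
    """Hypothetical product-name allowlist: only a Firefox token is accepted."""
    return re.search(r"\bFirefox/\d", ua) is not None

def engine_sniff(ua):
    """Accept any browser built on a new enough Gecko, whatever it is called."""
    version = gecko_version(ua)
    return version is not None and version >= MIN_GECKO

# Quoted from the comments above.
FIREFOX_RV18 = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) "
                "Gecko/20051009 Firefox/1.0.7")
FIREFOX_LINUX = ("Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.10) "
                 "Gecko/20050721 Firefox/1.0.4")
# Constructed samples.
SEAMONKEY = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) "
             "Gecko/20060130 SeaMonkey/1.0")
SAFARI = ("Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) "
          "AppleWebKit/412 (KHTML, like Gecko) Safari/412")

if __name__ == "__main__":
    # The User-Agent header is client-supplied, so either check is a
    # compatibility hint and not an access control.
    for ua in (FIREFOX_RV18, FIREFOX_LINUX, SEAMONKEY, SAFARI):
        print(product_sniff(ua), engine_sniff(ua), gecko_version(ua))
```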
Summary: rbsdigital.com - deny NS6/Moz → rbsdigital.com - rejects non-Firefox Gecko browsers
I see this is basically the same thing as bug 307525. Same parent company, different URL. Stuart, my comments over in that bug apply equally to this one.
Confirming problem still exists as of today... :(
Status: REOPENED → RESOLVED
Closed: 20 years ago → 10 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Tech Evangelism Graveyard