Closed Bug 119134 Opened 21 years ago Closed 9 years ago

rbsdigital.com - rejects non-Firefox Gecko browsers

Categories

(Tech Evangelism Graveyard :: English Other, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: raj, Unassigned)

Details

(Whiteboard: [banking][deny])

Attachments

(1 file)

The Royal Bank of Scotland does not support Mozilla or Netscape 6.x based
browsers at all for their online banking.  Users are just recommended to get IE
4.01 to 6.0 or Netscape 4.08 to 4.78.

Raj.
Service Denied:

Reason: Unsupported Browser

In order to access the Digital Banking service you require Microsoft Internet
Explorer 4.01 to 6.0 or Netscape Navigator 4.08 to 4.78.To download this
software please visit Microsoft or Netscape. If you require any further
assistance please call the helpdesk on 0845 600 8212.

It's worth noting that rbos are merged with natwest (in some strange way, I
think) so if we get the natwest bug 66911 fixed, we may be able to get this one
done at the same time.
Summary: Royal bank of Scotland (rbsdigital.com) doesn't support Mozilla/Netscape 6.x → [deny] rbsdigital.com (Royal Bank of Scotland)
Whiteboard: [banking][deny]
Blocks: 124594
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: [deny] rbsdigital.com (Royal Bank of Scotland) → rbsdigital.com - deny NS6/Moz
Contact info:
feedback form available here:
http://www.rbs.co.uk/contact_us/online/tech_assist/default.asp
James : could you give them a call ?
Setting P1.
Severity: major → normal
Priority: -- → P1
Is there some way to properly detect encryption support? I use the RBS and I
would like to phone and see how far I can get. If someone can point me to some
stuff so that I can educate myself first that would be great. 
Re: comment #3, I'm not sure what you mean by "encryption support".  The page is
encrypted fine (RC4, 128 bit according to the page info).  All you have to do is
to spoof your user-agent to NS4.78 (either http://uabar.mozdev.org or
http://mozilla-evangelism.bclary.com/sidebars/ will let you do this) and you can
access the site without any problems
What I meant is that RBS's idea of detecting support for their encryption seems
to be to only allow IE and NS4 through. Instead is there some way for them to
actually test the browser being used to see if it will support encryption? I was
thinking that if there was I could bring this up with my manager and try to
convince him to push for something to be done. I would rather change old
attitudes than work around them by changing my user agent string. :)
I thought that all non-obsolete browsers (ie not Mosaic :o)  ) support
encryption.  If it isn't supported (eg if the PSM xpi isn't installed in Moz),
doesn't the page just refuse to load?
I've just phoned their support desk to ask about this - they just 
repeated what I've been told a few times via email, which is that they are
testing Netscape 6 and Mozilla but they have no timescale for when
that will be finished.

Given that the first time I asked them about this was in Feb, it's clearly a
fairly slow testing process. He did say that they've had quite a few complaints
about this, which they always pass on, etc., etc.

Just have to keep hassling them if you're a customer, I suppose.

BTW, the OS and Platform should probably both be "All", not "Windows 2000" and
"PC", since it's a case of only specific UA strings being allowed, rather than
specific ones being denied. I'm using Linux (Mandrake 8.2) and I can't get in to
the site without UA spoofing.
Okay, thanks guys, I will give them a phone. 
OS: Windows 2000 → All
Hardware: PC → All
I just emailed them again the other day and got the following response:

<quote>
Technical changes to the site, including changes to browser compatibility,
are usually made in major revisions rather than many frequent small changes.
For reasons of commercial confidentiality we cannot comment on when specific
changes/enhancements will be made.
</quote>
I've had similar fun with them.  I pointed out that other banks (e.g.
Nationwide) let you use whatever browser you want.  They said that not
restricting the browser meant they got too many support requests!  
Another email brought the following response:

<quote>
At this time we do not support the Mozilla browser. We currently operate a
browser policy whereby each browser is checked thoroughly by our technical
department before we launch them.

The decision to adopt a browser policy was taken to avoid any concern
arising due to varying browser behaviour. Each browser that is released may
function differently to another, even a new browser from an established
company. For example the way a browser deals with cached information differs
from browser to browser. We can assure you the addition of browsers to the
existing list is actively being progressed.
</quote>

I've written back asking for some sort of timeline, but I'm not hopeful.
New Component
Component: Europe: West → English Other
I recently mailed them, mentioning there's no technical reason why Mozilla
shouldn't be supported (i.e. it works perfectly with UA-spoofing), and I also
asked for a timescale for Mozilla support.  Here's what I got back:

"We are currently considering what browsers to adopt for our system.
Extensive testing is being carried out at present and we hope to include
other browsers in future revisions of our product.  We do not have any
time-scales at present."


They've been testing "extensively" for a *very long* time now!!
en other default owner
Assignee: nitot → english-other
QA Contact: z-caillon-obsolete2 → english-other
I've just sent them another email and written quoting that email to my bank
manager. They can't ignore us forever! Harhar!
Here's the reply I got from my bank manager. Looks like they actually are doing
things after all.

"I write following your recent concern regarding Digital Banking.

I have contacted our Digital Banking Department and they can confirm that adding
support for other browsers, including Mozilla, is part of our ongoing platform
redevelopment work which will be designed to comply with W3C guidelines. They
regret that they currently cannot confirm the completion date for this project.

I hope the above now clarifies the situation, but should you have any further
queries please do not hesitate to contact me."
I filled in the RBoS complaint form and got this response regarding Mozilla,
which indicates exactly what their problem is. I will see if they have any bug
ID references relating to their issues with Mozilla.

"We have tested our service with Mozilla and at this time, the browser has
failed to meet our security standards.  Our service includes code, which is
designed to remove any customer account information from your computer when you
exit the service.  This is intended to prevent subsequent unauthorised viewing
of account information.  We have found that Mozilla continues to store this
information.  We have contacted Mozilla regarding the concern and at this time
they have been unable to offer us a solution.

Until such time as these concerns are addressed and the behaviour of the browser
is amended we will not be able to support Mozilla. In the meantime we will
continue to communicate with them on this issue and will test new versions of
their browser, as they become available.

We have similar concerns relating to the newer versions of Netscape, although
there are further issues in place also."
Their security issue lies with the handling of HTTP Headers within Mozilla and
other Gecko-based browsers.

Using the Live HTTP Headers extension, I obtained the following HTTP Headers
sent from the login page of RBS Digital (using a UA spoof)...

Pragma: no-cache
Cache-Control: No-cache

A quick search of Bugzilla determines the following:

"...to get the behavior you desire, you need to send 'cache-control: no-store'.
 [cache-control:] no-cache only means that we must validate the cached copy of
the document before reusing it under normal browsing circumstances.  we are
allowed to show the user a stale document when they press the back button..."
(Source: Bug 223000)

Under the guidance of the HTTP1.x standards, Mozilla is displaying the correct
behavior, and IE is not (big surprise). Looks like all they have to do is add
the following to their HTTP Headers to allow Mozilla and other browsers access:

cache-control: no-store

Going to try and establish contact regarding this matter, adding that line would
take very little effort, and should prevent any caching, thus eliminating the
security concerns.
SO, RBoS are not supporting Mozilla, just because it stores password details?
Correct me if I'm wrong, but doesn't IE6 (for Windows) also store passwords?

Also, doesn't Mozilla store passwords in a much safer way than IE6 does?

Maybe someone should tell RBoS about all of the known security holes in IE.
> SO, RBoS are not supporting Mozilla,
> just because it stores password details?
> Correct me if I'm wrong, but doesn't IE6
> (for Windows) also store passwords?

Consider yourself corrected :) Mozilla and IE both support the ability to store
passwords, however a website can force the browser to not remember them. I
assume RBoS are using this, as I have never even been prompted to remember my
details, and I would assume that it's a basic fundamental security concern.

The issue here is that they are not sending the correct HTTP1.x header to stop
the page from caching. IE incorrectly interprets their request and doesn't
cache, which is what they want. They therefore consider Mozilla browsers to be
insecure, as they obey the standards. They can simply modify their HTTP1.x
headers as I have told them in an email today.

If they sent "Cache-Content: no-store, no-cache" instead of just "Cache-Control:
no-cache", there would be no issue. I have asked them to consider this change
and to re-evaluate Mozilla, based on it. They asked for a solution, and this,
IMO, is it.
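
The difference between the two directives discussed in the comments above can be checked mechanically. The following is an added example, not part of the bug report and not RBS or Mozilla code: it classifies a response as forbidding storage, asking only for revalidation, or unrestricted. The function names and the MISNAMED sample are assumptions made for the example; the other header values are the ones quoted in the thread.

```python
"""Added example: does a response forbid storing the page, or only ask for revalidation?"""

# Header sets as (name, value) pairs. OBSERVED and PROPOSED use the values
# quoted in the comments above; MISNAMED is constructed for this example.
OBSERVED = [("Pragma", "no-cache"), ("Cache-Control", "No-cache")]
PROPOSED = OBSERVED + [("cache-control", "no-store")]
MISNAMED = [("Cache-Contol", "no-store, no-cache")]


def cache_directives(headers):
    """Merge every Cache-Control field into {directive: argument}.

    Field names and directive names are case-insensitive, so the
    "No-cache" spelling seen on the login page still counts.
    """
    found = {}
    for name, value in headers:
        if name.strip().lower() != "cache-control":
            continue  # Pragma and unrecognised names contribute nothing
        for part in value.split(","):
            key, _, arg = part.strip().partition("=")
            if key:
                found[key.strip().lower()] = arg.strip().strip('"')
    return found


def storage_policy(headers):
    """Return 'no-store', 'revalidate-only' or 'unrestricted'."""
    d = cache_directives(headers)
    if "no-store" in d:
        return "no-store"          # the response must not be written to any cache
    if "no-cache" in d:
        return "revalidate-only"   # may be stored; reuse requires validation
    return "unrestricted"


def audit_sensitive_page(headers):
    """List findings for a page that must leave nothing behind after logout."""
    policy = storage_policy(headers)
    findings = []
    if policy == "revalidate-only":
        findings.append("no-cache without no-store: a stored copy may be "
                        "shown again via Back/history")
    elif policy == "unrestricted":
        findings.append("no Cache-Control storage restriction found")
    return findings


if __name__ == "__main__":
    for label, hdrs in (("observed", OBSERVED), ("proposed", PROPOSED),
                        ("misnamed", MISNAMED)):
        print(label, storage_policy(hdrs), audit_sensitive_page(hdrs))
```
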
(In reply to comment #20)
Good Morning,

My name is Stuart and I work for the Royal Bank of Scotland Group. We just 
wanted to confirm that we have recently completed testing of Mozilla and 
Netscape 6/7 on Digital Banking and are planning to implement support for these 
browsers during March. 

This change will also be made to NatWest OnLine Banking which uses the same 
underlying system. 
Thanks for the reply Stuart, if you need any assistance, please use this as a
reference point as myself, the reporter and the voters will get CC'd and will be
happy to help.
(In reply to comment #21)
> Good Morning,
> 
> My name is Stuart and I work for the Royal Bank of Scotland Group. We just 
> wanted to confirm that we have recently completed testing of Mozilla and 
> Netscape 6/7 on Digital Banking and are planning to implement support for these 
> browsers during March. 
> 
> This change will also be made to NatWest OnLine Banking which uses the same 
> underlying system. 

I am a NatWest customer currently using Mozilla Firefox 0.8. If you require any
end-user assistance in testing the NatWest Online Banking portal, post in either
this bug or this one: http://bugzilla.mozilla.org/show_bug.cgi?id=66911


This is now (finally) working for me.  Can someone else confirm before I mark
this as being fixed?
Confirmed as working for me under Linux/Firefox 0.8.

Excellent.

It still doesn't auto-focus on the first input field of each login page, but
that's not really related.
With great pleasure, I declare this bug FIXED :o)
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
The RBOS situation may be resolved, but NatWest.com is still denying access . . . 
Hi

As posted previously our intention was to expand the number of browsers 
supported by The Royal Bank of Scotland and NatWest internet banking services 
during March.

I am happy to inform you that the RBS update took place on 24 March and the 
NatWest update took place early this morning. We hope that our customers will 
enjoy using our services with Mozilla.

For information, our list of supported browsers is now:

Internet Explorer 4.01 and above
Netscape 4.08 - 7.1
Mozilla 1.5 and above
AOL for Windows

Should you experience any issues we would be grateful if you could post them 
here or contact us directly via our websites.

Regards
Stuart.
Users will experience problems logging on to digital banking if popup blocking
is enabled. The logon window appears and then immediately closes.

To allow the logon window to appear, popups must be allowed for the digital
banking website (no popup blocked indicator is displayed because it appears that
the window that appears when you click 'logon' (a requested popup) creates
another window to contain the login form (an unrequested popup))

To do this in Mozilla 1.6:
1. Edit menu -> Preferences
2. Under Privacy & Security select Popup Windows
3. Click the "Allowed Sites..." button and add "www.rbsdigital.com" to the list
of allowed web sites. The logon window will now appear successfully.

I have notified RBoS of this with the hope it will appear in the service FAQ
http://www.rbs.co.uk/Personal_Finances/Bank_Online/FAQs/technical.htm
(In reply to comment #29)
> Users will experience problems logging on to digital banking if popup blocking
> is enabled. The logon window appears and then immediately closes.

I have to say that I've never noticed this because I have a bookmark set up to
take me directly to the secure site in my main browser window.  The URL is:
https://www.rbsdigital.com/secure/
Reopening this bug. In a move that I completely fail to understand, the
RBSDigital system now refuses to give Firefox access once again. When following
the "Information on supported browsers" link, Firefox is listed.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
To elaborate:

RBS have rewritten their entire online banking service. The new version has
managed, astonishingly, to be even less standards or browser-friendly than the
old one.

This time, the server-side parser (which is giving out entirely different sites
for different UAs, gotta love asp.NET) is specifically blocking Gecko revision 1.8:

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20051009 Firefox/1.0.7

works, whereas

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051009 Firefox/1.0.7

is rejected.

 - Chris
(In reply to comment #32)

I can confirm this behaviour, with revision 1.7 of Firefox being allowed to
access the site; I'm using Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.7.10)
Gecko/20050721 Firefox/1.0.4 (Ubuntu package 1.0.6).

I'm also attaching an image illustrating a CSS bug which appears under Firefox.

Obviously we can't tell what setup RBS have exactly, but for what it's worth,
having been an ASP.NET developer I've had very good results with this updated
browsercaps file for serving appropriate code to non-IE browsers:
http://slingfive.com/pages/code/browserCaps/
Attached image CSS bug in Firefox
Also to note that the new site doesn't work with Seamonkey (current build:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20050915
MultiZilla/1.8.1.0r SeaMonkey/1.1a)
I emailed the bank to complain and got the following response

---- begin ----
Thank you for your email to Digital Banking.

Our list of supported browsers are as follows

A PC with Microsoft Windows 95/98/NT/2k/Me/XP Home or Pro or an Apple
Macintosh with OS 8.1 or above 28.8kbps modem (although 56kbps preferred) An
internet account with an Internet Service Provider 
*	Internet Explorer 5.0 and above(Windows only) 
*	Netscape 7.1, 7.2 and 8.0 (8.0 is Windows only) 
*	Mozilla 1.5 and above 
*	AOL 8.0 and above(Windows only) 
*	Firefox Version 1.x 
*	Safari 1.3 (312) + 2.0 (412) (Mac OS 10 only) 
*	Internet Explorer 5.1.7 (Mac OS 8+9 only) 
*	Mozilla 1.2.1 (Mac OS 8+9 only) 
Screen with 800 x 600 Pixel Resolution

At this time we have no plans to support the web browser you have mentioned.


Please accept our apologies for any inconvenience you have been caused in
this matter.
---- end ----

For what it's worth, spoofing the UA to Mozilla 1.6 lets me in to the site.
Now that SeaMonkey 1.0 final has been released, should we try and make another effort to try and get SM accepted?
Raj, sure. When you contact them remember to get them to allow any Gecko browser. Send them a link to <http://developer.mozilla.org/en/docs/Browser_Detection_and_Cross_Browser_Support>. It may help although it is a bit old.
One of the best references/recommendations I've found for encouraging financial institutions to support firefox is located at bankers on-line web site 

http://www.bankersonline.com/security/security_browserthreat070204.html 

It was written in 2004 during the download.ject attack, but much of it still applies today.  This is a good link to send when contacting banks.
RBS now says

http://www.rbs.co.uk/personal/online-banking/g2/need.ashx

Camino and Minefield are both rejected outright. If I spoof exactly as Firefox 2, I can get in just fine (to the extent that I can get in at all without an account).

Tweaking summary and blocking 334967.

Stuart, is there any particular *technical* reason you guys are choosing to completely block access by users of Gecko-based browsers other than Firefox? Please give

http://geckoisgecko.org/

a read if there isn't and consider implementing engine sniffing rather than browser sniffing. If there *is* a technical reason to block non-Firefox Gecko browsers, please tell us what it is so that it can be addressed.
Blocks: geckoisgecko
Summary: rbsdigital.com - deny NS6/Moz → rbsdigital.com - rejects non-Firefox Gecko browsers
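
The contrast between browser sniffing and engine sniffing raised in the comment above, as an added example that is not part of the bug report: it runs both checks over User-Agent strings quoted in this thread. `browser_sniff_allows` is a hypothetical model of the behaviour commenters observed, not RBS's actual server code, and the Safari string is a constructed sample.

```python
"""Added example: browser-name sniffing vs. engine sniffing on User-Agent strings.

Both decisions read a client-supplied header, so they are compatibility
hints only and cannot act as an access control.
"""
import re

_COMMENT = re.compile(r"\([^)]*\)")                # "(Windows; U; ...; rv:1.8)"
_PRODUCT = re.compile(r"([A-Za-z][\w.-]*)/(\S+)")  # "Gecko/20051009"
_RV = re.compile(r"\brv:([\d.]+\w*)")

# The first three strings are quoted in the thread; the Safari one is a
# constructed sample of a non-Gecko browser that still says "like Gecko".
FIREFOX_RV17 = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) "
                "Gecko/20051009 Firefox/1.0.7")
FIREFOX_RV18 = FIREFOX_RV17.replace("rv:1.7", "rv:1.8")
SEAMONKEY = ("Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) "
             "Gecko/20050915 MultiZilla/1.8.1.0r SeaMonkey/1.1a")
SAFARI = ("Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en) AppleWebKit/412 "
          "(KHTML, like Gecko) Safari/412")


def parse_ua(ua):
    """Return the product tokens outside comments and the rv: revision inside them."""
    comments = " ".join(_COMMENT.findall(ua))
    products = dict(_PRODUCT.findall(_COMMENT.sub(" ", ua)))
    rv = _RV.search(comments)
    return {"products": products, "rv": rv.group(1) if rv else None}


def browser_sniff_allows(ua):
    """Hypothetical model of the gate the thread describes (not RBS's code):
    a named browser plus a fixed engine revision."""
    info = parse_ua(ua)
    return "Firefox" in info["products"] and (info["rv"] or "").startswith("1.7")


def engine_sniff_allows(ua):
    """Accept any browser carrying a real Gecko/<build date> product token."""
    build = parse_ua(ua)["products"].get("Gecko", "")
    return re.fullmatch(r"\d{8}", build) is not None


def compare(uas):
    """Map each UA to (browser-sniff decision, engine-sniff decision)."""
    return {ua: (browser_sniff_allows(ua), engine_sniff_allows(ua)) for ua in uas}


if __name__ == "__main__":
    for ua, (by_name, by_engine) in compare(
            [FIREFOX_RV17, FIREFOX_RV18, SEAMONKEY, SAFARI]).items():
        print(f"name={by_name!s:5} engine={by_engine!s:5} {ua}")
```
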
I see this is basically the same thing as bug 307525. Same parent company, different URL.

Stuart, my comments over in that bug apply equally to this one.
Confirming problem still exists as of today... :(
Status: REOPENED → RESOLVED
Closed: 19 years ago → 9 years ago
Resolution: --- → FIXED
Product: Tech Evangelism → Tech Evangelism Graveyard