Closed Bug 1440839 Opened 6 years ago Closed 6 years ago

SFCU (and probably other credit unions) broken due to CDN (cdn1.onlineaccess1.com) using a Symantec cert

Categories

(Web Compatibility :: Site Reports, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: dholbert, Unassigned)

Attachments

(3 files)

STR:
 1. Visit https://www.sfcu.org
 2. Type anything into username/password fields (e.g. "aaa"/"aaa")

EXPECTED RESULTS:
Should be taken to a "login failed" page.

ACTUAL RESULTS:
You end up at a blank page. Browser Console shows:
========
Loading failed for the <script> with source “https://cdn1.onlineaccess1.com/cdn/base/4.2.3.5C/assets/vendorapp.js”.  uux.aspx:27
Loading failed for the <script> with source “https://cdn1.onlineaccess1.com/cdn/5105/4.2.3.5C/000107/assets/resources/en-us.js”.  uux.aspx:30
Loading failed for the <script> with source “https://cdn1.onlineaccess1.com/cdn/5105/4.2.3.5C/000107/assets/themejs/theme-q2.js”.  uux.aspx:31
ReferenceError: yepnope is not defined  uux.aspx:34:2
ReferenceError: loadApplication is not defined  uux.aspx:40:13
========

Alternate STR:
1. Just directly visit https://cdn1.onlineaccess1.com/ and see if you get a cert error. 

The failure is happening because SFCU's CDN -- https://cdn1.onlineaccess1.com/ -- triggers a cert error, because it uses a cert issued by Symantec (prior to June 1 2016 which I think is the current cutoff date for trust).

This stopped working when bug 1434300 landed (which is when we stopped trusting Symantec certs).  I believe the fix is for this CDN to update its certificate to a different (trusted) issuer.  Hence, filing as Tech Evangelism to track the outreach. (I expect there will be more such bugs filed as fallout from bug 1434300.)

Chrome Dev Edition hits the same issue, because they've untrusted these Symantec certs as well. (If I understand correctly, I think Chrome's symantec-distrust will make it to their release version quite soon, on March 15, per https://security.googleblog.com/2017/09/chromes-plan-to-distrust-symantec.html -- that'll effectively break this site for all Chrome users.)

I sent an email to SFCU -- I'll post updates here if I hear back.
Summary: SFCU (and probably other credit unions) broken due to → SFCU (and probably other credit unions) broken due to CDN (cdn1.onlineaccess1.com) using a Symantec cert
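
Added example (not part of the bug report and not Mozilla's code): a Python audit a site operator could run to find which third-party script hosts on a page would hit the failure described in comment 0. It assumes certificate metadata in the dict shape returned by `ssl.SSLSocket.getpeercert()`, uses the June 1 2016 cutoff the reporter mentions, and matches issuer names as a heuristic (browsers match root keys instead); the brand list, the helper names and all sample certificate values are constructed for illustration.

```python
import ssl
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Cutoff date as stated in comment 0 of the report.
CUTOFF = ssl.cert_time_to_seconds("Jun  1 00:00:00 2016 GMT")
# Assumption: issuer-name heuristic; real browsers match the root keys.
SYMANTEC_BRANDS = ("symantec", "geotrust", "thawte", "rapidssl", "verisign")

class ScriptHosts(HTMLParser):
    """Collect the hosts of absolute https <script src=...> tags."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "script" and src.startswith("https://"):
            self.hosts.add(urlsplit(src).hostname)

def script_hosts(html):
    parser = ScriptHosts()
    parser.feed(html)
    return parser.hosts

def is_distrusted(cert):
    """cert: dict shaped like the result of ssl.SSLSocket.getpeercert()."""
    issuer = " ".join(v for rdn in cert["issuer"] for _, v in rdn).lower()
    issued = ssl.cert_time_to_seconds(cert["notBefore"])
    return any(b in issuer for b in SYMANTEC_BRANDS) and issued < CUTOFF

def audit(html, certs):
    """Script hosts whose certificate matches; hosts without cert data are skipped."""
    return sorted(h for h in script_hosts(html)
                  if h in certs and is_distrusted(certs[h]))

def make_cert(org, not_before):  # hypothetical helper for the sample data
    return {"issuer": ((("organizationName", org),),), "notBefore": not_before}

# Constructed sample input: the host name is from the report, the
# certificate fields are invented and are not the CDN's real certificate.
SAMPLE_HTML = (
    '<script src="https://cdn1.onlineaccess1.com/cdn/base/4.2.3.5C/assets/vendorapp.js"></script>'
    '<script src="https://static.example.net/app.js"></script>'
    '<script src="/local.js"></script>')
SAMPLE_CERTS = {
    "cdn1.onlineaccess1.com": make_cert("Symantec Corporation", "Mar 10 00:00:00 2015 GMT"),
    "static.example.net": make_cert("Example CA", "Mar 10 00:00:00 2015 GMT"),
}

if __name__ == "__main__":
    print(audit(SAMPLE_HTML, SAMPLE_CERTS))
```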
(In reply to Daniel Holbert [:dholbert] from comment #0)
>  2. Type anything into username/password fields (e.g. "aaa"/"aaa")
> [...]
> ACTUAL RESULTS:
> You end up at a blank page.

To clarify -- this same problem happens if you type in a *valid* username/password, too.  That's just not as easy to test. :)
Gonna close this as invalid, since we don't expect to do outreach for these types of sites, per JCJones. Thanks for the report, Daniel!
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INVALID
OK. I did personally do some outreach, per end of comment 0, but I haven't heard anything back yet. :)
Product: Tech Evangelism → Web Compatibility