293495 - att.com / sbc.com - bad browser-sniffing to determine whether browser supports 128-bit encryption

Status: RESOLVED INVALID

(Tech Evangelism Graveyard :: English US, defect)

Description

[Will Budreau]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414 Firefox/1.0.3

On SBC site, pressing link to check that supposedly checks whether my browser
supports 128 Bit ssl brings me to the attached URL, reporting that I do not have
a browser that supports 128 bit encryption.

Unfortuatnely, it is not easy as a user to find out if the browser actually does
support 128 bit encryption, so if I didn't know better, I would sad-facedly
think it was the browser that was lacking support.

Reproducible: Always

Steps to Reproduce:




Message sent online at
https://www02.sbc.com/ContactUs/EmailUs/form/1,,,00.html?id=405&from=

Im using Mozilla Firefox version 1.0.3 which supports 128 bit encryption.
However, when I go to the following page, I am told:

https://www06.sbc.com/myaccount/encryption.jsp

"Browser Encryption Results:

Your browser in not using 128-bit encryption. To access our online services,
click on your internet browser icon below. Follow the instructions at the site
to update your browser."

I'm unable to register with the site, not sure if it's because my phone is still
being activated or if it's a browser problem. For some more information on
browser security, please see:
http://www.mozilla.org/support/firefox/options#connection

Plus there's a minor typo: "in" should be "is"

Looking forward to using the site to access SBC's services!

Comment 1

[Chris Lawson (gone)]

Looks to me like SBC has changed a lot of things since this was filed. Does logging in to

https://cprodmasx.att.com/commonLogin/igate_wam/controller.do?TAM_OP=login&URL=/account&HOSTNAME=cprodmasx.att.com

work now?

Comment 2

[Chris Lawson (gone)]

Heh. I dunno if the original bug is still extant, but they're definitely using some pretty busted browser sniffing to detect what is and isn't capable of 128-bit encryption:

<SCRIPT language="Javascript">
//
// Browser Detection
//
isMac = (navigator.appVersion.indexOf("Mac")!=-1) ? true : false;
NS4 = (document.tags) ? true : false;
IEmac = ((document.all)&&(isMac)) ? true : false;
IE4plus = (document.all) ? true : false;
IE4 = ((document.all)&&(navigator.appVersion.indexOf("MSIE 4.")!=-1)) ? true : false;
IE5 = ((document.all)&&(navigator.appVersion.indexOf("MSIE 5.")!=-1)) ? true : false;
IE6 = ((document.all)&&(navigator.appVersion.indexOf("MSIE 6.")!=-1)) ? true : false;
ver4 = (NS4 || IE4plus) ? true : false;
NS6 = (!document.layers) && (navigator.userAgent.indexOf('Netscape')!=-1)?true:false;

IE5plus = IE5 || IE6;
IEMajor = 0;

var ieMinorVersion;
var nsMinorVersion;


if (IE4plus)
{
	
	var versionString = navigator.appVersion.split(";");
	
	for(i = 0; i < versionString.length; i++)
	{
		if(versionString[i].indexOf("MSIE") != -1)
		{
			var version = versionString[i];

			ieMinorVersion = parseFloat(version.substring(5, version.length));
		}
	}
}
else if (NS4)
{
	var versionString = navigator.appVersion.split(";");
	
	for(i = 0; i < versionString.length; i++)
	{
		if(versionString[i].indexOf("Netscape") != -1)
		{
			var version = versionString[i];

			nsMinorVersion = parseFloat(version.substring(9, version.length)); 
		}
	}
}
</SCRIPT>

Confirming and bumping severity, since AT&T has become HUGE.

Neither Firefox 2 nor Camino trunk passes their "test", and it doesn't appear to me any other modern browser besides IE will, either.

cl

Comment 3

[Chris Lawson (gone)]

Strangely, they don't seem to care that my browser fails their test; I can log in and use my online account access just fine ;)

Comment 4

[Adam Stevenson [:adamopenweb]]

Site no longer exists, closing.