Bug 448306 (Closed)
Page fails to load (returns empty HTML)
Opened 17 years ago, closed 16 years ago
Categories: Firefox :: General, defect
Status: RESOLVED WORKSFORME
People: Reporter: jim, Unassigned
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.1) Gecko/2008070208 Firefox/3.0.1
Firefox is unusable for certain government sites which have valid certs (but the exact cert is not listed in Firefox normal cert store). For further information, see http://forums.mozillazine.com/viewtopic.php?t=648893 See particular reports by cuppettcj.
Reproducible: Always
Steps to Reproduce:
1. select www.govtrip.com
2. click on Login button under "Login to GovTrip" - should redirect to https://etsproweb.govtrip.com/wl/site/index.jsp
3. right click on same link - select open in new tab
4. view page source - result is "<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title></title></head><body></body></html>"
5. perform tasks 1-4 in IE 6 or 7 - see "expected Results"
Actual Results:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title></title></head><body></body></html>
Expected Results:
<HTML>
<HEAD>
<TITLE>GovTrip System
</TITLE>
<LINK REL="STYLESHEET" HREF="iestyle.css">
<SCRIPT lANGUAGE ="Javascript">
<!--
var hasDBsign = false;
//-->
</SCRIPT>
<SCRIPT LANGUAGE="VBScript">
<!--
on error resume next
hasDBsign = NOT IsNull(CreateObject("DBsignWeb.DbsWebCtrl"))
//-->
</SCRIPT>
<SCRIPT LANGUAGE="Javascript">
<!--
var i;
for (i = 0; i < navigator.plugins.length; i++) {
if (navigator.plugins[i].name == "DBsign Web Signer")
hasDBsign = true;
}
hasDBsign = true;
if ( !hasDBsign ) {
location.replace("/DBsign/index.htm");
}
if (document.images)
{
accept_up = new Image();
accept_up.src = "grphx/but_accept_up.gif";
accept_down = new Image();
accept_down.src = "grphx/but_accept_down.gif";
}
function img_act(imgName)
{
if (document.images)
{
imgDown = eval(imgName + "_down.src");
document[imgName].src = imgDown;
}
}
function img_inact(imgName)
{
if (document.images)
{
imgUp = eval(imgName + "_up.src");
document[imgName].src = imgUp;
}
}
//-->
</script>
</HEAD>
<BODY>
<CENTER> <p>
<img src='grphx/gsa_printlogo.gif' width=300 height=103 border=0 alt='Welcome to the GovTrip System'>
<p>
<TABLE CELLPADDING="0" CELLSPACING="0" BORDER="0" WIDTH="569">
<TR>
<TD WIDTH="2" BGCOLOR="#40708D"><IMG SRC="grphx/blank.gif" WIDTH="2" HEIGHT="4" BORDER="0" ALT=""></TD>
<TD WIDTH="565" VALIGN="TOP">
<TABLE CELLPADDING="0" CELLSPACING="0" WIDTH="565" BORDER="0">
<form action="login.jsp">
<TR>
<TD WIDTH="565" VALIGN="TOP" COLSPAN="3" BGCOLOR="#40708D"><IMG SRC="grphx/gsa_boxT_prv.gif" WIDTH=365 HEIGHT=23 BORDER=0 ALT="Privacy and Ethics Policy"></TD>
</TR>
<TR>
<TD WIDTH="565" VALIGN="TOP" COLSPAN="3"><IMG SRC="grphx/blank.gif" WIDTH="365" HEIGHT="11" BORDER="0" ALT=""></TD>
</TR>
<TR>
<TD WIDTH="8" VALIGN="TOP"><IMG SRC="grphx/blank.gif" WIDTH="8" HEIGHT="1" BORDER="0" ALT=""></TD>
<TD WIDTH="549" VALIGN="TOP" CLASS="text11black"><font color="#990000">Please read the following government Privacy & Ethics Policy concerning the GovTrip website, travel, and usage. By signing in to the GovTrip System, you agree to the terms and conditions of use.</FONT>
<HR>
<P><textarea name="privacyWarning" cols="65" rows="13" warp="physical" READONLY="yes">WARNING
This is a U.S. Federal Government information system that is "FOR OFFICIAL USE ONLY". Unauthorized access is a violation of U.S. Law and may result in criminal or administrative penalties. Users shall not access other users' or system files without proper authority. Absence of access controls IS NOT authorization for access! Information systems and equipment related to the eTravel Service are intended for communication, transmission, processing, and storage of U.S. Government information. These systems and equipment are subject to monitoring by law enforcement and authorized officials. Monitoring may result in the acquisition, recording, and analysis of all data being communicated, transmitted, processed, or stored in this system by law enforcement and authorized officials. Use of this system constitutes consent to such monitoring.
PRIVACY ACT NOTICE
This system contains information protected under the provisions of the privacy act of 1974 (Public Law 93-579). Any privacy information displayed on the screen or printed must be protected from unauthorized disclosure. Employees who violate privacy safeguards may be subject to disciplinary actions, a fine of up to $5,000, or both.
The information requested in GovTrip is collected pursuant to Executive Order 9397 and Chapter 57, Title 5 United States Code for the purpose of recording travel information provided by the user to create travel itineraries, reserve any method or mode of travel accommodations, and claim entitlements and allowances prescribed in applicable federal travel regulations. The purpose of the collection of this information is to establish a comprehensive travel services system which enables travel service providers under contract with the Federal government to authorize, issue, and account for travel and travel reimbursements provided to individuals on official Federal government business. Routine uses which may be made of the collected information and other financial account information in the system(s) of record entitled "Contracted Travel Services Program GSA/GOVT-4" are as follows:
(1) transfers to a Federal, State, local or foreign agency responsible for investigating, prosecuting, enforcing, or carrying out a statute, rule, regulation, or order, where agencies become aware of a violation or potential violation of civil or criminal law or regulation;
(2) pursuant to a request of another Federal agency or a court when the Federal government is party to judicial proceeding;
(3) to a Member of Congress or a congressional staff member in response to an inquiry from that congressional office made at the request of the individual who is the subject of the record;
(4) to a Federal agency employee, expert, consultant, or contractor in performing a Federal duty for purposes of authorizing, arranging, and/or claiming reimbursement for official travel, including, but not limited to, traveler profile information;
(5) to a credit card company for billing purposes, including collection of past due amounts;
(6) to a Federal agency, expert, consultant, or contractor for accumulating reporting data, conducting surveys, and monitoring the system in the performance of a Federal duty;
(7) to a Federal agency by the contractor in the form of itemized statements or invoices, and reports of all transactions, including refunds and adjustments to enable audits of charges to the Federal government;
(8) to a Federal agency, in response to its request, in connection with the hiring or retention of any employee to the extend that the information is relevant and necessary to the requesting agency's decision on the matter;
(9) to an authorized appeal or grievance examiner, formal complaints examiner, equal employment opportunity investigator, arbitrator, or other duly authorized official engaged in investigation or settlement of a grievance, complaint, or appeal filed by an employee to whom the information pertains;
(10) to the Office of Personnel Management (OPM) in accordance with the agency's responsibility for evaluation of Federal personnel management;
(11) to officials of labor organizations recognized under 5 U.S.C. Chapter 71 when relevant and necessary to their duties of exclusive representation concerning personnel policies, practices, and matters affecting working conditions;
(12) to a travel services provider for billing and refund purposes;
(13) to a carrier or an insurer for settlement of an employee claim for loss of or damage to personal property incident to service under 31 U.S.C. & 3721, or to a party involved in a tort claim against the Federal government resulting from an accident involving a traveler;
(14) to a credit reporting agency or credit bureau, as allowed and authorized by law, for the purpose of adding to a credit history file when it has been determined that an individual's account with a creditor with input to the system is delinquent;
(15) summary or statistical data from the system with no reference to an identifiable individual may be released publicly;
(16) any other use specified by GSA in the system of records entitled "Contracted Travel Services Program GSA/GOVT-4" as published in the Federal Register periodically by GSA. Information requested is voluntary, however, failure to provide the information may nullify the ability to book online travel reservations.
GovTrip Rules of Behavior
All users will be provided a copy of the rules of behavior and will have to acknowledge them in accordance with local agency policy prior to being granted access to the system.
A-1. Introduction
The following rules of behavior shall be followed by all users of the GovTrip System with respect to its individual components. The GovTrip System will be a United States General Services Admin Federal Government computer system that is ?FOR OFFICIAL USE ONLY.? The system shall be subject to monitoring; therefore, no expectation of privacy shall be assumed. Individuals found performing unauthorized activities are subject to disciplinary action including criminal prosecution.
The rules delineate responsibilities of and expectations for all individuals with user accounts to be established for the GovTrip System. Non-compliance with these rules may result in denial of access to the system and/or other actions that are commensurate with the non-compliant activity.
A-2. Access
GovTrip System users shall obey the following access rules:
Only use data for which you have been granted authorization.
Do not retrieve information for someone who does not have authority to access the information; only give information to personnel who have access authority and have a need to know for their GSA (or other Federal Agency) jobs.
Do not access, research, or change any user account, file, directory, table, or record not required to perform your OFFICIAL duties.
Do not store sensitive files on a PC hard drive if access to the PC or files cannot be physically or technically limited.
A-2.1 Account Registration
A-2.2 Logging On To The System
All users shall have a unique User Identification/Account name and password. Access shall be granted based on authenticating the account name and password entered by the user. Multiple (e.g., 3) successive failed login attempts within a specified time period (e.g., one hour) may cause the account to lock, denying the user access to the system until the account is unlocked.
A-2.3 Information Accessibility
The GovTrip System shall restrict access to information based on the type and identity of the user. However, regardless of the type of user, access shall be restricted to the minimum level necessary to perform the job.
Government Clients, Contractors/Vendors/Industry Partners, and Federal Employees shall access only those documents they created and those other documents to which they have a valid need-to-know and to which they have been granted access through the GovTrip application (e.g., based on their permission level, organization access, and/or group access). Federal employees may be afforded additional privileges based on the function they perform (contracting officer, customer service representative, funding manager, etc.).
A-3. Government Clients, Contractors, Vendors, And Industry Partners
A-3.1 Accountability
GovTrip System users shall obey the following accountability rules:
Behave in an ethical, technically proficient, informed, and trustworthy manner.
Logout of the system whenever you leave the vicinity of your PC.
A-3.2 Confidentiality
Be aware of the sensitivity of electronic and hardcopy information, and protect it accordingly.
Do not allow confidential information to remain on the PC screen when someone who is not authorized to that data is in the vicinity.
Store hardcopy reports/storage media containing confidential information in a locked room or cabinet.
Erase sensitive data on storage media, prior to reusing or disposing of the media.
A-3.3 Integrity
Protect your system against viruses and similar malicious programs.
Observe all software license agreements. Do not violate Federal copyright laws.
Do not install or use unauthorized software within the system libraries or folders. Do not use freeware, shareware or public domain software on/with the system without your manager?s permission and without scanning it for viruses first.
Follow industry standard procedures for maintaining and managing GovTrip hardware, oper?at?ing system software, application software, and/or database software and database tables.
A-3.4 Application Rules
Passwords
Government clients, contractors, vendors, and industry partners shall abide by the password generation and protection guidelines of the agency they are supporting. At a minimum, users should follow these best practices:
Protect your password(s) from disclosure. You are responsible for any information system activity associated with your user ID and password.
Do not share your password with others or reveal it to anyone. If there is an operational need to do so, immediately change the password after the need has passed.
Do not post your password in your work area or hard code it into scripts.
Do not use another person?s user ID and password.
Change your password if you think your password is known by an unauthorized individual and immediately notify your Information System Security Officer (ISSO).
Use unique passwords for each system and application you access.
NEVER give your password out over the phone.
Be alert to others who may try to obtain your password. Sometimes hackers pose as a system administrator. A hacker may randomly call a user and say that something is wrong on the system to get arbitrary access to your system. They may tell you that they need your password in order to issue you a new one. Always remember that system administrators DO NOT need your password in order to issue you a new password.
Do not write down your password(s). Memorize them using easy to remember phrases.
Do not re-cycle passwords by changing them at the required interval and using a few of them over and over in turn, or making minor changes to passwords by adding a number to the base password (e.g., password is changed to password1, password1 is changed to password2).
A-3.5 Backups
Plan for contingencies such as physical disasters, loss of processing, and disclosure of information by preparing alternate work strategies and system recovery mechanisms.
Make backups of systems and files on a regular, defined basis.
If possible, store backups away from the system in a secure environment.
A-3.6 Reporting
Contact and inform your ISSO that you have identified an IT security incident and you will begin the reporting process by providing an IT Incident Reporting Form regarding this incident. If you cannot get in contact with the ISSO, contact the Information System Security Manager (ISSM).
NEVER assume that someone else has already reported an incident. The risk of an incident going unreported far outweighs the possibility that an incident gets reported more than once.
A-4. FEDERAL EMPLOYEES
A-4.1 Accountability
GovTrip System users shall obey the following accountability rules:
Behave in an ethical, technically proficient, informed, and trustworthy manner.
Be alert to threats and vulnerabilities in the security of the system. Report all security incidents IAW CIO IT Security Procedural Guide 01-02, Handling IT Security Incidents.
Differentiate tasks and functions to ensure that no one person has sole access to or control over important resources.
Logout of the system whenever you leave the vicinity of your PC.
A-4.2 Confidentiality
Be aware of the sensitivity of electronic and hardcopy information, and protect it accordingly.
Do not allow confidential information to remain on the PC screen when someone who is not authorized to that data is in the vicinity.
Store hardcopy reports/storage media containing confidential information in a locked room or cabinet.
Erase sensitive data on storage media, prior to reusing or disposing of the media.
A-4.3 Integrity
Protect your system against viruses and similar malicious programs.
Do not install or use unauthorized software within the system libraries or folders. Do not use freeware, shareware or public domain software on/with the system without your manager?s permission and without scanning it for viruses first.
Observe all software license agreements. Do not violate Federal copyright laws.
Follow industry standard procedures for maintaining and managing GovTrip hardware, oper?ating system software, application software, and/or database software and database tables.
Do not use GovTrip for personal use.
A-4.4 Application Rules
Passwords
GovTrip System users shall abide by the guidelines found in CIO IT Security Procedural Guide 01-01, Password Generation and Protection.
Passwords shall:
Be changed or expire in 90 days or less.
Contain:
At least 8 characters.
A combination of alphabetic, numeric, and special characters.
A nonnumeric in the first and last position.
No more than three identical consecutive characters in any position from the previous password
Not contain:
Any dictionary word in any language.
Any proper noun or the name of any person, pet, child, or fictional character.
Any employee serial number, Social Security number, birth date, phone number, or any information that could be readily guessed about the creator of the password.
Any simple pattern of letters or numbers, such as ?qwerty?, or ?xyz123?.
Any word, noun, or name spelled backwards or appended with a single digit or with a two-digit ?year? string, such as 98xyz123.
Pass phrases, if used in addition to or instead of passwords, should follow the same guidelines.
Protect your password(s) from disclosure. You are responsible for any information system activity associated with your user ID and password.
Do not share your password with others or reveal it to anyone. If there is an operational need to do so, immediately change the password after the need has passed.
Do not post your password in your work area or hard code it into scripts.
Do not use another person?s user ID and password.
Change your password if you think your password is known by an unauthorized individual and immediately notify your Information System Security Officer (ISSO).
Use unique passwords for each system and application you access.
NEVER give your password out over the phone.
Be alert to others who may try to obtain your password. Sometimes hackers pose as a system administrator. A hacker may randomly call a user and say that something is wrong on the system to get arbitrary access to your system. They may tell you that they need your password in order to issue you a new one. Always remember that system administrators DO NOT need your password in order to issue you a new password.
Do not write down your password(s). Memorize them using easy to remember phrases.
Do not re-cycle passwords by changing them at the required interval and using a few of them over and over in turn, or making minor changes to passwords by adding a number to the base password (e.g., password is changed to password1, password1 is changed to password2).
A-4.5 Session Time Out
GovTrip system users shall utilize a screen saver with password protection set to suspend operations at no greater than 15-minutes of inactivity. This will prevent inappropriate access and viewing of any material displayed on your screen after some period of inactivity. The GovTrip system will also implement system-based timeouts that will require the user to reauthenticate to the system after specified periods of inactivity.
A-4.6 Backups
Plan for contingencies such as physical disasters, loss of processing, and disclosure of information by preparing alternate work strategies and system recovery mechanisms.
Make backups of systems and files on a regular, defined basis.
If possible, store backups away from the system in a secure environment.
A-4.7 Hardware
Avoid placing system equipment near obvious environmental hazards (e.g., water pipes).
Do not eat or drink near system equipment.
Keep an inventory of all system equipment.
Keep records of maintenance/repairs performed on system equipment.
A-4.8 Awareness
Participate in organization-wide security training as required.
Read and adhere to security information pertaining to system hardware and software.
A-4.9 Reporting
Contact and inform your ISSO that you have identified an IT security incident and you will begin the reporting process by providing an IT Incident Reporting Form regarding this incident. If you cannot get in contact with the ISSO, contact the Information System Security Manager (ISSM). Contact the Office of the Senior Agency Information Security Officer, if you cannot get in contact with the ISSO or ISSM.
Report security incidents IAW CIO IT Security Procedural Guide 01-02, Handling IT Security Incidents.
NEVER assume that someone else has already reported an incident. The risk of an incident going unreported far outweighs the possibility that an incident gets reported more than once.
Seek assistance and/or challenge unescorted strangers in areas where the system is being used.
A-4.10 Privileged Users
Protect the supervisor or system administrator password.
Avoid instances where the same individual has responsibility for several functions (i.e., transaction entry and transaction approval).
Watch for unscheduled, unusual, and unauthorized programs.
Help train system users on the appropriate use and security of the system.
Establish protective controls to ensure the accountability, integrity, confidentiality, and availability of the system.
Replace passwords when a compromise is suspected. Delete user accounts as quickly as possible from the time that the user is no longer authorized system. Passwords forgotten by their owner should be replaced, not reissued.
Terminate user accounts when a user transfers or has been terminated. If the user has authority to grant authorizations to others, review these other authorizations. Retrieve any devices used to gain access to the system or equipment. Cancel logon IDs and passwords, and delete or reassign related active and back up files.
Use a suspend program to prevent an unauthorized user from logging on with the current user's ID if the system is left on and unattended.
Verify the identity of the user when resetting passwords. This can be done either in person or having the user answer a question that can be compared to one in the administrator?s database.
A-4.11 Remote Access
GovTrip System users requiring remote access have already gained access to a network either through their office or through an authorized GSA Remote Access Server (RAS). If a user has access to a RAS, they obtained that access through their local GSA LAN administrator. It is that local administrator?s responsibility to obtain an acknowledgement of the Rules of Behavior associated with remote access. Refer to CIO-IT Security Procedural Guide 01-11, Remote Access for specific guidelines.
I have read and agree to abide by the GovTrip System Rules of Behavior.
</textarea>
<HR>
</TD>
<TD WIDTH="8" VALIGN="TOP"><IMG SRC="grphx/blank.gif" WIDTH="8" HEIGHT="1" BORDER="0" ALT=""></TD>
</TR>
<TR>
<TD WIDTH="565" VALIGN="TOP" COLSPAN="3"><IMG SRC="grphx/blank.gif" WIDTH="365" HEIGHT="8" BORDER="0" ALT=""></TD>
</TR>
<TR>
<TD WIDTH="8" VALIGN="TOP"><IMG SRC="grphx/blank.gif" WIDTH="8" HEIGHT="1" BORDER="0" ALT=""></TD>
<TD WIDTH="549" VALIGN="TOP" ALIGN="MIDDLE" CLASS="text11black">
<TABLE CELLPADDING="0" CELLSPACING="0" WIDTH="150" BORDER="0">
<TD WIDTH="75" VALIGN="MIDDLE" ALIGN="CENTER"><A HREF="/wl/site/j_security_check?j_uri=/wl/site/index.jsp" onClick="document.location.href='http://www.govtrip.com/govtrip/site/index.jsp'" TARGET="_blank" onMouseDown="img_act('accept');" onMouseOut="img_inact('accept');" onMouseUp="img_inact('accept');"><img name="accept" src="grphx/but_accept_up.gif" alt="Accept" width="69" height="27" border="0"></A></TD>
<TD WIDTH="75" VALIGN="MIDDLE" ALIGN="CENTER"><INPUT TYPE="BUTTON" onClick="location.href='http://www.govtrip.com/govtrip/site/index.jsp'" VALUE="Decline" ID="loginButton"></TD>
</TABLE>
</TD>
<TD WIDTH="8" VALIGN="TOP"><IMG SRC="grphx/blank.gif" WIDTH="8" HEIGHT="1" BORDER="0" ALT=""></TD>
</TR>
<TR>
<TD WIDTH="565" VALIGN="TOP" COLSPAN="3"><IMG SRC="grphx/blank.gif" WIDTH="365" HEIGHT="11" BORDER="0" ALT=""></TD>
</TR>
</TABLE>
</TD>
<TD WIDTH="2" BGCOLOR="#40708D"><IMG SRC="grphx/blank.gif" WIDTH="2" HEIGHT="4" BORDER="0" ALT=""></TD>
</TR>
<TR>
<TD WIDTH="569" COLSPAN="3" VALIGN="TOP"><IMG SRC="grphx/gsa_bar_lgSlate.gif" WIDTH=569 HEIGHT=7 BORDER=0 ALT=""></TD>
</TR>
</form>
</TABLE>
</CENTER>
</BODY></HTML>
This may be related to a failure to validate a valid certificate.
Updated•17 years ago (Reporter)
Version: unspecified → 3.0 Branch
Comment 1•17 years ago (Reporter)
This problem did not occur in FF 2
Comment 2•17 years ago
Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9.1a2pre) Gecko/2008072717 Minefield/3.1a2pre
Works fine for me. The first time I load the "Log in" page, I get a security error page, which is expected since the site does not use a valid PKI cert. But if I add an exception for the cert, I get a page full of legalese, not a blank page.
What happens if you load another page with a cert that has similar problems, such as https://www-stage.authstage.mozilla.com/?
Comment 3•17 years ago (Reporter)
(In reply to comment #0)
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.1)
> Gecko/2008070208 Firefox/3.0.1
> Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.1)
> Gecko/2008070208 Firefox/3.0.1
>
> Firefox is unusable for certain government sites which have valid certs (but
> the exact cert is not listed in Firefox normal cert store). For further
> information, see http://forums.mozillazine.com/viewtopic.php?t=648893 See
> particular reports by cuppettcj.
>
> Reproducible: Always
>
> Steps to Reproduce:
> 1. select www.govtrip.com
> 2. click on Login button under "Login to GovTrip" - should redirect to
> https://etsproweb.govtrip.com/wl/site/index.jsp
> 3. right click on same link - select open in new tab
> 4. view page source - result is "<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01
> Transitional//EN"><html><head><title></title></head><body></body></html>"
> 5. perform tasks 1-4 in IE 6 or 7 - see "expected Results"
> Actual Results:
> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01
> Transitional//EN"><html><head><title></title></head><body></body></html>
>
> Expected Results:
>
>
>
>
> <HTML>
> <HEAD>
> <TITLE>GovTrip System
> </TITLE>
> <LINK REL="STYLESHEET" HREF="iestyle.css">
> <SCRIPT lANGUAGE ="Javascript">
> <!--
> var hasDBsign = false;
> //-->
> </SCRIPT>
> <SCRIPT LANGUAGE="VBScript">
> <!--
> on error resume next
> hasDBsign = NOT IsNull(CreateObject("DBsignWeb.DbsWebCtrl"))
> //-->
> </SCRIPT>
> <SCRIPT LANGUAGE="Javascript">
> <!--
> var i;
>
> for (i = 0; i < navigator.plugins.length; i++) {
> if (navigator.plugins[i].name == "DBsign Web Signer")
> hasDBsign = true;
> }
>
>
> hasDBsign = true;
>
>
> if ( !hasDBsign ) {
> location.replace("/DBsign/index.htm");
> }
>
>
> if (document.images)
> {
> accept_up = new Image();
> accept_up.src = "grphx/but_accept_up.gif";
> accept_down = new Image();
> accept_down.src = "grphx/but_accept_down.gif";
> }
>
> function img_act(imgName)
> {
> if (document.images)
> {
> imgDown = eval(imgName + "_down.src");
> document[imgName].src = imgDown;
> }
> }
>
> function img_inact(imgName)
> {
> if (document.images)
> {
> imgUp = eval(imgName + "_up.src");
> document[imgName].src = imgUp;
> }
> }
> //-->
> </script>
> </HEAD>
> <BODY>
> <CENTER> <p>
> <img src='grphx/gsa_printlogo.gif' width=300 height=103 border=0 alt='Welcome
> to the GovTrip System'>
> <p>
> <TABLE CELLPADDING="0" CELLSPACING="0" BORDER="0" WIDTH="569">
> <TR>
> <TD WIDTH="2" BGCOLOR="#40708D"><IMG
> SRC="grphx/blank.gif" WIDTH="2" HEIGHT="4" BORDER="0" ALT=""></TD>
> <TD WIDTH="565" VALIGN="TOP">
> <TABLE CELLPADDING="0" CELLSPACING="0"
> WIDTH="565" BORDER="0">
> <form action="login.jsp">
> <TR>
> <TD WIDTH="565" VALIGN="TOP"
> COLSPAN="3" BGCOLOR="#40708D"><IMG SRC="grphx/gsa_boxT_prv.gif" WIDTH=365
> HEIGHT=23 BORDER=0 ALT="Privacy and Ethics Policy"></TD>
> </TR>
>
> <TR>
> <TD WIDTH="565" VALIGN="TOP"
> COLSPAN="3"><IMG SRC="grphx/blank.gif" WIDTH="365" HEIGHT="11" BORDER="0"
> ALT=""></TD>
> </TR>
>
> <TR>
> <TD WIDTH="8" VALIGN="TOP"><IMG
> SRC="grphx/blank.gif" WIDTH="8" HEIGHT="1" BORDER="0" ALT=""></TD>
> <TD WIDTH="549" VALIGN="TOP"
> CLASS="text11black"><font color="#990000">Please read the following government
> Privacy & Ethics Policy concerning the GovTrip website, travel, and usage. By
> signing in to the GovTrip System, you agree to the terms and conditions of
> use.</FONT>
> <HR>
> <P><textarea name="privacyWarning"
> cols="65" rows="13" warp="physical" READONLY="yes">WARNING
> This is a U.S. Federal Government information system that is "FOR OFFICIAL USE
> ONLY". Unauthorized access is a violation of U.S. Law and may result in
> criminal or administrative penalties. Users shall not access other users' or
> system files without proper authority. Absence of access controls IS NOT
> authorization for access! Information systems and equipment related to the
> eTravel Service are intended for communication, transmission, processing, and
> storage of U.S. Government information. These systems and equipment are subject
> to monitoring by law enforcement and authorized officials. Monitoring may
> result in the acquisition, recording, and analysis of all data being
> communicated, transmitted, processed, or stored in this system by law
> enforcement and authorized officials. Use of this system constitutes consent to
> such monitoring.
>
> PRIVACY ACT NOTICE
> This system contains information protected under the provisions of the privacy
> act of 1974 (Public Law 93-579). Any privacy information displayed on the
> screen or printed must be protected from unauthorized disclosure. Employees who
> violate privacy safeguards may be subject to disciplinary actions, a fine of up
> to $5,000, or both.
>
> The information requested in GovTrip is collected pursuant to Executive Order
> 9397 and Chapter 57, Title 5 United States Code for the purpose of recording
> travel information provided by the user to create travel itineraries, reserve
> any method or mode of travel accommodations, and claim entitlements and
> allowances prescribed in applicable federal travel regulations. The purpose of
> the collection of this information is to establish a comprehensive travel
> services system which enables travel service providers under contract with the
> Federal government to authorize, issue, and account for travel and travel
> reimbursements provided to individuals on official Federal government business.
> Routine uses which may be made of the collected information and other financial
> account information in the system(s) of record entitled "Contracted Travel
> Services Program GSA/GOVT-4" are as follows:
> (1) transfers to a Federal, State, local or foreign agency responsible for
> investigating, prosecuting, enforcing, or carrying out a statute, rule,
> regulation, or order, where agencies become aware of a violation or potential
> violation of civil or criminal law or regulation;
> (2) pursuant to a request of another Federal agency or a court when the
> Federal government is party to judicial proceeding;
> (3) to a Member of Congress or a congressional staff member in response to an
> inquiry from that congressional office made at the request of the individual
> who is the subject of the record;
> (4) to a Federal agency employee, expert, consultant, or contractor in
> performing a Federal duty for purposes of authorizing, arranging, and/or
> claiming reimbursement for official travel, including, but not limited to,
> traveler profile information;
> (5) to a credit card company for billing purposes, including collection of past
> due amounts;
> (6) to a Federal agency, expert, consultant, or contractor for accumulating
> reporting data, conducting surveys, and monitoring the system in the
> performance of a Federal duty;
> (7) to a Federal agency by the contractor in the form of itemized statements or
> invoices, and reports of all transactions, including refunds and adjustments to
> enable audits of charges to the Federal government;
> (8) to a Federal agency, in response to its request, in connection with the
> hiring or retention of any employee to the extend that the information is
> relevant and necessary to the requesting agency's decision on the matter;
> (9) to an authorized appeal or grievance examiner, formal complaints examiner,
> equal employment opportunity investigator, arbitrator, or other duly authorized
> official engaged in investigation or settlement of a grievance, complaint, or
> appeal filed by an employee to whom the information pertains;
> (10) to the Office of Personnel Management (OPM) in accordance with the
> agency's responsibility for evaluation of Federal personnel management;
> (11) to officials of labor organizations recognized under 5 U.S.C. Chapter 71
> when relevant and necessary to their duties of exclusive representation
> concerning personnel policies, practices, and matters affecting working
> conditions;
> (12) to a travel services provider for billing and refund purposes;
> (13) to a carrier or an insurer for settlement of an employee claim for loss of
> or damage to personal property incident to service under 31 U.S.C. & 3721, or
> to a party involved in a tort claim against the Federal government resulting
> from an accident involving a traveler;
> (14) to a credit reporting agency or credit bureau, as allowed and authorized
> by law, for the purpose of adding to a credit history file when it has been
> determined that an individual's account with a creditor with input to the
> system is delinquent;
> (15) summary or statistical data from the system with no reference to an
> identifiable individual may be released publicly;
> (16) any other use specified by GSA in the system of records entitled
> "Contracted Travel Services Program GSA/GOVT-4" as published in the Federal
> Register periodically by GSA. Information requested is voluntary, however,
> failure to provide the information may nullify the ability to book online
> travel reservations.
>
>
>
> GovTrip Rules of Behavior
> All users will be provided a copy of the rules of behavior and will have to
> acknowledge them in accordance with local agency policy prior to being granted
> access to the system.
> A-1. Introduction
> The following rules of behavior shall be followed by all users of the GovTrip
> System with respect to its individual components. The GovTrip System will be a
> United States General Services Admin Federal Government computer system that is
> "FOR OFFICIAL USE ONLY." The system shall be subject to monitoring; therefore,
> no expectation of privacy shall be assumed. Individuals found performing
> unauthorized activities are subject to disciplinary action including criminal
> prosecution.
> The rules delineate responsibilities of and expectations for all individuals
> with user accounts to be established for the GovTrip System. Non-compliance
> with these rules may result in denial of access to the system and/or other
> actions that are commensurate with the non-compliant activity.
> A-2. Access
> GovTrip System users shall obey the following access rules:
> Only use data for which you have been granted authorization.
> Do not retrieve information for someone who does not have authority to access
> the information; only give information to personnel who have access authority
> and have a need to know for their GSA (or other Federal Agency) jobs.
> Do not access, research, or change any user account, file, directory, table, or
> record not required to perform your OFFICIAL duties.
> Do not store sensitive files on a PC hard drive if access to the PC or files
> cannot be physically or technically limited.
> A-2.1 Account Registration
> A-2.2 Logging On To The System
> All users shall have a unique User Identification/Account name and password.
> Access shall be granted based on authenticating the account name and password
> entered by the user. Multiple (e.g., 3) successive failed login attempts within
> a specified time period (e.g., one hour) may cause the account to lock, denying
> the user access to the system until the account is unlocked.
> A-2.3 Information Accessibility
> The GovTrip System shall restrict access to information based on the type and
> identity of the user. However, regardless of the type of user, access shall be
> restricted to the minimum level necessary to perform the job.
> Government Clients, Contractors/Vendors/Industry Partners, and Federal
> Employees shall access only those documents they created and those other
> documents to which they have a valid need-to-know and to which they have been
> granted access through the GovTrip application (e.g., based on their permission
> level, organization access, and/or group access). Federal employees may be
> afforded additional privileges based on the function they perform (contracting
> officer, customer service representative, funding manager, etc.).
> A-3. Government Clients, Contractors, Vendors, And Industry Partners
> A-3.1 Accountability
> GovTrip System users shall obey the following accountability rules:
> Behave in an ethical, technically proficient, informed, and trustworthy manner.
> Logout of the system whenever you leave the vicinity of your PC.
> A-3.2 Confidentiality
> Be aware of the sensitivity of electronic and hardcopy information, and protect
> it accordingly.
> Do not allow confidential information to remain on the PC screen when someone
> who is not authorized to that data is in the vicinity.
> Store hardcopy reports/storage media containing confidential information in a
> locked room or cabinet.
> Erase sensitive data on storage media, prior to reusing or disposing of the
> media.
> A-3.3 Integrity
> Protect your system against viruses and similar malicious programs.
> Observe all software license agreements. Do not violate Federal copyright laws.
> Do not install or use unauthorized software within the system libraries or
> folders. Do not use freeware, shareware or public domain software on/with the
> system without your manager's permission and without scanning it for viruses
> first.
> Follow industry standard procedures for maintaining and managing GovTrip
> hardware, operating system software, application software, and/or database
> software and database tables.
> A-3.4 Application Rules
> Passwords
> Government clients, contractors, vendors, and industry partners shall abide by
> the password generation and protection guidelines of the agency they are
> supporting. At a minimum, users should follow these best practices:
> Protect your password(s) from disclosure. You are responsible for any
> information system activity associated with your user ID and password.
> Do not share your password with others or reveal it to anyone. If there is an
> operational need to do so, immediately change the password after the need has
> passed.
> Do not post your password in your work area or hard code it into scripts.
> Do not use another person's user ID and password.
> Change your password if you think your password is known by an unauthorized
> individual and immediately notify your Information System Security Officer
> (ISSO).
> Use unique passwords for each system and application you access.
> NEVER give your password out over the phone.
> Be alert to others who may try to obtain your password. Sometimes hackers pose
> as a system administrator. A hacker may randomly call a user and say that
> something is wrong on the system to get arbitrary access to your system. They
> may tell you that they need your password in order to issue you a new one.
> Always remember that system administrators DO NOT need your password in order
> to issue you a new password.
> Do not write down your password(s). Memorize them using easy to remember
> phrases.
> Do not re-cycle passwords by changing them at the required interval and using a
> few of them over and over in turn, or making minor changes to passwords by
> adding a number to the base password (e.g., password is changed to password1,
> password1 is changed to password2).
> A-3.5 Backups
> Plan for contingencies such as physical disasters, loss of processing, and
> disclosure of information by preparing alternate work strategies and system
> recovery mechanisms.
> Make backups of systems and files on a regular, defined basis.
> If possible, store backups away from the system in a secure environment.
> A-3.6 Reporting
> Contact and inform your ISSO that you have identified an IT security incident
> and you will begin the reporting process by providing an IT Incident Reporting
> Form regarding this incident. If you cannot get in contact with the ISSO,
> contact the Information System Security Manager (ISSM).
> NEVER assume that someone else has already reported an incident. The risk of an
> incident going unreported far outweighs the possibility that an incident gets
> reported more than once.
> A-4. FEDERAL EMPLOYEES
> A-4.1 Accountability
> GovTrip System users shall obey the following accountability rules:
> Behave in an ethical, technically proficient, informed, and trustworthy manner.
> Be alert to threats and vulnerabilities in the security of the system. Report
> all security incidents IAW CIO IT Security Procedural Guide 01-02, Handling IT
> Security Incidents.
> Differentiate tasks and functions to ensure that no one person has sole access
> to or control over important resources.
> Logout of the system whenever you leave the vicinity of your PC.
> A-4.2 Confidentiality
> Be aware of the sensitivity of electronic and hardcopy information, and protect
> it accordingly.
> Do not allow confidential information to remain on the PC screen when someone
> who is not authorized to that data is in the vicinity.
> Store hardcopy reports/storage media containing confidential information in a
> locked room or cabinet.
> Erase sensitive data on storage media, prior to reusing or disposing of the
> media.
> A-4.3 Integrity
> Protect your system against viruses and similar malicious programs.
> Do not install or use unauthorized software within the system libraries or
> folders. Do not use freeware, shareware or public domain software on/with the
> system without your manager's permission and without scanning it for viruses
> first.
> Observe all software license agreements. Do not violate Federal copyright laws.
> Follow industry standard procedures for maintaining and managing GovTrip
> hardware, operating system software, application software, and/or database
> software and database tables.
> Do not use GovTrip for personal use.
> A-4.4 Application Rules
> Passwords
> GovTrip System users shall abide by the guidelines found in CIO IT Security
> Procedural Guide 01-01, Password Generation and Protection.
> Passwords shall:
> Be changed or expire in 90 days or less.
> Contain:
> At least 8 characters.
> A combination of alphabetic, numeric, and special characters.
> A nonnumeric in the first and last position.
> No more than three identical consecutive characters in any position from the
> previous password
> Not contain:
> Any dictionary word in any language.
> Any proper noun or the name of any person, pet, child, or fictional character.
> Any employee serial number, Social Security number, birth date, phone number,
> or any information that could be readily guessed about the creator of the
> password.
> Any simple pattern of letters or numbers, such as "qwerty", or "xyz123".
> Any word, noun, or name spelled backwards or appended with a single digit or
> with a two-digit "year" string, such as 98xyz123.
> Pass phrases, if used in addition to or instead of passwords, should follow the
> same guidelines.
> Protect your password(s) from disclosure. You are responsible for any
> information system activity associated with your user ID and password.
> Do not share your password with others or reveal it to anyone. If there is an
> operational need to do so, immediately change the password after the need has
> passed.
> Do not post your password in your work area or hard code it into scripts.
> Do not use another person's user ID and password.
> Change your password if you think your password is known by an unauthorized
> individual and immediately notify your Information System Security Officer
> (ISSO).
> Use unique passwords for each system and application you access.
> NEVER give your password out over the phone.
> Be alert to others who may try to obtain your password. Sometimes hackers pose
> as a system administrator. A hacker may randomly call a user and say that
> something is wrong on the system to get arbitrary access to your system. They
> may tell you that they need your password in order to issue you a new one.
> Always remember that system administrators DO NOT need your password in order
> to issue you a new password.
> Do not write down your password(s). Memorize them using easy to remember
> phrases.
> Do not re-cycle passwords by changing them at the required interval and using a
> few of them over and over in turn, or making minor changes to passwords by
> adding a number to the base password (e.g., password is changed to password1,
> password1 is changed to password2).
> A-4.5 Session Time Out
> GovTrip system users shall utilize a screen saver with password protection set
> to suspend operations at no greater than 15-minutes of inactivity. This will
> prevent inappropriate access and viewing of any material displayed on your
> screen after some period of inactivity. The GovTrip system will also implement
> system-based timeouts that will require the user to reauthenticate to the
> system after specified periods of inactivity.
> A-4.6 Backups
> Plan for contingencies such as physical disasters, loss of processing, and
> disclosure of information by preparing alternate work strategies and system
> recovery mechanisms.
> Make backups of systems and files on a regular, defined basis.
> If possible, store backups away from the system in a secure environment.
> A-4.7 Hardware
> Avoid placing system equipment near obvious environmental hazards (e.g., water
> pipes).
> Do not eat or drink near system equipment.
> Keep an inventory of all system equipment.
> Keep records of maintenance/repairs performed on system equipment.
> A-4.8 Awareness
> Participate in organization-wide security training as required.
> Read and adhere to security information pertaining to system hardware and
> software.
> A-4.9 Reporting
> Contact and inform your ISSO that you have identified an IT security incident
> and you will begin the reporting process by providing an IT Incident Reporting
> Form regarding this incident. If you cannot get in contact with the ISSO,
> contact the Information System Security Manager (ISSM). Contact the Office of
> the Senior Agency Information Security Officer, if you cannot get in contact
> with the ISSO or ISSM.
> Report security incidents IAW CIO IT Security Procedural Guide 01-02, Handling
> IT Security Incidents.
> NEVER assume that someone else has already reported an incident. The risk of an
> incident going unreported far outweighs the possibility that an incident gets
> reported more than once.
> Seek assistance and/or challenge unescorted strangers in areas where the system
> is being used.
> A-4.10 Privileged Users
> Protect the supervisor or system administrator password.
> Avoid instances where the same individual has responsibility for several
> functions (i.e., transaction entry and transaction approval).
> Watch for unscheduled, unusual, and unauthorized programs.
> Help train system users on the appropriate use and security of the system.
> Establish protective controls to ensure the accountability, integrity,
> confidentiality, and availability of the system.
> Replace passwords when a compromise is suspected. Delete user accounts as
> quickly as possible from the time that the user is no longer authorized system.
> Passwords forgotten by their owner should be replaced, not reissued.
> Terminate user accounts when a user transfers or has been terminated. If the
> user has authority to grant authorizations to others, review these other
> authorizations. Retrieve any devices used to gain access to the system or
> equipment. Cancel logon IDs and passwords, and delete or reassign related
> active and back up files.
> Use a suspend program to prevent an unauthorized user from logging on with the
> current user's ID if the system is left on and unattended.
> Verify the identity of the user when resetting passwords. This can be done
> either in person or having the user answer a question that can be compared to
> one in the administrator's database.
> A-4.11 Remote Access
> GovTrip System users requiring remote access have already gained access to a
> network either through their office or through an authorized GSA Remote Access
> Server (RAS). If a user has access to a RAS, they obtained that access through
> their local GSA LAN administrator. It is that local administrator's
> responsibility to obtain an acknowledgement of the Rules of Behavior associated
> with remote access. Refer to CIO-IT Security Procedural Guide 01-11, Remote
> Access for specific guidelines.
>
>
> I have read and agree to abide by the GovTrip System Rules of Behavior.
> </textarea>
> <HR>
> </TD>
> <TD WIDTH="8" VALIGN="TOP"><IMG
> SRC="grphx/blank.gif" WIDTH="8" HEIGHT="1" BORDER="0" ALT=""></TD>
> </TR>
>
> <TR>
> <TD WIDTH="565" VALIGN="TOP"
> COLSPAN="3"><IMG SRC="grphx/blank.gif" WIDTH="365" HEIGHT="8" BORDER="0"
> ALT=""></TD>
> </TR>
>
> <TR>
> <TD WIDTH="8" VALIGN="TOP"><IMG
> SRC="grphx/blank.gif" WIDTH="8" HEIGHT="1" BORDER="0" ALT=""></TD>
> <TD WIDTH="549" VALIGN="TOP"
> ALIGN="MIDDLE" CLASS="text11black">
> <TABLE CELLPADDING="0" CELLSPACING="0" WIDTH="150"
> BORDER="0">
>
>
> <TD WIDTH="75" VALIGN="MIDDLE" ALIGN="CENTER"><A
> HREF="/wl/site/j_security_check?j_uri=/wl/site/index.jsp"
> onClick="document.location.href='http://www.govtrip.com/govtrip/site/index.jsp'"
> TARGET="_blank" onMouseDown="img_act('accept');"
> onMouseOut="img_inact('accept');" onMouseUp="img_inact('accept');"><img
> name="accept" src="grphx/but_accept_up.gif" alt="Accept" width="69" height="27"
> border="0"></A></TD>
>
>
> <TD WIDTH="75" VALIGN="MIDDLE" ALIGN="CENTER"><INPUT
> TYPE="BUTTON"
> onClick="location.href='http://www.govtrip.com/govtrip/site/index.jsp'"
> VALUE="Decline" ID="loginButton"></TD>
> </TABLE>
> </TD>
> <TD WIDTH="8" VALIGN="TOP"><IMG
> SRC="grphx/blank.gif" WIDTH="8" HEIGHT="1" BORDER="0" ALT=""></TD>
> </TR>
>
> <TR>
> <TD WIDTH="565" VALIGN="TOP"
> COLSPAN="3"><IMG SRC="grphx/blank.gif" WIDTH="365" HEIGHT="11" BORDER="0"
> ALT=""></TD>
> </TR>
> </TABLE>
> </TD>
> <TD WIDTH="2" BGCOLOR="#40708D"><IMG
> SRC="grphx/blank.gif" WIDTH="2" HEIGHT="4" BORDER="0" ALT=""></TD>
> </TR>
>
> <TR>
> <TD WIDTH="569" COLSPAN="3" VALIGN="TOP"><IMG
> SRC="grphx/gsa_bar_lgSlate.gif" WIDTH=569 HEIGHT=7 BORDER=0 ALT=""></TD>
> </TR>
> </form>
> </TABLE>
>
> </CENTER>
> </BODY></HTML>
>
>
> This may be related to a failure to validate a valid certificate.
>
(In reply to comment #2)
> Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9.1a2pre)
> Gecko/2008072717 Minefield/3.1a2pre
>
> Works fine for me. The first time I load the "Log in" page, I get a security
> error page, which is expected since the site does not use a valid PKI cert.
> But if I add an exception for the cert, I get a page full of legalese, not a
> blank page.
>
> What happens if you load another page with a cert that has similar problems,
> such as https://www-stage.authstage.mozilla.com/?
>
First, it should be a valid CERT.
Second, after you get past it this one place, it keeps recurring once you log in. (Unfortunately, I can't readily provide you a login - I'll see if I can get one for the testing environment. I'll need a means of communicating it to you privately - we don't want to publish logins to any of our environments.)
Comment 4•17 years ago
(In reply to comment #2)
> Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9.1a2pre)
> Gecko/2008072717 Minefield/3.1a2pre
>
> Works fine for me. The first time I load the "Log in" page, I get a security
> error page, which is expected since the site does not use a valid PKI cert.
> But if I add an exception for the cert, I get a page full of legalese, not a
> blank page.
>
> What happens if you load another page with a cert that has similar problems,
> such as https://www-stage.authstage.mozilla.com/?
>
I also work for GovTrip, and there should be nothing wrong with our certificate. Our boss informed me that over $1,000 was paid to acquire it. Internet Explorer 6 and 7 both validate the certificate without issue. Why won't Firefox? Please examine the certificate in IE6/7 (if you are able) to see what I am talking about. The certificate is provided by Digital Signature Trust and is verified by the "DST ACES Device CA X6" root certificate, which Firefox shows to have in Tools -> Options... -> Encryption -> View Certificates -> Authorities but will still not verify our certificate properly.
Comment 5•17 years ago
Your cert may be valid, but the way you're serving it is incorrect. You need to include the intermediate certs so that Firefox can verify it without making any requests to third parties. IE does those, but Firefox doesn't, for privacy reasons.
Comment 6•17 years ago
(In reply to comment #5)
> Your cert may be valid, but the way you're serving it is incorrect. You need
> to include the intermediate certs so that Firefox can verify it without making
> any requests to third parties. IE does those, but Firefox doesn't, for privacy
> reasons.
>
Jesse, thanks for information. Does this mean that we have to pay for another cert? I hope your answer is no, because that may preclude us from fixing this problem.
Comment 7•17 years ago
I don't know exactly what you need to do in order to make your web server serve intermediate certs properly, but I don't think it requires buying a new cert.
Some bugs related to incomplete cert chains:
bug 399045, bug 402846, bug 399324, bug 399019
Comment 8•17 years ago
No need to buy a new cert.
Go to your CA's support and read docs on installing certs on your server.
Usually it involves editing a text file that contains your paid server cert, and adding some more text to the file, which represents the CA's intermediate cert(s).
I wish all CAs would send this information in big red letters to all their customers, because so many people get it wrong.
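What comments 5 and 8 describe, as an added example that is not part of the original bug comments: a throwaway root, intermediate and server certificate show that a client which does not fetch missing intermediates can verify the served file only once the intermediate is appended to it. All subjects, file names and function names are constructed, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example; every name, subject and path below is constructed.

# Build a throwaway root -> intermediate -> server chain in directory $1.
make_demo_pki() {
    d=$1
    cat > "$d/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Self-signed root: the only certificate the client trusts.
    openssl req -x509 -config "$d/demo.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate CA, signed by the root.
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/inter.key" -out "$d/inter.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -days 2 \
        -extfile "$d/demo.cnf" -extensions v3_ca \
        -out "$d/inter.pem" 2>/dev/null || return 1
    # Server certificate, signed by the intermediate (not by the root).
    openssl req -new -config "$d/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" \
        -CAkey "$d/inter.key" -CAcreateserial -days 2 \
        -out "$d/server.pem" 2>/dev/null || return 1
}

# Number of certificates in a PEM file.
certs_in_file() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# $1 = trusted root, $2 = PEM file exactly as the server would send it
# (server certificate first). Only certificates inside $2 may be used as
# intermediates, which models a client that does not download missing ones.
served_chain_verifies() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

if command -v openssl >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_demo_pki "$work"

    # Misconfigured server: the file holds the server certificate only.
    cp "$work/server.pem" "$work/leaf_only.pem"
    # Corrected server: intermediate appended after the server certificate.
    cat "$work/server.pem" "$work/inter.pem" > "$work/fullchain.pem"

    for f in leaf_only fullchain; do
        n=$(certs_in_file "$work/$f.pem")
        if served_chain_verifies "$work/root.pem" "$work/$f.pem"; then
            echo "$f.pem ($n certificate(s)): chain verifies"
        else
            echo "$f.pem ($n certificate(s)): incomplete chain"
        fi
    done
    rm -rf "$work"
fi
```

The same `served_chain_verifies` check can be pointed at a real deployment's certificate file and its CA's root before the file goes onto the server.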
Comment 9•16 years ago
The GovTrip site seems to be updated.
1st there's no "Login" button anymore (or at least I'm unable to find it).
2nd there's a .doc file referring to "GovTrip Minimum Browser Settings" (http://www.govtrip.com/govtrip/site/redir.jsp?docID=1272) where Firefox is mentioned as well as Safari and IE.
To me this bug looks FIXED.
Updated•16 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME