Closed Bug 57074 Opened 25 years ago Closed 22 years ago

citibank direct access thinks mozilla and ns6pr3 are not 128-bit security capable

Categories

(Tech Evangelism Graveyard :: English US, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ash, Unassigned)

Details

(Whiteboard: [BANK] [JAVASCRIPT] [DENY])

Attachments

(1 file)

I think some evangelism might be in order here. I'm using the latest psm for mozilla which is available from the iplanet site. The check encryption button on the url above does nothing, and the javascript generates a string that says moz is an unsupported browser. I think this is bad sniffing, pure and simple. The same problem occurs using m18 for linux, ns6pr3 for win, or any other version of moz I've ever tried (and that is quite a few). I think there are actually some hangs on pages guarded by this check. There used to be before they implemented this check, which was only maybe 2 months ago. It would be good to get past the sniffing problem so we could get working on the hangs that occur later. The url above is the main entry point (only entry point?) for citibank's rather extensive online account management pages, so it's pretty important to any citibank customers (of which I'm pretty sure there are a few).
Do we still do evangelism? Surely this is important enough to get some response from an evangelist. Remember, this is a fairly big site.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Well with 2000102404 M18 (having previously installed PR3) I'm getting past the encryption check OK, but there's some broken browser sniffing going on:

    function Is ()
    {
        var agt=navigator.userAgent.toLowerCase()
        this.major = parseInt(navigator.appVersion)
        this.minor = parseFloat(navigator.appVersion)
        this.nav = ((agt.indexOf('mozilla')!=-1) && ((agt.indexOf('spoofer')==-1) && (agt.indexOf('compatible') == -1)))
        this.nav2 = (this.nav && (this.major == 2))
        this.nav3 = (this.nav && (this.major == 3))
        this.nav4 = (this.nav && (this.major == 4))
        this.nav4up = this.nav && (this.major >= 4)
        this.navonly = (this.nav && (agt.indexOf(";nav") != -1))
        this.ie = (agt.indexOf("msie") != -1)
        this.ie3 = (this.ie && ((this.major == 2) || (this.major == 3)) )
        this.ie4 = (this.ie && (this.major == 4))
        this.ie5 = (this.ie && ( (this.major == 4) || (this.major == 5) ) && (agt.indexOf("msie 5") != -1) )
        this.ie5up = this.ie && (this.major >= 5)
        this.opera = (agt.indexOf("opera") != -1)
    }
    var is = new Is()
    var type = "unsupported browser";
    var compat = " is not ";
    if (is.nav2) {
        var type = "Netscape<SUP>&reg;</SUP> Navigator"
        var compat = " is not "
    }
    if (is.nav3) {
        var type = "Netscape<SUP>&reg;</SUP> Navigator"
        var compat = " is "
    }
    if (is.nav4) {
        var type = "Netscape<SUP>&reg;</SUP> Communicator"
        var compat = " is "
    }
    if (is.ie3) {
        var type = "Internet Explorer<SUP>&reg;</SUP>"
        var compat = " is "
        is.minor = 3
    }
    if (is.ie4) {
        var type = "Internet Explorer<SUP>&reg;</SUP>"
        var compat = " is "
    }
    if (is.ie5) {
        var type = "Internet Explorer<SUP>&reg;</SUP>"
        var compat = " is "
        is.minor = 5
    }

As you can see, they correctly define isNav4up then unfortunately fail to actually use it :-| Should be an easy fix. For additional information, please call a PC Banking Customer Service Representative at 1-800-374-9700, 24 hours a day, 7 days a week. Text Telephone (TTY/TDD) Services are available at 1-800-788-0002. Zach, can you take this one?
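The failure described in the comment above, reproduced as an added example that is not part of the original thread or of Citibank's site code: the quoted checks are run against three user agents, first as shipped and then with the `nav4up` flag consulted. The function names `sniff`, `compatAsShipped` and `compatWithNav4up` are hypothetical, and the UA and appVersion strings are constructed samples.

```javascript
// Port of the sniffing logic quoted in the comment above. The UA fields are
// passed in as arguments so it runs outside a browser.
function sniff(userAgent, appVersion) {
  const agt = userAgent.toLowerCase();
  const major = parseInt(appVersion, 10);
  const nav = agt.indexOf('mozilla') !== -1 &&
              agt.indexOf('spoofer') === -1 &&
              agt.indexOf('compatible') === -1;
  const ie = agt.indexOf('msie') !== -1;
  return {
    major,
    nav2: nav && major === 2,
    nav3: nav && major === 3,
    nav4: nav && major === 4,
    nav4up: nav && major >= 4,
    ie3: ie && (major === 2 || major === 3),
    ie4: ie && major === 4,
    ie5: ie && (major === 4 || major === 5) && agt.indexOf('msie 5') !== -1,
  };
}

// The decision as the quoted script makes it: only exact-version flags are
// consulted, so anything reporting major version 5 keeps the default verdict.
function compatAsShipped(is) {
  let compat = false; // default: "unsupported browser" / " is not "
  if (is.nav3 || is.nav4 || is.ie3 || is.ie4 || is.ie5) compat = true;
  return compat;
}

// The same decision with the already-computed nav4up flag consulted as well,
// which is the change the comment calls an easy fix.
function compatWithNav4up(is) {
  return compatAsShipped(is) || is.nav4up;
}

// Constructed sample values, not captured from real browsers.
const SAMPLES = [
  { name: 'Netscape 4.7', ua: 'Mozilla/4.7 [en] (WinNT; U)',
    appVersion: '4.7 [en] (WinNT; U)' },
  { name: 'IE 5.0', ua: 'Mozilla/4.0 (compatible; MSIE 5.0; Windows 98)',
    appVersion: '4.0 (compatible; MSIE 5.0; Windows 98)' },
  { name: 'Mozilla M18',
    ua: 'Mozilla/5.0 (X11; U; Linux i686; en-US; m18) Gecko/20001024',
    appVersion: '5.0 (X11; en-US)' },
];

// Classify every sample under both decision functions.
function evaluate() {
  return SAMPLES.map((s) => {
    const is = sniff(s.ua, s.appVersion);
    return { name: s.name, major: is.major,
             asShipped: compatAsShipped(is), withNav4up: compatWithNav4up(is) };
  });
}

console.table(evaluate());
```

Both variants only parse a client-supplied string; neither measures the encryption strength the session actually negotiates.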
-> evangelism@telocity.com for my evangelism bugs. removing the now-deprecated evangelism-related keywords. setting platform to All.
Assignee: blakeross → evangelism
Hardware: PC → All
This really needs some evangelism still. We're still running into the "not 128-bit secure" check with for instance the 2001042608 build. Also, their customer service folks strongly imply that ns 6 is not capable of 128 bit encryption if asked about this problem. Now I'm off to find phil peterson's (?) post about screwing around with user agent strings, which used to be a work-around for this problem. If someone would like to update the url to the new signin location, here's the link: http://home.da-us.citibank.com/da/signin/index.htm I'm not sufficiently empowered to do so.
Here's a link to the post describing the workaround. http://www.geocrawler.com/archives/3/141/2000/11/0/4635269/
Reassigning evangelism bugs to bclary@netscape.com.
Assignee: evangelism → bclary
They are still blocking us with the 128bit encryption message. Marking whiteboard and upping the priority to P1
Priority: P3 → P1
Whiteboard: [BANK][USERAGENT][DENY]
I don't get a warning about 128-bit crypto with the latest builds. I can get in just fine, but I now have two problems. First, I get an Alert when I try to login. I'll post that as an attachment. Second, when I try to view my account information, nothing happens. Predictably, it works fine with IE. I have not looked at the HTML to see what's up. It might be a simple coding error. Still, the net result is that I can't use Mozilla to bank at Citibank.
Attached image launch in a new window alert —
called their 800 number and spoke with "Rich" who said the systems people are working with Netscape to resolve the issue. Does anyone know of any work being done on this area? Rich said he would pass my email address onto the systems people who will hopefully contact me about this. marking assigned to show contact was made and setting milestone to 0.9.3 for followup.
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla0.9.3
Keywords: nsenterprise+
Target Milestone: mozilla0.9.3 → mozilla0.9.4
Updates from bugscape bug 8053: ------ Additional Comments From matt fisher 2001-07-30 16:15 ------- They say we are an unsupported browser. They say we must support secure transactions (128 bit) and JS. They have a test page http://home.da-us.citibank.com/da/whatdo/main.htm which has buttons for testing these functions and although we pass the tests, they still don't let us in.
hmm, looks like we need to deal with them and tell them that we pass and to allow us in. Is this moz only, or ns too? Zach
I can get in now. I entered from http://www.citibank.com/ 1. Select a Country: United States 2. Select a Product or Service: Citibank Online 3. I then Entered my account number and PIN **HOWEVER, once inside, things don't work and I get JS errors on the JS console. This still needs evangelism.
This is much much worse now. I would rather that they DENY us than do this :) Though, for us, it's nice since we can see what's wrong. Lord@nscp: can you paste your javascript errors? Zach
Whiteboard: [BANK][USERAGENT][DENY] → [BANK] [JAVASCRIPT]
See http://bugzilla.mozilla.org/show_bug.cgi?id=85557 for a description of the javascript error I'm seeing. The top.frames[3] error is what I'm seeing. So maybe this bug can now be closed, since the one referenced above deals with the current behavior and citibank no longer thinks we're not 128 bit secure.
Using 20010725 branch build, when I go to the following URL: http://home.da-us.citibank.com/da/signin/index.htm and click on the "Sign-In" icon in the left column, the server responded with the following:
--------------------------------
I'm sorry, but the browser you are currently using is not supported by Direct Access. To use Direct Access, you need a browser that supports strong encryption (128-bit) -- one of the highest forms of security available over the Internet.
----------------------------------
I have checked and confirmed that the N6.1 browser supports 128-bit strong encryption and that JavaScript is enabled. Alternatively, I can reproduce the same situation by doing the following:
1. As a new user (a CitiBank customer who has not signed on to the Online service yet), go to the web site: http://www.citibank.com. It will then redirect to: http://www.citibank.com/domain/index2.htm
2. Select "United States" in the list.
3. Select "Direct Access" in the drop down list. (Note that it will work if you choose "Citibank Online")
4. Click on the "Sign-in" icon in the left column
Same result as I described above.
so this is now only about direct access (not citibank online), right? Does someone want to update the summary?
-> Arun, our man of Finance!
Assignee: bclary → aruner
Status: ASSIGNED → NEW
All Evangelism Bugs are now in the Product Tech Evangelism. See bug 86997 for details.
Component: Evangelism → US English
Product: Browser → Tech Evangelism
Target Milestone: mozilla0.9.4 → ---
Version: other → unspecified
Arun, what's up with this, are you still working on it?
Status: NEW → ASSIGNED
Summary: citibank thinks mozilla and ns6pr3 are not 128-bit security capable → citibank direct access thinks mozilla and ns6pr3 are not 128-bit security capable
*** Bug 97738 has been marked as a duplicate of this bug. ***
Keywords: topembed
Whiteboard: [BANK] [JAVASCRIPT] → [BANK] [JAVASCRIPT] [DENY]
marking nsenterprise-.
removing topembed (belongs to evangelism)
Keywords: topembed
What is the latest with this bug? Citibank is one of the most popular banks in the world, not the most popular...
mass-reassign of all bank bugs to the banks component. You may filter for this change by searching for the string 'ilovetriagebecauseitisfun'
Status: ASSIGNED → NEW
Component: US General → US Banks
QA Contact: zach → bclary
Hi I'm a Citibank customer/mozilla user. Can I help by hassling my bank about this? dave
Keywords: evang500
lol.. their "unsupported browser" site lets you check the requirements manually - and Mozilla has no problems with them (!)
Is there a 101 guide anywhere for performing mozilla evangelism? I'd like to complain to my bank manager that I can't access my account online with mozilla. My main question is: Should I complain that the site doesn't work with Mozilla or Netscape? dave
Sent this message via Citibank's customer service form (Part of Direct Access) Hi Your Direct Access website does not currently support Mozilla (and presumably the new Netscape 7) web browsers. Mozilla and Netscape 7 are both secure and standards compliant web browsers, demonstrably more secure than Microsoft's Internet Explorer. These are often the main browsers used by customers running non-Windows based PCs or security conscious users. Mozilla passes both the security and JavaScript tests at the beginning of the log-in session but then is denied access to the site. It seems as if it is a minor problem with the way your site detects browser types. Please see this web link where Mozilla engineers are tracking the problem: http://bugzilla.mozilla.org/show_bug.cgi?id=57074 Please let me know how you intend to address this issue so I may continue to access my account online thx dave
I got this reply from citibank, I am working on a suitable response:
Thank you for your message regarding using Citibank Online and Mozilla. While Mozilla may be your browser of choice, it is currently not supported by Citibank Online, have no information is available as to if and when this browser will be supported. Currently Citibank Online can support the following browsers for PC users which do utilize 128 bit encryption:
Internet Explorer 5.0
Internet Explorer 5.01
Internet Explorer 5.5
Internet Explorer 6.0
Netscape Navigator 4.06
Netscape Navigator 4.08
Netscape Communicator 4.5
Netscape Communicator 4.61
Netscape Communicator 4.70 - 4.79
If you have further questions, please send another message or call us at 1-800-374-9700 and we will be happy to assist you.
Here is my response. It would probably help if other people wrote in with similar comments. Re: Support for Mozilla and Web standards I believe this is both an important issue and easily fixable. It is important, as by having a web standards compliant web site, your site will function on a wide range of platforms without browser specific code - Making your site more maintainable and lower costs (which in turn lowers your charges to me) Secondly, it appears the only issue stopping Mozilla and others from functioning is that your web site uses a faulty browser detection script. Users who have bypassed the faulty script report that your site works well with Mozilla. Lastly, the Mozilla rendering engine is now being used in AOL's Mac client and Netscape version 7. By denying the Mozilla rendering engine you are also blocking users of these products. Feel free to pass my name and contact details (dave@isoga.net) to your Webmaster if they wish for more details thx Dave
My latest response from citibank. At least it looks like the message got to their engineers: Dear Mr. Goodwin, Thank you for your message regarding Citibank Online. We certainly appreciate that you have taken the time to provide us with your suggestions and comments. Your feedback is a very valuable tool as we continue to improve Citibank Online. We will forward your comments and suggestions to our design engineers so we can continue to enhance Citibank Online according to our customers' needs.
Great news! Citibank have updated their site (Merging Direct Access and MyCiti?) Mozilla runs great! I've just logged into my account and made a payment with no probs. Anyone else tried? Good job to the evangelists and of course the Citibank Web team dave
dave: uhm, I still see this "your browser doesn't work" message..?
Ok. If this site works for you please say so and report your UA string. If this site does not work for you, please say so and report your UA string.
I get a deny message on ns7.01
here are some (negative) feedback reported in Mozillazine : "I called Citibank last night about this. They said in no uncertain terms that they had zero plans to support netscape beyond 4.7 or any other Gecko browser. I don't know what their problem is, actually, but it's starting to wear on me." ... "I wrote to Citibank about IE security hole. And the feedback from Citibank : ----------------------------------------- Thank you for your message regarding on-line security. The "hole" reported in the article you have provided is discussing how a server can take control of your browser. In know way are our serves set up to do this kind of manipulation. In regards to Netscape 7, yes this site is considered one of the top secured browsers and supports 128 bit encryption. As does Internet Explorer. Yet the major difference of Netscape 7, is it presents "many" security issues with our on-line service. For example, if you click on the sign-off button, the browser may not sign you off. There are several other issues regarding Netscape 6.x to 7 which concerns us in regards to our client's security on-line. Until Netscape resolves these issues, and yes we have contacted them, we will not support these browsers. ----------------------------------------- Citibank wants Netscape to fix their problems." In short, according to I wrote to Citibank about IE security hole. And the feedback from Citibank : ----------------------------------------- Thank you for your message regarding on-line security. The "hole" reported in the article you have provided is discussing how a server can take control of your browser. In know way are our serves set up to do this kind of manipulation. In regards to Netscape 7, yes this site is considered one of the top secured browsers and supports 128 bit encryption. As does Internet Explorer. Yet the major difference of Netscape 7, is it presents "many" security issues with our on-line service. 
For example, if you click on the sign-off button, the browser may not sign you off. There are several other issues regarding Netscape 6.x to 7 which concerns us in regards to our client's security on-line. Until Netscape resolves these issues, and yes we have contacted them, we will not support these browsers. ----------------------------------------- Citibank wants Netscape to fix their problems.
Pascal and others interested in Citibank issues, Here is my assessment of what is going on. Please comment further if you have anything to add. The link that goes with this bug -- http://home.da-us.citibank.com/da/signin/index.htm -- definitely issues a warning message that goes against Mozilla and any Netscape browser based on Mozilla, including Mozilla 1.2, 1.3 alpha, and Netscape 7.01. I've discussed this with Citibank. BUT, you can access your bank account and/or your credit card perfectly using a Gecko browser if you go to http://www.citibank.com/ and click on Sign In (you can use Mozilla 1.2 or N7.01, for example). This means that the URL mentioned above in 1. is not arrived at if you use any other access path to checking your account(s). I talked to Citibank about http://home.da-us.citibank.com/da/signin/index.htm which my contact described as an "older page" and he said they would replace it soon. Clearly, this hasn't happened. Can anyone tell me the path they take to arrive at this page? The standard path, namely linking to services via http://www.citibank.com/ doesn't appear to cause this page to appear according to my tests. This bug gets updated by two types of observations: 1. Those accessing http://home.da-us.citibank.com/da/signin/index.htm , which STILL blocks N7.01 and Mozilla. 2. Those accessing online services at Citibank via general URLs, who make observations about the experience. Citibank's top issue currently appears to be that once you sign in, you have a hard time signing out. But otherwise, aside from a legacy page (or two!), we aren't blocked from banking and services with Citibank.
OK, here's more confirmation of my previous comment: the URL mentioned with this bug is an old and outdated URL that used to link to Citibank Direct Access, but now serves no purpose except to irritate Mozilla users :-) Here's mail snippet from Citibank contact: "Arun, the url that is rejecting is the old DA signin screen that is not used any longer." I will work with Citibank to try and see if this URL can't be made into a redirect URL to point to a legitimate access point for Citibank Direct Access. Note that other more legitimate Citibank issues exist, such as bug 85557 . This bug may well have served its term, and I'll either close it or change the subject to become a bug about making Citibank turn the URL in question (http://home.da-us.citibank.com/da/signin/index.htm) into a redirect to a more appropriate access route.
I've just tried it and this is the dumbest thing I ever saw
"This bug may well have served its term, and I'll either close it or change the subject to become a bug about making Citibank turn the URL in question (http://home.da-us.citibank.com/da/signin/index.htm) into a redirect to a more appropriate access route." Hello Arun K. Ranganathan, did you have any reply from them? DA signin is alive :]
SPAM: New components
Assignee: aruner → english-us
Component: US Banks → English US
QA Contact: bc → english-us
I think this should be closed as Citibank now allows Mozilla access. I don't think we care if Citibank have old URLs hanging around. That's there issue.
sounds good to me
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
I meant to say _their_ issue, of course
I have never had any problems with Mozilla on Citibank's web site, but will this fix the not being able to drag-and-drop account numbers with Citibank's Virtual Account Number application? I have been using (and quite happy with) their stand-alone version of the application on my Win2k box. I have been thinking of filing a bug about this since it doesn't work with Mozilla. I have to type the numbers in and risk botching it up or if I'm really lazy just use IE which works fine. I'm not sure what plugin Citibank uses for the Virtual Account Number application. Thanks for fixing this bug though...
*** Bug 183850 has been marked as a duplicate of this bug. ***
Product: Tech Evangelism → Tech Evangelism Graveyard