Last Comment Bug 89853 - capitalone.com - error message about compatibility with Netscape 6 / Mozilla
: capitalone.com - error message about compatibility with Netscape 6 / Mozilla
Status: RESOLVED FIXED
[insult]
: ecommerce
Product: Tech Evangelism Graveyard
Classification: Graveyard
Component: English US (show other bugs)
: unspecified
: All All
: P1 major
: ---
Assigned To: Bob Clary [:bc:]
: Doron Rosenberg (IBM)
:
Mentors:
http://www.capitalone.com
: 134419 141452 144107 154350 157634 160560 161667 162562 163777 168087 170123 171726 174368 177284 (view as bug list)
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2001-07-08 09:50 PDT by Phil Usatine
Modified: 2015-04-19 23:39 PDT (History)
26 users (show)
See Also:
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
Attachment for comment #27 (9.74 KB, text/plain)
2002-07-15 22:48 PDT, David Gasaway
no flags Details
Capital One's advanced browser detection :-) (4.61 KB, text/plain)
2002-10-12 00:38 PDT, John Vance
no flags Details

Description Phil Usatine 2001-07-08 09:50:33 PDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.2) Gecko/20010628
BuildID:    2001062815

Hit Login button on Capital One main page. Following message is returned:

Browser Alert


Netscape 6.0 Users: We are currently experiencing problems with the latest
release of Netscape 6.0. We are working with Netscape to fix these problems so
you can take full advantage of our site with that browser. You can be sure that
we will support Netscape 6.0 as soon as all the fixes become available.

Other Browser Users: To further protect the privacy of your account, Capital One
requires that your browser support 128-bit encryption. By upgrading your
browser, you will also be able to fully enjoy all of the services our Web site
has to offer. We currently suggest using Netscape Navigator/Communicator
versions 4.08 through 4.7, as well as Microsoft Internet Explorer 5.0 and
higher. For Apple users, we suggest version 4.5 or higher of Internet Explorer.
For additional information, or for links to download the latest browser
versions, please visit the Security and Privacy section of our Frequently Asked
Questions page. Thank you for helping us make your online experience with
Capital One as safe and pleasant as possible.



Reproducible: Always
Steps to Reproduce:
1.Navigate to URL www.capitalone.com
2. Press login button near top-right of page.
3.

Actual Results:  see description

Expected Results:  allow me to login
Comment 1 Matthias Versen [:Matti] 2001-07-08 11:51:58 PDT
-> Evangelism and marking NEW
Comment 2 Bob Clary [:bc:] 2001-07-10 07:23:13 PDT
contacted 7/10/01 webinfo@capitalone.com
Comment 3 Bob Clary [:bc:] 2001-08-10 18:42:24 PDT
All Evangelism Bugs are now in the Product Tech Evangelism. See bug 86997 for
details.
Comment 4 Bob Clary [:bc:] 2001-08-15 06:24:33 PDT
-> Arun
Comment 5 Jeremy M. Dolan 2001-09-02 16:49:08 PDT
Contacted webinfo@capitalone.com, reply follows:


Hello,

Thank you for your inquiry to Capital One Online.

Currently the only Internet browsing programs that Capital One officially
supports are:

1) Microsoft Internet Explorer 4.72 to 6.0.
2) Netscape Communicator 4.5 to 4.78.

You may be able to adapt the Mozilla browser to be able to access our site
by disabling the 168-bit encryption that that browser supports. Use only
40-bit and 128-bit encryption levels.

This solution has worked for some users of Mozilla.  If you have additional
questions you may contact us by telephone at 1(800)951-6951.  We will be
glad to assist you further.

Regards,

Jeremy N.
OAS/TECH SUPPORT
http://www.capitalone.com

I disabled 3DES, but still got the non-compliant message. Time to switch credit
card companies, perhaps.
Comment 6 Blu3 2002-01-22 11:53:03 PST
I used to be able to bypass the stupidity of crapitalone by bookmarking a
re-login page.  Unfortunately they "fixed" this a little while ago.  The new
message is as follows:

++++++++++
Browser Alert

You cannot access Online Account Services with your current Web browser.

Possible reasons for this could be one of the following:

    * You are using Netscape 4.0 through 4.07 or Netscape 6.0, which we cannot
support for online account transactions due to security reasons.
    * You are using a browser that is incompatible with our Online Account
Services system. We recommend you use Netscape versions 4.08 through 4.7 or
Internet Explorer versions 5.0 or higher.
    * Your browser does not support 128-bit encryption.

We regret any inconvenience this may cause but, with these policies, we strive
to keep your account information as secure as possible.
++++++++++
Comment 7 David Gasaway 2002-01-31 20:27:10 PST
Can anyone identify the "security reasons"?  All of my attempts to exhort this
information from CapitolOne have failed.
Comment 8 Susie Wyshak 2002-03-05 14:00:24 PST
I think the error was served due to their #2 reason (not compatible). 
Arun has been in touch with them and they have implied they are eager to be
mozilla compatible...tbd how soon though.
Comment 9 David Gasaway 2002-03-07 21:30:32 PST
They *have* implied they are eager. Past-tense. :)

Seriously, the message that previously appeared gave me the impression that they
were persuing a resolution.  The message which appears now (quoted in comment
#6) reads very steadfast and uncompromising.  For that matter, uninformed and
stubborn as well.  Imagine, equating NS 4.0x and NS 6.x!
Comment 10 Paul Harrison 2002-03-15 12:39:53 PST
For what it's worth, the last time I looked at the code they're using to do
this, it was something along the lines of "Check if navigator.appVersion starts
with anything but '4' and if so, puke".

Part of me would like us to be able to define the entire contents of the
navigator object on a user level, to the best of my knowledge only userAgent is
overridable. However, as I know browser wars are somewhat pointless, I'll be
notifying them as soon as the Mozilla 1.0 release candidate is out - they fix
their website before 1.0, or they lose me as a customer. I'm not having Netscape
4.x hanging around just so I can pay my credit card bill.

And I'm deadly serious about it too - I get new credit card offers through the
mail every day, why should I bother to keep this one?
Comment 11 Vadim Berezniker 2002-03-30 10:28:58 PST
*** Bug 134419 has been marked as a duplicate of this bug. ***
Comment 12 Paul Harrison 2002-04-22 09:05:40 PDT
I sent them an email on Friday suggesting that was 1.0RC1 was out, they may want
to unblock Mozilla from being allowed in. Anyone else considering emailing them
may want to consider:

* I sent versions to webmaster@capitalone.com and webinfo@capitalone.com, and
the reply came from the former.
* I made the point that the choice they were currently offering was between an
obsolete browser and one with an extremely poor record for security. I also made
the point that there was an implied insult against customers who choose
perfectly capable alternatives.

The response was positive if non-committal:

---quote
We appreciate your feedback regarding the possibility of updating our
website to versions other than '4' for Mozilla users, and have forwarded
your concern to the appropriate department.

When our system is compatible with Mozilla, we will post notification on
our website.
---end quote

For what it's worth, this is what I wrote:

---quote
Hi,

Now that Mozilla 1.0RC1 is out, is there any chance you could update your
website so that users of browsers that report a version other than '4' are
not redirected to https://service.capitalone.com/non_compliant.html if they
try to access the account management services?

Aside from being unnecessary, this forces users to use web browsers which are
obsolete or have well known security holes and poor track records in that
regard. It also, to a user of a perfectly capable browser, feels like a slap in
the face, as if you're saying "Sorry, but you may be our customer, but we think
your technology decisions are outrageous."

I certainly don't want to keep an ancient version of Netscape installed just to
manage my finances, and, given the number of credit card offers that pop through
my mailbox every week, I obviously do have other alternatives. However, I'd
prefer to avoid changing credit card companies if possible, and given the minor
nature of the change to your site, I do hope you'll consider the requirements of
me, and other Mozilla/etc using Capital One users.

Thanks,
---end quote

With the release candidate out, now is probably a good time to step up the requests.
Comment 13 R.K.Aa. 2002-05-01 06:15:33 PDT
*** Bug 141452 has been marked as a duplicate of this bug. ***
Comment 14 Blu3 2002-05-04 09:56:06 PDT
Yet another quote from CrapitalOne's spiffy team of clued experts:

<quote>
Dear David Ford,

Thank you for contacting Capital One.

We are sorry that you have experienced difficulty accessing your online 
account using the Mozilla browser. Access to your online account using the 
Mozilla browser (versions 5.0 and above) is possible once you change the 
browser settings to identify Opera as Internet Explorer 5.0. 

To change your browser settings:

-Open the Opera browser.
-Click "File" at the top of the browser window.
-Click "Preferences."
-In the Preferences menu, click "Connections."
-A section labeled "Browser Identification" displays near the top of the 
window.
-Click the arrow and select "Identify as MSIE 5.0." from the drop-down box.
-Click "OK."

If you have any additional questions, please contact us at 1-800-951-6951. 
Our representatives are available 24 hours every day.

We look forward to assisting you.

Sincerely,

C. Oliver
eCorrespondence
Capital One Services
</quote>
Comment 15 Marcus Campbell 2002-05-13 06:00:35 PDT
*** Bug 144107 has been marked as a duplicate of this bug. ***
Comment 16 corey 2002-05-15 18:00:29 PDT
I just sent the following email to capital one.  And it's all true.

From corey@balance.wiw.org Wed May 15 20:50:17 2002
Date: Wed, 15 May 2002 20:50:17 -0400
From: corey <corey@balance.wiw.org>
To: webinfo@capitalone.com, webmaster@capitalone.com

To whom it may concern:

I have had a CapitalOne account for several years now.  Generally, I have 
been quite satisfied with the service, and admittedly, CapitalOne has been 
very helpful over the timeframe through which I've been a customer.

Unfortunately, I can't help but decide that it is time to get a new credit
card elsewhere.

The reason is simple, and hinges on CapitalOne's steadfast refusal to
allow customers who use later netscape and/or mozilla clients to access
their accounts.  I do not use Windows, and thus MSIE is not an option --
not that this should matter in the first place. I have virtually no
reason to keep Netscape 4.7 on my computer;  In fact, your site is the
only one for which I still have to use this antiquated piece
of software.

I don't want to hear a response that says this is done for "security
purposes".  I don't want to hear a response that say "we're working on
it".  I've heard these excuses for well over a year, and I simply don't  
have the patience for it anymore.

I _know_ the mozilla codebase is more than adequate;  Not only am I a
competent web designer, I am a software engineer, and have worked with the
codebase, at great length.  I am quite familiar with its abilities.

However, for whatever reason, be it CapitalOne's corporate policy, or the
incompetency of CapitalOne's web development team, your company has been
steadfast in its refusal to adhere to open web standards and refusal to 
allow perfectly legitimate web browsers access data on your servers.

Thus:  After I pay off my most recent balance (or after I transfer it,
should time permit), I will be closing my account with CapitalOne, and
will resume my VISA service with another bank.

Thank you very much for your time, and for the service you have provided.

Sincerely,
Corey Welton.
Comment 17 Blu3 2002-05-26 06:46:00 PDT
Added to the mozilla financial shames page,
http://blue-labs.org/financial-shames.php
Comment 18 Scott Fiddelke 2002-06-11 07:22:40 PDT
Received this from captialone after asking them why no moz/ns7 support.:



Subj:  Re: Mozilla 1.0/Netscape 7
Date:  Tue, 11 Jun 2002 08:52:29 -0400
From:  Capital One-Webmaster <webmaster@capitalone.com>
----------------------------------------------------------------
Dear Scott,

Thank you for contacting Capital One.

We regret any inconvenience associated with our web site not supporting 
Netscape 6.0 or greater and Mozilla 1.0.  We are currently unable to 
provide a timeframe when our web site will be accessible through these 
browsers.  You can access your account using Netscape Version 4.76 or 
Internet Explorer 5.5 or greater.

If we can be of assistance to you, please reply to this message or contact 
our Online Account Service Department at 1-800-951-6951.  Our associates 
are available to assist you 24 hours every day. 

Sincerely,

M. Fulton
eCorrespondence
Capital One Services

Visit us online at http://www.capitalone.com, where you can access valuable
products and services.
Comment 19 Andrew 2002-06-14 21:04:02 PDT
Thank you for contacting Capital One regarding your inability to access 
your online account with your Mozilla browser.

We regret any inconvenience you may have experienced because our web site 
does not support Mozilla browsers. These browsers are not currently 
supported by our Online Account Service because of their inability to 
consistently encrypt and decode information that is displayed on the 
secured pages of our website. 

We hope to be able to offer access to users of the Mozilla browser soon. 
However, we are currently unable to provide a timeframe when access will be
possible. In the meantime, though, you can access your account using 
Netscape Version 4.76 or Internet Explorer 5.5 or greater.

If we can be of assistance to you, please reply to this message or contact 
our Online Account Service Department at 1-800-951-6951. Our associates are
available 24 hours every day. 

We look forward to assisting you.


Sincerely,

A. Wright
eCorrespondence
Capital One Services
Comment 20 Andrew 2002-06-14 21:05:04 PDT
Thank you for contacting Capital One regarding your inability to access 
your online account with your Mozilla browser.

We regret any inconvenience you may have experienced because our web site 
does not support Mozilla browsers. These browsers are not currently 
supported by our Online Account Service because of their inability to 
consistently encrypt and decode information that is displayed on the 
secured pages of our website. 

We hope to be able to offer access to users of the Mozilla browser soon. 
However, we are currently unable to provide a timeframe when access will be
possible. In the meantime, though, you can access your account using 
Netscape Version 4.76 or Internet Explorer 5.5 or greater.

If we can be of assistance to you, please reply to this message or contact 
our Online Account Service Department at 1-800-951-6951. Our associates are
available 24 hours every day. 

We look forward to assisting you.


Sincerely,

A. Wright
eCorrespondence
Capital One Services
Comment 21 Jim Berwick 2002-07-06 13:24:41 PDT
I just got this today:
Thank you for contacting Capital One.

We regret any inconvenience associated with our web site not supporting 
Mozilla and Netscape 6.0 or greater.  We are currently unable to provide a 
timeframe when our web site will be accessible through Mozilla and Netscape
6.0.  You can access your account using Netscape Version 4.76 or Internet 
Explorer 5.5 or greater.

If you should have further concerns, please contact our Online Account 
Service Department at 1-800-951-6951.  Our representatives are available 
Monday through Friday from 8:00 AM to 9:00 PM, Eastern Time.

We appreciate your feedback regarding the non-support of Mozilla and 
Netscape and have forwarded your comments to the appropriate department.  
Our goal is to provide all of our customers with the highest level of 
service, and we sincerely regret that your experience accessing your 
account did not represent that goal.

Sincerely,

C. Oliver
eCorrespondence
Capital One Services

Visit us online at http://www.capitalone.com, where you can access valuable
products and services.


They suggest I use IE when I stated in my email to them that I'm using Linux and my choices are a slow, unstable Netscape 4.x or Mozilla/Netscape 7.  I even spelled out for them that there was no way of me running IE5/6 on my machine, as I don't use MS Windows on it.  So has anyone actually been told what their alleged security issues are?
Comment 22 Bob Clary [:bc:] 2002-07-08 04:40:01 PDT
*** Bug 154350 has been marked as a duplicate of this bug. ***
Comment 23 Bob Clary [:bc:] 2002-07-08 04:40:52 PDT
mine
Comment 24 SineSwiper 2002-07-08 08:22:19 PDT
They will be really be sorry when AOL 8 comes out.  Mozilla in that version, and
that's about 30% of their customers.
Comment 25 David Hallowell 2002-07-09 05:31:59 PDT
I've just sent the following email:
To: webmaster@capitalone.com
Subject: Mozilla / Netscape 7

As someone who has worked for companies producing the online banking site for a
major UK bank I can state that I've never come across any bugs in the SSL
implementation in Mozilla and derivatives (e.g. NS6/7). This browser supports
everything you require for secure transactions and refusing this browser access
is just needlessly restricting the number of people who can view your site
without any problems.

There's a number of reasons people may not want to use Internet Explorer:
- They can't (they're using an operating system that doesn't support it (e.g
Linux) or it has been removed from their system http://98lite.net/)
- IE has a lot of annoying 'features', like the ease of another site to change
the users homepage, or a bit of software can add buttons to the IE toolbar (like
Real Player)
- IE has a number of major security holes that have needed patching and probably
contains more of them 

It's all about accessibility and there's no need to turn away users just for the
sake of it even if they're in the minority, you wouldn't deliberately block
access to a wheelchair user in one of your physical branches just because
they're in the minority, this amounts to the same thing.
Comment 26 Bob Clary [:bc:] 2002-07-15 17:24:57 PDT
*** Bug 157634 has been marked as a duplicate of this bug. ***
Comment 27 David Gasaway 2002-07-15 22:46:56 PDT
Lately, I went after CapitalOne very vigorously on this issue.  This specific
exchange started in mid-June and lasted several weeks.  My final reply was
somewhat  heated, but I'll let others see it, for completeness.  The
conversation was rather long; I'll attach a transcript shortly...
Comment 28 David Gasaway 2002-07-15 22:48:08 PDT
Created attachment 91468 [details]
Attachment for comment #27
Comment 29 Alfonso Martinez 2002-08-01 13:23:10 PDT
*** Bug 160560 has been marked as a duplicate of this bug. ***
Comment 30 Bob Clary [:bc:] 2002-08-08 08:20:41 PDT
*** Bug 161667 has been marked as a duplicate of this bug. ***
Comment 31 Gilles Durys 2002-08-13 16:22:56 PDT
*** Bug 162562 has been marked as a duplicate of this bug. ***
Comment 32 dwp 2002-08-17 15:02:30 PDT
I just spoke to a Capital One tech representative on the phone. He told me that
their "tech team" had found a bug in Netscape 6 and had tried "numerous times"
to contact Netscape about it, but that they hadn't had any luck "getting them to
reprogram their browser". He said that he himself didn't know what the bug was,
because this team doesn't share the bugs they find with customers and other
users. He was a paragon of security through obscurity.

He also referred me to Washington Mutual as an example of another website that
will block Mozilla/Netscape 6. Washington Mutual works just fine.

Basically, I haven't gotten anything honest out of Capital One yet, and I'm
getting ready to give up, but I thought I'd add my own experience into the mix.
Comment 33 Marcus Campbell 2002-08-17 16:02:48 PDT
Sounds like a WONTFIX to me.
Comment 34 Bob Clary [:bc:] 2002-08-17 16:10:25 PDT
don't wontfix my bugs.
Comment 35 Marcus Campbell 2002-08-17 16:36:10 PDT
So is it getting fixed then?
Comment 36 Bob Clary [:bc:] 2002-08-17 16:53:07 PDT
we will see but we are in contact with them and i forwarded the last response
from their tech support to my contact.
Comment 37 Kevin Chen 2002-08-20 19:00:28 PDT
*** Bug 163777 has been marked as a duplicate of this bug. ***
Comment 38 Matthias Versen [:Matti] 2002-09-11 19:29:21 PDT
*** Bug 168087 has been marked as a duplicate of this bug. ***
Comment 39 Jim Berwick 2002-09-19 22:41:28 PDT
Any word on this?  Not to be pushy, but I'm just curious as I'm in the process of emailing them *again* because I'm sick of having to open IE just for ONE website.  
Comment 40 Jeremy M. Dolan 2002-09-20 00:23:33 PDT
Jim: I found it much easier to obtain another credit card and cancel Capital One
than deal with using a windows machine for IE. Unfortunately I doubt my reason
for canceling was passed beyond the confused customer service lady.
Comment 41 Jim Berwick 2002-09-21 12:41:51 PDT
After much of an argument with their support person, I suggested again that if they feel there is a security hole, please contact people on Mozilla's security teams (and I listed names, email addresses, etc).  I finally ended up with this:
Thank you for contacting Capital One.

We appreciate your feedback regarding your inability to use Mozilla and 
Netscape 6.0 or greater to access your online account. I have forwarded 
your concern and suggestion to the appropriate department.  Our goal is to 
provide all of our customers with the highest level of service, and we 
sincerely regret that your experience did not represent that goal.

Sincerely,

J. Halligan
eCorrespondence
Capital One Services


What I feel this means is:
We don't care that you contacted us.  We hate you, we just want your money.

We know you can't use Mozilla or Netscape 6.0+ to access our site and we don't care.  MS gives us kickbacks for it or something.  I have filed this email conversation in the trash where no one else will ever read it, because we don't have an IT department that could look into this.  Our goal is to make money off of you, and we regret that our idiocy may cause you to leave for another company, where we could not make money off you anymore.


That's my loose interpretation
Comment 42 Daniel 2002-09-21 13:31:35 PDT
I just emailed and was told to call about this issue. I was transferred to some
other department that told me that Netscape 7.0 is now compatible with the
website.. The person I talked with was not very tech savvy, but gave me the
number to contact the "Tech department" directly and asked to call during
weekday business hours: 800-483-4857

So now the question is why Netscape 7 is compatible and not Mozilla..
Comment 43 Daniel 2002-09-21 13:43:43 PDT
Just tested with Netscape 7 with no luck. I guess she really didn't know what
she was talking about..
Comment 44 Jim Berwick 2002-09-21 21:04:54 PDT
I have tested:
Mozilla, Netscape 6, Netscape 7 are all blocked still.  Apparently the person you talked too didn't know much.
Comment 45 Boris Zbarsky [:bz] (still a bit busy) 2002-09-21 21:26:15 PDT
*** Bug 170123 has been marked as a duplicate of this bug. ***
Comment 46 Matthias Versen [:Matti] 2002-09-30 10:45:59 PDT
*** Bug 171726 has been marked as a duplicate of this bug. ***
Comment 47 John Vance 2002-10-12 00:38:15 PDT
Created attachment 102659 [details]
Capital One's advanced browser detection :-)

Here's the guilty JavaScript
Comment 48 John Vance 2002-10-12 00:41:07 PDT
There is no workaround in Mozilla due to bug 166395.  That is, overriding the
user agent string does not change the navigator object.  So the check
 
parseInt(navigator.appVersion) 

will return 5 no matter what Mozilla's user agent (general.useragent.override)
is set to.

I suggest people who are committed to Linux use Konqueror 3.0 in the interim -
you can set it to spoof IE 5.5 for just the capitalone.com domain, and it gets
in just fine, since it changes both its user agent string and its navigator object.

FYI, I have attached Crapital One's **** browser sniffer code.  Betcha
anything the "security issue" with Netscape 6 is that its navigator.appVersion
string doesn't start with 4. The contractor who wrote it is long gone, and
nobody in-house knows how to change it.

Comment 49 Debbie Kraft 2002-10-13 03:18:27 PDT
Until the option to change the settings for navigator.appName and
navigator.appVersion along with the user agent,
http://bugzilla.mozilla.org/show_bug.cgi?id=166395, Mozilla is never getting
into the CapitalOne website.  Why?  Because the party or parties that run their
web design department 1) don't care, 2) won't get rid of their stupid Javascript
browser sniffer (why do they need this anyway?  What difference is it which
browser a customer uses as long as it has 128-bit encryption and SSL?) because
of (1), and 3) the first two points are obvious from the latest message I
received from their "web info" department.

I have sent, to date, five e-mail replies to their "web info" department.  All
messages save for the fifth have been replied to with canned replies by
different individuals.  The last message to date was the following:

Thank you for contacting Capital One.

We have carefully reviewed all of your messages regarding the Gecko-Engine 
browsers. Although we understand your concern with the incompatibility 
between our web site and your browser, we are simply not able to support 
your browser. 

Again, thank you for contacting Capital One. 

Sincerely,

J. Halligan
eCorrespondence
Capital One Services

The above is obviously kaka in its purest form.  The only thing keeping Mozilla
from the secure login web page is CapitalOne's Javascript browser sniffer.  Get
past that, and I'm certain there won't be any problems--they *can't* have set
their site up any differently than the other dozens of secure sites that work
just fine with Mozilla.  But this is going to be Mozilla's look-out:  CapitalOne
has no intention, as evidenced by the above reply and the countless requests for
change they've received and ignored over the past year plus regarding this
issue.  The ability to alter appName and appVersion through the prefs is going
to be the key to resolving this tech evangelism issue.  I hope this can be made
possible.

BTW--CapitalOne tops the list of financial sites "locking out" Gecko-based
browsers at http://blue-labs.org/financial-shames.php.  Further proof that there
would be no problem with Gecko-based browsers is the fact that Konqueror (which
spoofs the appName and appVersion along with the UA) works fine when spoofed to
IE.  And that's the icing on the kaka cake.  Bloody #$%@^#$!!

Sorry for a bit of a vent.  Here's hoping for Konqueror-type spoofing soon in
Mozilla!
Comment 50 Paul Harrison 2002-10-13 09:37:13 PDT
C1's bloodymindedness on this issue makes me wonder if "we" ought to be more in
return? If it's necessary to create an appVersion spoofer specifically to get
around a deliberate and entirely unnecessary incompatability, perhaps the
solution is to enhance it further for these kinds of issues:-

I'm thinking in terms of there being a database Mozilla can use for poorly
performing websites. If a user has a problem getting into a site, they can click
an clearly visible button, and the browser will download the appropriate
settings for that site if the site has been registered. But the feature would
have one twist - the feature also opens a frame at the bottom with banner ads
for competing services.

Not that I'm normally a fan of banner ads, but I wonder if Capital One, finding
that Mozilla users are no longer keeping IE and NS4 around simply to access
their pages, and thus that substantial numbers of Capital One online customers
using their website, are being presented with ads for First National Bank, etc,
might suddenly do an about-turn?

I can't see a downside to this proposal. Users can have access to their
accounts. The proposal is actually self funding. The website is encouraged not
to block users of non-monopoly browsers. And users are also presented with
information about more reasonable, clueful, rival companies...

Hehe.
Comment 51 Henri Sivonen (:hsivonen) (Not reading bugmail or doing reviews until 2016-10-03) 2002-10-14 10:07:37 PDT
*** Bug 174368 has been marked as a duplicate of this bug. ***
Comment 52 Frank Wein [:mcsmurf] 2002-10-14 10:16:59 PDT
*** Bug 174368 has been marked as a duplicate of this bug. ***
Comment 53 John Vance 2002-10-14 22:04:31 PDT
Paul,

You want bloody-minded?  Here's bloody-minded.  Capital One's public statements
regarding Netscape 6 and 7 are libelous, plain and simple.   The only
appropriate reply is a cease and desist letter from AOL/Time Warner/Netscape's
crack legal team.

If Netscape is truly serious about recapturing a portion of the browser
"market," then it's high time it acted serious.
Comment 54 Debbie Kraft 2002-10-22 14:37:33 PDT
Well, something new appears to be going on with the CapitalOne login site, and
this is within a week of my e-mail to their web info services dept. on how
Konqueror can spoof the navigator.appVersion identifier.  Something that makes
me go hmmmmm, but I'm not overly excited about it--yet.

Using Moz 1.1, the behavior before was, when one clicked on the login button at
the CapitalOne home page, one was redirected to the static non-compliant browser
page by the Javascript browser sniffer.  This sequence is below, with the cookie
section edition out as noted:

<html>
<head>
<title></title>

<script language="JavaScript">

<!-- //autoexecuting scripts//
/////////// NOW LET'S RE-DIRECT!!! /////////////////////////////////////////

var homeURL = "/home"
var loginURL = "/oas_secure/oas/login.do?objectclicked=LoginSplash"
var registerURL =
"/oas_secure/oas/registration.do?objectclicked=RegistrationSplash"

var arg = window.location.search;

//It checks the app version.
this.major=parseInt(navigator.appVersion);
if (this.major == 4) 
{
         //#### we have the right version of Netscape and IE

         
    //////////// DO THE COOKIE THING////////////////////////////////////////////
                ++Edited Section++
}
else
{
                location.href="/ias_static/non_compliant.html";
}
//-->
</script>

Prior to 10/21, the above was the beginning of the page located at
https://service.capitalone.com/cgi/Home?Login.  However, the coding has now
changed.  Please compare the above with the <a href="Source of:
https://service.capitalone.com/cgi/Home?Login">changed code</a>, noting the
comment marks.

The result of the above page as of 10/22 in Mozilla 1.1 is a blank, white page,
that loads within 0.11 seconds.  As before, both Netscape Communicator 4.7x and
IE have no difficulty displaying the page, which is the main accounts login page
(blanks for login name and password).

Obviously this page *is* being currently modified/altered, but I'm curious as to
what part of the code is resulting in a blank, white page in Moz 1.1.  Anyone
using Moz 1.2b might try this URL as well to see if the result is the same, just
to cover all the bases.  If the designers currently working on the login site
have made an error, I'd like to specifically point it out to them as well as
continuing to bang the drum for Mozilla.

Please reply to Bugzilla so the info is available to the Moz developers.
Comment 55 Debbie Kraft 2002-10-22 14:42:40 PDT
Ack!  Apologies:  my link to the source code for the login page didn't come
through as I thought it would.  Just load the page and then view the source
code.  Apologies again.
Comment 56 tupshin 2002-10-22 15:09:35 PDT
Well the immediate reason that we're getting a blank page is that their
programmers are morons. More specifically, they def:
    var noncompliantURL = "/ias_static/oas/non_compliant.html";
and then try to use:
   location.href = nonCompliantURL;

Note the case sensitivity issues.  I'm not sure how many browsers actually allow
case insensitive variables, but it's obviously (according to JS/Ecma spec) a bug
in their page, and not in Mozilla.
Comment 57 Nate Goldshlag 2002-10-23 04:06:45 PDT
Well, could somebody please get in touch with these "morons" so that I can use
Mozilla to access their web site?  At least they are trying to do something,
let's give them a little break and a little help to fix their problems
Comment 58 Bob Clary [:bc:] 2002-10-23 06:31:53 PDT
we have been in contact with them. hopefully they will change their site soon.
Comment 59 Paul Harrison 2002-10-23 09:12:05 PDT
Whether they're morons or not, it doesn't look like this is an example of them
"trying to fix something" so that Mozilla users can access the site. The
JavaScript is still checking the appVersion against the number 4, a deliberate
hack to prevent Mozilla based browsers from accessing the site.

As an experiment, I tried typing in "javascript: top.cookiecheck()" in the URL
bar (effectively doing what their code would have done if Mozilla had reported
itself as version four), and the code redirected to a page which then redirected
to the standard non-compliant page. I don't have any easy way of grabbing
whatever that intermediate page was, but it looks like they're implementing more
browser checks at a later stage that also prevent Mozilla access.

I think they're taking the ****, not trying to make their page accessable. I'm
actually wondering if this is a different type of response to the "Konqueror
works!" comment Debbie Kraft mentioned - perhaps they're looking for a way to
block that, too...?

Either way, the continuation of this problem leaves me in little doubt that C1
continues to have contempt for its own customers. And I'm completely baffled as
to why this would be.
Comment 60 John Vance 2002-10-26 15:54:06 PDT
People,  Please don't try to clue the morons in.  If you do, next thing you know their browser sniffer code will look something like this:  if (!document.all && !document.layers){    location.href = noncompliantURL; }  and Konqueror will be sunk. 
Comment 61 John S. Musarra 2002-10-26 16:45:06 PDT
A touch of irony - From Netcraft's "What's the SSL site running?" service:
<quote>
HTTPS Server

    Netscape-Enterprise/3.6 SP3

    Supported SSL ciphers:

        * RC4 with MD5
        * RC4 with MD5 (export version restricted to 40-bit key)
        * RC2 with MD5
        * RC2 with MD5 (export version restricted to 40-bit key)
        * DES with MD5
        * Triple DES with MD5 
</quote>
Comment 62 Paul Harrison 2002-10-28 06:34:40 PST
Further to my note, I found why Mozilla is being rejected if you manually bypass
the "broken" page. Subsequent pages include a JavaScript file called
https://service.capitalone.com/ias_static/oas/scripts/browsercheck.js. This
consists of the following code:

  ns4 = (document.layers) ? true:false;
  ie4 = (document.all) ? true:false;
  minor_browser_version = parseFloat(navigator.appVersion);
  agent = navigator.userAgent.toLowerCase();
  is_netscape_navigator = ((agent.indexOf('mozilla')!=-1) &&
(agent.indexOf('spoofer')==-1)
                          && (agent.indexOf('compatible') == -1) &&
(agent.indexOf('opera')==-1)
                          && (agent.indexOf('webtv')==-1) &&
(agent.indexOf('hotjava')==-1));
  cutoff_netscape_below =	4.08;							
								
	// cutoff Netscape 4.X below 4.08, and double test with layers and user-agent
to make sure IE is not cut off															
  if ((ns4) && (is_netscape_navigator != -1) && (minor_browser_version <
cutoff_netscape_below)) location.href="/ias_static/oas/non_compliant.html";			
	
	// cutoff browsers which are neither IE 4/5/6.X nor Netscape 4.X 							
  if (ns4 || ie4) { } 
  else
  {
	    location.href="/ias_static/oas/non_compliant.html";	
  }

Mozilla fails on the if(ns4 || ie4) bit, ie both document.layers and
document.all return "false" values as far as "?" is concerned.

...which is exactly what jvance@swcp.com said would sink Konqueror, which adds
more fuel to the "Capital One is doing this to deliberately and maliciously" fire.

Oh boy.
Comment 63 John Vance 2002-10-28 14:11:07 PST
Yes, it is malicious and intentional.  I've used Konqueror several times for 
bill payment etc with no problems.  They're not checking for document.all or 
document.layers because of browser-specific functionality.  They're doing it 
through sheer bloody-mindedness.

I'm through with this.  I'm transferring my balance on one card tomorrow, and 
refinancing my home equity loan this week.  By the way, last I checked, Fleet's 
website (mycard.fleet.com) worked just fine with Mozilla.  I'll confirm that 
tonight.
Comment 64 John Vance 2002-10-28 14:55:42 PST
Here's a letter I just fired off to Capital One.

Dear Sir or Madam,

I have attempted several times to discuss with you why Mozilla and Netscape 6+ 
are blocked from accessing your site.  All of your answers have been 
nonresponsive.  You have stated that you intended to support these browsers at 
some unspecified time in the future.  Now, after reviewing your latest site 
changes, specifically 

https://service.capitalone.com/ias_static/oas/scripts/browsercheck.js

I see that your statements have been bald-faced lies.  You have no intention of 
supporting these browsers, and in fact you are now actively blocking all of my 
options under Linux, including Opera and Konqueror.

I do not do business with liars.  I do not trust my money in the hands of liars.

I have transferred the entire balance of my account to another card.  I also 
have a $XXXXX home equity loan through Capital One that I will now be 
refinancing elsewhere.  As soon as I have zeroed out these accounts, I shall be 
closing them permanently.

Please provide me with contact information for your CIO so that I may explain 
to him the reasons why I am no longer a customer.  If you do not, I will find 
that information myself, and I will be sure to mention to him your department's 
refusal to comply with this last request.

And please, don't insult my intelligence with one of your canned responses.


Regards,

XXXXXXXXX
Customer since 1997
Comment 65 corey 2002-10-28 16:42:50 PST
For what it's worth, I posted a strongly worded review of Capital One's service,
at Epinions....

http://www.epinions.com/content_78150143620
Comment 66 Michael Lefevre 2002-10-29 08:22:37 PST
*** Bug 177284 has been marked as a duplicate of this bug. ***
Comment 67 Nate Goldshlag 2002-11-07 11:21:21 PST
After getting vague emails from them saying they cannot give me a timeframe for
when this will be fixed, I spoke with their customer service yesterday and they
claimed it is being worked on.  I will believe it when it is fixed but there it is.
Comment 68 Debbie Kraft 2002-11-14 17:13:31 PST
As of 11/14/02, 4:50 PST, I am able to access the CapitalOne <a
href="https://service.capitalone.com/oas/login.do?objectclicked=LoginSplash">online
login webpage</a> using Mozilla 1.1.  It appears the collective evangelizing
done to convince CapitalOne of its foolishness in blocking--at least--Mozilla
has been successful.  Since I'm not using Netscape 7 specifically at this time,
I can't speak to that browser, but I expect the result should be the same.  I'm
hoping that Opera users will benefit as well, and all Linux browser users.

Many thanks to all who beat the drum for Mozilla against CapitalOne's
stubbornness.  I'm mulling over a thank you to CapitalOne's web info e-mail
address, but given their extreme reticence over this issue, and the overall
idiotic customer support responses I received, I'm rather disinclined to extend
any gratitude, even grudgingly.  This was something that a) should have been
changed over a year ago; and b) should not have required such extensive
campaigning to achieve a positive response.

I'll mull it over some more.  Maybe my point of view will soften somewhat over
the coming weekend...  At any rate, it is *very* good to see that the business
behind this site has taken off their browser blinders and re-coded their site. 
Given that CapitalOne was such a *major* holdout in this area, I'm hoping other
problem sites will follow suit.

I'm leaving the bug marked as "reopened" until it's felt that it can be
officially closed/completed.

Yea, Mozilla (weak cheer after so much arguing with ignorant personnel).
Comment 69 Aaron Kaluszka 2002-11-14 17:20:04 PST
Works with Phoenix, too.  Marking fixed.  Please reopen if they break it again.
Comment 70 John Vance 2002-11-15 14:21:37 PST
It looks intentional, and it lets Mozilla in, but it's still broken code.

The entire contents of browsercheck.js is:

// deprecated 10.17.2002 (3.6)

The browser sniffing code that is now in use checks for document.layers and 
document.all.  If document.all is not found, it also checks that the browser 
claims it's "Mozilla" but not "compatible", "opera", "webtv" or "hotjava"

Then it does this:

If you don't have layers, AND you're really a Mozilla, AND you're before 
version 4.08, get lost.

So, all javascript-enabled browsers EXCEPT Netscape 4.07 and earlier are 
allowed past.  Actually, since layers were introduced with version 4.0 (I 
believe) this code does not even cut off Nav 4.0 - 4.07.  Anyone care to test 
this with IE 3, NS 4.0, etc?

Here's the guilty code: 

 // #### cut off Netscape 4.X below 4.08, and double test with layers and user-
agent to make sure IE is not cut off						
									
ns4 = (document.layers) ? true:false;
ie4 = (document.all) ? true:false;
minor_browser_version = parseFloat(navigator.appVersion);
agent = navigator.userAgent.toLowerCase();
is_netscape_navigator = ((agent.indexOf('mozilla')!=-1) && (agent.indexOf
('spoofer')==-1)
                        && (agent.indexOf('compatible') == -1) && (agent.indexOf
('opera')==-1)
                        && (agent.indexOf('webtv')==-1) && (agent.indexOf
('hotjava')==-1));
cutoff_netscape_below =	4.08;
if (!ie4) {
	if ((!ns4) && (is_netscape_navigator != -1) && (minor_browser_version < 
cutoff_netscape_below)) location.href = nonCompliantURL;
}

My concern is, if these people can't even write a proper if statement, can they 
be trusted not to screw it up again?
Comment 71 Lythande 2002-11-16 00:34:15 PST
Due to the image-confirmation issues, I'm still using build ID: 2002043010, and
now not only can I not get to the online access, I can't even get to the front
page!  When it doesn't tell me it can't find the root (/) directory/file, it
shows me a blank page and goes no further.  Bah!
Comment 72 Nick Bebout 2003-06-12 20:13:45 PDT
Moving to new component

Note You need to log in before you can comment on or make changes to this bug.