Hayton
Reliable Contributor
Message 1 of 17

Unable to log in as a SiteAdvisor reviewer - AGAIN.

The curse of McAfee's user-hostile interfaces strikes again, this time on the SiteAdvisor user-review comments page (AGAIN).

Entering a correct reviewer name and a correct password fails to register with the website: you just get presented with the name/password boxes again.

The Chrome javascript console shows the following message which may be relevant:

[blocked] The page at 'https://user.siteadvisor.com/forums/login.php' was loaded over HTTPS, but ran insecure content from 'http://www.siteadvisor.com/cs.psp?bbsessionhash=e3194b23e6c3235abc2a7a1611c…1416432388&bbid=394824&b...': this content should also be loaded over HTTPS.

There is also a failed call to get mbox.js when (re-)loading the webpage.
Chrome console mbox-js.PNG

This is ridiculous. It's been going for ever and has been reported over and over again. I don't care if there's only one person left in the department to do all the program changes, this one is easy enough to fix and should have been done months ago.

Not in a good mood anyway, and this doesn't help.

Message was edited by: Hayton on 28/11/13 21:44:17 GMT
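
The console message quoted in the post above is the browser's mixed-content check: an HTTPS page asked for a script over plain HTTP. The sketch below is an added example, not part of the original post or of any McAfee code, and shows how a site owner could audit a page for the same condition before a browser does; the page URL, hosts and HTML are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Active content can script or restyle the page, so browsers block it when it
# arrives over HTTP; passive content is usually only warned about.
ACTIVE = {("script", "src"), ("iframe", "src"), ("link", "href"),
          ("object", "data"), ("embed", "src")}
PASSIVE = {("img", "src"), ("audio", "src"), ("video", "src")}

class MixedContentScanner(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url) in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        for kinds, label in ((ACTIVE, "active"), (PASSIVE, "passive")):
            for t, a in kinds:
                if t != tag or not attrs.get(a):
                    continue
                # Only stylesheet links count as active content.
                if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
                    continue
                # Resolve relative and protocol-relative URLs against the page.
                url = urljoin(self.page_url, attrs[a])
                if urlsplit(url).scheme == "http":
                    self.findings.append((label, tag, url))

def scan(page_url, html):
    """List subresources an HTTPS page would fetch over plain HTTP."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only exists on an HTTPS page
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample: a login page with one insecure script and one insecure image.
PAGE_URL = "https://login.example.test/forums/login.php"
SAMPLE_HTML = """
<script src="http://static.example.test/session.js"></script>
<script src="/js/mbox.js"></script>
<script src="//cdn.example.test/lib.js"></script>
<img src="http://img.example.test/logo.png">
<link rel="stylesheet" href="https://login.example.test/site.css">
"""

if __name__ == "__main__":
    for kind, tag, url in scan(PAGE_URL, SAMPLE_HTML):
        print(f"{kind:8} <{tag}> {url}")
```
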
16 Replies
exbrit
MVP
Message 2 of 17

Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.

I agree about not helping to be in a bad mood...I'm not in any mood for nonsense and the reviewer page caused me to attempt log in about 10 or 12 times before it took.

All I can suggest is try another browser perhaps?

spc3rd
Former Member
Message 3 of 17

Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.

I've experienced the same issue on my end many times.  It typically takes multiple log-in attempts before I may be able to get on.  Perhaps the SA staff no longer values the input/site reviews from what volunteer reviewers are still left?

Message was edited by: spc3rd on 11/28/13 7:19:17 PM EST
Hayton
Reliable Contributor
Message 4 of 17

Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.

The login doesn't work in Firefox either. The reason is that the page is HTTPS but is taking active content from a source which is using HTTP.

Now, you could say that reverting to HTTP should cure the problem. And so it might. But that's like advising someone not to bother with password protection if they have trouble remembering their password. HTTPS should be the default level of connection security, and any site which supposedly offers that protection should not be allowing mixed content on the page. What we have here is even worse than that - the login setup is needlessly convoluted, with the apparent login page feeding content through to a separate (secure) login page over an insecure connection. Arcane, or what?

FF SA Console errors.PNG

Edit :

[23:56:25.003] user.siteadvisor.com : server does not support RFC 5746, see CVE-2009-3555

Oh yes, and we STILL have the situation where the SiteAdvisor server doesn't support RFC 5746. If the patches haven't been applied this leaves the whole session open to a MITM attack. It's a theoretical weakness right up to the moment when suddenly it's not.

This weakness was discovered in 2009 and it must be two years since I first drew it to McAfee's attention via a conference call. It looks as if nothing has been done yet. That is glacial progress.

The CVE-2009-3555 error message in the Tools > Error Console should not prevent you from accessing that website. This may change in the future, but currently it is only to make the administrators of a server aware that they need to fix that security vulnerability in their server and install a patch.

https://ietf.org/doc/rfc5746/

http://blogs.technet.com/b/srd/archive/2010/08/10/ms10-049-an-inside-look-at-cve-2009-3555-the-tls-r...

https://wiki.mozilla.org/Security:Renegotiation

Background

In 2009, a flaw was discovered in the SSL/TLS protocol which is widely used in Internet applications, for example when accessing web content via an address prefixed with “https”.

This flaw could allow a ‘man-in-the-middle’ (MITM), to be able to inject data into a connection between an Internet client and an Internet server, and potentially allow an attacker to execute commands using the credentials of an authorised user, or to even collect authentication credentials of authorised users.

This security flaw has been labeled CVE-2009-3555 and is (being) described in more detail:

Because the flaw is not limited to any specific software implementation, but is rather a fundamental protocol design flaw, a lot of software using SSL/TLS is vulnerable.

Scope and Discussion

The attack is related to a SSL/TLS protocol feature called session renegotiation. The discovered vulnerability could be used to manipulate data received by a client or by a server. For example, a server is vulnerable if it is configured to allow session renegotiation, but is not yet using updated software.

One way to protect against the attack is to disable session renegotiation on the server. Hopefully, most Internet servers that do not yet support RFC 5746 have followed the recommendation and disabled the renegotiation feature.

Unfortunately, when a server is using the vulnerable SSL/TLS protocol version, it is impossible for the browser to know whether a site is protected or vulnerable (i.e. whether session renegotiation is enabled or disabled on the server).

Because of this uncertainty, when using the existing SSL/TLS protocol versions, Firefox does not know whether a server is vulnerable. Firefox, therefore, is unable to determine whether a connection has been attacked.

An enhanced SSL/TLS protocol version has been finalized and is now published as RFC 5746.

Action

In order to ascertain that SSL/TLS sessions are protected, Internet deployments using SSL/TLS must be upgraded to support the new protocol enhancement described in RFC 5746.

Message was edited by: Hayton on 29/11/13 00:56:00 GMT

Message was edited by: Hayton on 29/11/13 01:23:21 GMT
exbrit
MVP
Message 5 of 17

Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.

I wish I had a suggestion.  It worked for me, after a lot of tries.

Hayton
Reliable Contributor
Message 6 of 17

Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.

Oh, hoo-ray. I finally got it to work in IE. But look at the hoops I had to jump through to get it to work.

SA login from IE - Security Warning 1.PNG

SA login from IE - Security Warning 2.PNG

SA login from IE - Security Warning 3.PNG

exbrit
MVP
Message 7 of 17

Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.

It looks to me like you aren't using default settings....is that correct? In which case I would have thought abnormal behaviour is to be expected. I could be wrong of course and probably am.

Hayton
Reliable Contributor
Message 8 of 17

Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.

Correct, my IE settings are not the default. That's because I've tried to strengthen security wherever possible. Privacy settings are set to High, which does cause occasional problems with cookies.

SiteAdvisor is in the Trusted Sites zone, which is very lax indeed by default. I tightened that up a bit by making two important changes, which creates the hoops to jump through -

Display Mixed Content : Prompt

Websites in less privileged web content zone can navigate into this zone : Prompt.

Oddly, IE logs me in to SA even though the login cookie is blocked.

SA login successful with cookie blocked.PNG

exbrit
MVP
Message 9 of 17

Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.

'Oddly' is a good word for the way it works,  😉

Hayton
Reliable Contributor
Message 10 of 17

Re: Unable to log in as a SiteAdvisor reviewer - AGAIN.

"Odd" scarcely begins to describe it. I just finished writing a long review of that website (which markets spyware and keyloggers) and hit Submit. I then got presented with ...

Kicked out AFTER writing a review.PNG

Sometimes I think this is just a waste of time.
