X
Tap here to go to the mobile version of the site.

Support Forum

After updating to 36.0.1 this morning my online banking website for Intelligent Finance is no longer secure: https://my.if.com/Security/Auth/Logon

Posted

Always had the green padlock until this update. When I click on the orange triangle it tells me: “Connection partially encrypted. Parts of the page you are viewing are not encrypted or the encryption is not strong enough before being transmitted over the internet. Information sent over the internet without encryption can be seen by other people while it is in transit.” Yet when I open the same page in Internet Explorer there’s a gold padlock which states “ fully encrypted” when clicked and certificate issued by VeriSign. Can others please confirm that that they also cannot access the fully encrypted page on https://my.if.com/Security/Auth/Logon via Firefox 36.0.1 so that I can be sure the problem solely relates to this latest Firefox version? If so, is there any solution other than to use I.E. and hope the next update fixes the bug?

Always had the green padlock until this update. When I click on the orange triangle it tells me: “Connection partially encrypted. Parts of the page you are viewing are not encrypted or the encryption is not strong enough before being transmitted over the internet. Information sent over the internet without encryption can be seen by other people while it is in transit.” Yet when I open the same page in Internet Explorer there’s a gold padlock which states “ fully encrypted” when clicked and certificate issued by VeriSign. Can others please confirm that that they also cannot access the fully encrypted page on https://my.if.com/Security/Auth/Logon via Firefox 36.0.1 so that I can be sure the problem solely relates to this latest Firefox version? If so, is there any solution other than to use I.E. and hope the next update fixes the bug?

Additional System Details

Installed Plug-ins

  • Adobe PDF Plug-In For Firefox and Netscape 11.0.10
  • Google Update
  • NPRuntime Script Plug-in Library for Java(TM) Deploy
  • Next Generation Java Plug-in 11.40.2 for Mozilla browsers
  • McAfee MSC FF plugin DLL
  • McAfee Virtual Technician plugin
  • Shockwave Flash 16.0 r0
  • 5.1.30514.0
  • VLC media player Web Plugin 2.1.3
  • Windows Presentation Foundation (WPF) plug-in for Mozilla browsers

Application

  • Firefox 36.0.1
  • User Agent: Mozilla/5.0 (Windows NT 6.0; rv:36.0) Gecko/20100101 Firefox/36.0
  • Support URL: https://support.mozilla.org/1/firefox/36.0.1/WINNT/en-GB/

Extensions

  • about:addons-memory 10 (about-addons-memory@tn123.org)
  • Adblock Plus 2.6.7 ({d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d})
  • Classic Theme Restorer 1.2.9.6 (ClassicThemeRestorer@ArisT2Noia4dev)
  • McAfee Security Scan Plus 1.0 ({e4f94d1e-2f53-401e-8885-681602c0ddd8})
  • McAfee SiteAdvisor 3.7.2 ({4ED1F68A-5463-4931-9384-8FFF5ED91D92})
  • Microsoft .NET Framework Assistant 0.0.0 ({20a82645-c095-46ed-80e3-08825760534b}) (Inactive)

Javascript

  • incrementalGCEnabled: True

Graphics

  • adapterDescription: ATI Radeon HD 2600 XT
  • adapterDescription2:
  • adapterDeviceID: 0x9588
  • adapterDeviceID2:
  • adapterDrivers: atiumdag atiumdva atitmmxx
  • adapterDrivers2:
  • adapterRAM: Unknown
  • adapterRAM2:
  • adapterSubsysID: 25421028
  • adapterSubsysID2:
  • adapterVendorID: 0x1002
  • adapterVendorID2:
  • direct2DEnabled: False
  • direct2DEnabledMessage: [u'tryNewerDriver', u'9.6']
  • directWriteEnabled: False
  • directWriteVersion: 0.0.0.0
  • driverDate: 7-31-2007
  • driverDate2:
  • driverVersion: 8.402.0.0
  • driverVersion2:
  • info: {u'AzureCanvasBackend': u'skia', u'AzureFallbackCanvasBackend': u'cairo', u'AzureContentBackend': u'cairo', u'AzureSkiaAccelerated': 0}
  • isGPU2Active: False
  • numAcceleratedWindows: 0
  • numAcceleratedWindowsMessage: [u'tryNewerDriver', u'9.6']
  • numTotalWindows: 1
  • webglRendererMessage: [u'tryNewerDriver', u'9.6']
  • windowLayerManagerRemote: True
  • windowLayerManagerType: Basic

Modified Preferences

Misc

  • User JS: No
  • Accessibility: No
jscher2000
  • Top 10 Contributor
8695 solutions 71066 answers

In Firefox 36.0, there is a gray triangle with an exclamation point; I don't have 36.0.1 on this PC yet.

Google Chrome's connection description (attached) probably identifies the problem: the server uses an older RC4 cipher that is no longer considered secure in Firefox 36.0 and higher, so you get the triangle instead of the padlock.

I'm not sure when (?!) Firefox will have better explanations for this issue in the user interface: it's definitely hard to distinguish from other reasons for that icon.

In Firefox 36.0, there is a gray triangle with an exclamation point; I don't have 36.0.1 on this PC yet. Google Chrome's connection description (attached) probably identifies the problem: the server uses an older RC4 cipher that is no longer considered secure in Firefox 36.0 and higher, so you get the triangle instead of the padlock. I'm not sure when (?!) Firefox will have better explanations for this issue in the user interface: it's definitely hard to distinguish from other reasons for that icon.
cor-el
  • Top 10 Contributor
  • Moderator
17475 solutions 157940 answers

Helpful Reply

Firefox use this cipher for me: TLS_RSA_WITH_RC4_128_MD5 If I disable security.ssl3.rsa_rc4_128_md5 then I get this error:

An error occurred during a connection to my.if.com. SSL peer rejected a handshake message for unacceptable content. (Error code: ssl_error_illegal_parameter_alert)

So it looks that the server really needs to update its software and install support for more up to date ciphers.

Firefox use this cipher for me: TLS_RSA_WITH_RC4_128_MD5 If I disable security.ssl3.rsa_rc4_128_md5 then I get this error: <blockquote>An error occurred during a connection to my.if.com. SSL peer rejected a handshake message for unacceptable content. (Error code: ssl_error_illegal_parameter_alert) </blockquote> So it looks that the server really needs to update its software and install support for more up to date ciphers.

Question owner

Thanks to both of the helpful explanations. So it's not Firefox at fault, but the bank's software. That really is disgraceful that a UK bank, ultimately owned by Lloyds banking group, is potentially exposing customers bank accounts by using obsolete insecure cryptography. I supose my only resource is to complain and bring this to the attentiom of Intelligent Finance bank?

To cor-el, How does one disable security.ssl3.rsa_rc4_128_md5?

Thanks to both of the helpful explanations. So it's not Firefox at fault, but the bank's software. That really is disgraceful that a UK bank, ultimately owned by Lloyds banking group, is potentially exposing customers bank accounts by using obsolete insecure cryptography. I supose my only resource is to complain and bring this to the attentiom of Intelligent Finance bank? To cor-el, How does one disable security.ssl3.rsa_rc4_128_md5?
the-edmeister
  • Top 25 Contributor
  • Moderator
5399 solutions 40149 answers

Helpful Reply

Type about:config in the Location Bar and hit Enter. accept the warning message

Paste security.ssl3.rsa_rc4_128_md5 in the Search field at the top.

Then double-click that one pref below where it says Preference Name - Status - Type - Value to toggle that pref to false. Then close / restart Firefox.

Type '''about:config''' in the Location Bar and hit '''Enter'''. ''accept the warning message'' Paste '''security.ssl3.rsa_rc4_128_md5''' in the Search field at the top. Then double-click that one pref below where it says '''''Preference Name - Status - Type - Value''''' to toggle that pref to '''false'''. Then close / restart Firefox.

Question owner

Thank you, the-edmeister. At least I now know the culprit is my bank's servers and not the Firefox update. How much risk, in reality, do people think I'm taking if I continue to login online to the bank with it's current encryption? I do need to access my accounts on a regular basis. I suppose using I.E. wouldn't be any more secure than using Firefox, just because I.E. hasn't yet identified the obsolete cryptography?

Thank you, the-edmeister. At least I now know the culprit is my bank's servers and not the Firefox update. How much risk, in reality, do people think I'm taking if I continue to login online to the bank with it's current encryption? I do need to access my accounts on a regular basis. I suppose using I.E. wouldn't be any more secure than using Firefox, just because I.E. hasn't yet identified the obsolete cryptography?
cor-el
  • Top 10 Contributor
  • Moderator
17475 solutions 157940 answers

Firefox still uses the HTTPS protocol to connect to the server. Only the cipher suite that is used is no longer considered strong enough and that is why you won't see the padlock. As long as Firefox or you do not disable this cipher suite then you will still be able to connect to servers. All websites that use weak ciphers will have to update their software.

Firefox still uses the HTTPS protocol to connect to the server. Only the cipher suite that is used is no longer considered strong enough and that is why you won't see the padlock. As long as Firefox or you do not disable this cipher suite then you will still be able to connect to servers. All websites that use weak ciphers will have to update their software.

Question owner

cor-el said

As long as Firefox or you do not disable this cipher suite then you will still be able to connect to servers. All websites that use weak ciphers will have to update their software.

So you think there's very little risk of any traffic between my computer and the Intelligent Finance website being read by anyone in transit, even with the server's weak encryption?

''cor-el [[#answer-700465|said]]'' <blockquote> As long as Firefox or you do not disable this cipher suite then you will still be able to connect to servers. All websites that use weak ciphers will have to update their software. </blockquote> So you think there's very little risk of any traffic between my computer and the Intelligent Finance website being read by anyone in transit, even with the server's weak encryption?
silkblooms 1 solutions 8 answers

I've tried all of these recommendations and none of them help. I still get a triangle with an exclamation mark instead of a padlock. Here are some screenshots of the error::

http://www.silkblooms.co.uk/images/prototypes/ssl3.jpg http://www.silkblooms.co.uk/images/prototypes/ssl2.jpg http://www.silkblooms.co.uk/images/prototypes/ssl1.jpg

The SSL certificate is modern, up-to-date with the latest technology and I have no proxy settings in the tools>options>advanced>Network>connection>settings area (so it's not that).

Can anyone help me diagnose the issue on my own website in particular?

Thanks in advance for any help or advice you can offer.

I've tried all of these recommendations and none of them help. I still get a triangle with an exclamation mark instead of a padlock. Here are some screenshots of the error:: http://www.silkblooms.co.uk/images/prototypes/ssl3.jpg http://www.silkblooms.co.uk/images/prototypes/ssl2.jpg http://www.silkblooms.co.uk/images/prototypes/ssl1.jpg The SSL certificate is modern, up-to-date with the latest technology and I have no proxy settings in the tools>options>advanced>Network>connection>settings area (so it's not that). Can anyone help me diagnose the issue on my own website in particular? Thanks in advance for any help or advice you can offer.
philipp
  • Top 25 Contributor
  • Moderator
5306 solutions 23424 answers

@silkblooms, let's continue the discussion in the thread that you have created at https://support.mozilla.org/en-US/questions/1051000

@silkblooms, let's continue the discussion in the thread that you have created at https://support.mozilla.org/en-US/questions/1051000