Nov 28, 2013 3:44 PM
Volunteer Moderator Leeds, UK
No PM's please
The curse of McAfee's user-hostile interfaces strikes again, this time on the SiteAdvisor user-review comments page (AGAIN).
Entering a correct reviewer name and a correct password fails to register with the website : you just get presented with the name/password boxes again.
[blocked] The page at 'https://user.siteadvisor.com/forums/login.php' was loaded over HTTPS, but ran insecure content from 'http://www.siteadvisor.com/cs.psp?bbsessionhash=e3194b23e6c3235abc2a7a1611c…1416 432388&bbid=394824&bbpassword=547b6606385b9a15c6251f56c84bf7c8543d9e80': this content should also be loaded over HTTPS.
This is ridiculous. It's been going on for ever and has been reported over and over again. I don't care if there's only one person left in the department to do all the program changes, this one is easy enough to fix and should have been done months ago.
Not in a good mood anyway, and this doesn't help.
Message was edited by: Hayton on 28/11/13 21:44:17 GMT
I agree about not helping to be in a bad mood...I'm not in any mood for nonsense and the reviewer page caused me to attempt log in about 10 or 12 times before it took.
All I can suggest is try another browser perhaps?
I've experienced the same issue on my end many times. It typically takes multiple log-in attempts before I may be able to get on. Perhaps the SA staff no longer values the input/site reviews from what volunteer reviewers are still left?
Message was edited by: spc3rd on 11/28/13 7:19:17 PM EST
The login doesn't work in Firefox either. The reason is that the page is HTTPS but is taking active content from a source which is using HTTP.
Now, you could say that reverting to HTTP should cure the problem. And so it might. But that's like advising someone not to bother with password protection if they have trouble remembering their password. HTTPS should be the default level of connection security, and any site which supposedly offers that protection should not be allowing mixed content on the page. What we have here is even worse than that - the login setup is needlessly convoluted, with the apparent login page feeding content through to a separate (secure) login page over an insecure connection. Arcane, or what?
[23:56:25.003] user.siteadvisor.com : server does not support RFC 5746, see CVE-2009-3555
Oh yes, and we STILL have the situation where the SiteAdvisor server doesn't support RFC 5746. If the patches haven't been applied this leaves the whole session open to a MITM attack. It's a theoretical weakness right up to the moment when suddenly it's not.
This weakness was discovered in 2009 and it must be two years since I first drew it to McAfee's attention via a conference call. It looks as if nothing has been done yet. That is glacial progress.
The CVE-2009-3555 error message in the Tools > Error Console should not prevent you from accessing that website. This may change in the future, but currently it is only to make the administrators of a server aware that they need to fix that security vulnerability in their server and install a patch.
In 2009, a flaw was discovered in the SSL/TLS protocol which is widely used in Internet applications, for example when accessing web content via an address prefixed with “https”.
This flaw could allow a ‘man-in-the-middle’ (MITM), to be able to inject data into a connection between an Internet client and an Internet server, and potentially allow an attacker to execute commands using the credentials of an authorised user, or to even collect authentication credentials of authorised users.
This security flaw has been labelled CVE-2009-3555 and is (being) described in more detail:
Because the flaw is not limited to any specific software implementation, but is rather a fundamental protocol design flaw, a lot of software using SSL/TLS is vulnerable.
Scope and Discussion
The attack is related to an SSL/TLS protocol feature called session renegotiation. The discovered vulnerability could be used to manipulate data received by a client or by a server. For example, a server is vulnerable if it is configured to allow session renegotiation, but is not yet using updated software.
One way to protect against the attack is to disable session renegotiation on the server. Hopefully, most Internet servers that do not yet support RFC 5746 have followed the recommendation and disabled the renegotiation feature.
Unfortunately, when a server is using the vulnerable SSL/TLS protocol version, it is impossible for the browser to know whether a site is protected or vulnerable (i.e. whether session renegotiation is enabled or disabled on the server).
Because of this uncertainty, when using the existing SSL/TLS protocol versions, Firefox does not know whether a server is vulnerable. Firefox, therefore, is unable to determine whether a connection has been attacked.
In order to ascertain that SSL/TLS sessions are protected, Internet deployments using SSL/TLS must be upgraded to support the new protocol enhancement described in RFC 5746.
Message was edited by: Hayton on 29/11/13 00:56:00 GMT
Message was edited by: Hayton on 29/11/13 01:23:21 GMT
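The post above explains that a browser can only tell a server is safe from the CVE-2009-3555 renegotiation attack if the server advertises the RFC 5746 extension. The following is an added example (not code from this thread, from McAfee or from SiteAdvisor) showing what that check actually looks like on the wire: it parses a TLS ServerHello record and reports whether the server echoed the renegotiation_info extension (type 0xFF01) with the empty renegotiated_connection field that RFC 5746 requires on an initial handshake. The three ServerHello records it runs against are constructed by hand for the example; the function names are my own.

```python
"""Check a TLS ServerHello for the RFC 5746 renegotiation_info extension.

Added example; not code from the forum thread, McAfee or SiteAdvisor.
A client that offered renegotiation_info (or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV
cipher suite 0x00FF) in its ClientHello learns from the ServerHello whether the
server supports secure renegotiation: a patched server echoes extension type
0xFF01 carrying an empty renegotiated_connection field (one length byte, 0x00).
No extension means the server is unpatched or ignores the extension, which is the
"server does not support RFC 5746" case the browser console reports.
"""
from __future__ import annotations
import struct

RENEGOTIATION_INFO = 0xFF01   # extension type assigned by RFC 5746
HANDSHAKE = 0x16              # TLS record content type
SERVER_HELLO = 0x02           # handshake message type


def parse_server_hello(record: bytes) -> dict:
    """Parse one TLS record holding a ServerHello; return version, cipher and extensions."""
    if len(record) < 5 or record[0] != HANDSHAKE:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) != rec_len:
        raise ValueError("truncated record")
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len:
        raise ValueError("truncated handshake message")
    pos = 0
    version = hello[pos:pos + 2]; pos += 2
    pos += 32                                  # server random
    sid_len = hello[pos]; pos += 1 + sid_len   # session id
    cipher = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
    pos += 1                                   # compression method
    extensions: dict[int, bytes] = {}
    if pos < len(hello):                       # extensions block is optional
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        if end != len(hello):
            raise ValueError("bad extensions length")
        while pos < end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4]); pos += 4
            if pos + ext_len > end:
                raise ValueError("extension overruns block")
            extensions[ext_type] = hello[pos:pos + ext_len]; pos += ext_len
    return {"version": version, "cipher": cipher, "extensions": extensions}


def secure_renegotiation_status(record: bytes) -> str:
    """Return 'supported', 'unsupported' or 'invalid' for an initial-handshake ServerHello."""
    ext = parse_server_hello(record)["extensions"].get(RENEGOTIATION_INFO)
    if ext is None:
        return "unsupported"      # unpatched server: CVE-2009-3555 status unknowable
    # On the initial handshake renegotiated_connection must be empty (b"\x00").
    # Anything else is a protocol violation and the client must abort (RFC 5746 3.4).
    return "supported" if ext == b"\x00" else "invalid"


def build_server_hello(extensions: list[tuple[int, bytes]]) -> bytes:
    """Construct a minimal TLS 1.0 ServerHello record (sample data for this example only)."""
    hello = b"\x03\x01" + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    if extensions:
        ext_bytes = b"".join(struct.pack("!HH", t, len(v)) + v for t, v in extensions)
        hello += struct.pack("!H", len(ext_bytes)) + ext_bytes
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


# Constructed sample records: patched server, unpatched server, and a server that
# echoes a non-empty renegotiated_connection on an initial handshake.
PATCHED_SERVER = build_server_hello([(RENEGOTIATION_INFO, b"\x00")])
UNPATCHED_SERVER = build_server_hello([])
BOGUS_SERVER = build_server_hello([(RENEGOTIATION_INFO, b"\x0c" + bytes(12))])

if __name__ == "__main__":
    for name, rec in [("patched", PATCHED_SERVER), ("unpatched", UNPATCHED_SERVER),
                      ("bogus", BOGUS_SERVER)]:
        print(f"{name}: secure renegotiation {secure_renegotiation_status(rec)}")
```

Against a live host the same verdict is printed by `openssl s_client -connect host:443`, which reports "Secure Renegotiation IS supported" or "IS NOT supported" after the handshake; the parser above is what sits behind that line.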
I wish I had a suggestion. It worked for me, after a lot of tries.
Oh, hoo-ray. I finally got it to work in IE. But look at the hoops I had to jump through to get it to work.
It looks to me like you aren't using default settings....is that correct? In which case I would have thought abnormal behaviour is to be expected. I could be wrong of course and probably am.
Correct, my IE settings are not the default. That's because I've tried to strengthen security wherever possible. Privacy settings are set to High, which does cause occasional problems with cookies.
SiteAdvisor is in the Trusted Sites zone, which is very lax indeed by default. I tightened that up a bit by making two important changes, which creates the hoops to jump through -
Display Mixed Content : Prompt
Websites in less privileged web content zone can navigate into this zone : Prompt.
Oddly, IE logs me in to SA even though the login cookie is blocked.
'Oddly' is a good word for the way it works, ;-)
"Odd" scarcely begins to describe it. I just finished writing a long review of that website (which markets spyware and keyloggers) and hit Submit. I then got presented with ...
Sometimes I think this is just a waste of time.